The inevitability of cybersecurity incidents has become a harsh reality for organizations. The MGM Resorts breach is just one example demonstrating the crippling financial, legal and operational consequences of ransomware incidents.

Recently, we have seen a fundamental shift in the strategies employed by highly coordinated threat actor groups like ALPHV/BlackCat and Scattered Spider who prioritize targeting infrastructure over endpoints during incident responses to bypass modern investments in cybersecurity solutions such as endpoint detection response (EDR).

We’ve also seen threat actors employing older techniques with enhanced resources and innovative approaches, leveraging paid AI subscriptions for creating more realistic phishing campaigns and utilizing legitimate services such as chatbots and other publicly available AI tools to assist them in circumventing traditional security awareness training, which still instructs employees to look for spelling and grammatical errors as well as a lack of localization such as non-English language support.

Through 2025, generative AI will cause a spike in the cybersecurity resources required to secure it, causing more than a 15% incremental spend on application and data security.

Motivation

For ransomware threat actor groups, financial gain is the primary reason for their organized criminal activities. While some operate independently, others are backed by larger organized crime syndicates, as demonstrated by high-profile breaches like the MGM Resorts incident. The allure of substantial financial gain incentivizes these groups to invest in their efforts, with phishing campaigns costing as little as a few dollars per compromised account. 

Threat actors are changing their tactics based on what is providing them with the more reliable payout of extortion or ransom. Ransomware threat actors still obtain payouts from victims who must pay to recover files to restore services post-ransomware attacks. However, this avenue has seen a significant decline due to ongoing efforts by insurance providers and compliance standards forcing businesses to update their business continuity requirements and procedures. While this has been moderately successful in reducing the need for payouts due to victims lacking restorable backups, certain areas of insurance and compliance standards have lagged behind the current threat landscape, requiring technologies or content filtering and categorization solutions to aid in the detection of data exfiltration.

For instance, organizations still struggle to detect data walking out the front door. Consequently, threat actors now specifically target stealing corporate data that contains employee privacy data, financial banking records, business insurance certificates (so they know how much you are insured for) and corporate intellectual property. Due to their success, victims are reliably paying out to reacquire the stolen data through extortion, which now constitutes the primary source of income for the majority of ransomware threats.

Additionally, traditional organized crime units are now working in cohesion together more often by leveraging the specialties of one another. We’ve directly seen this coordination, or franchise model, adopted by ransomware threat actor groups like BlackCat, which specializes in facilitating the ransomware negotiation and developing ransomware encryptor and decryptor tools. Additionally, Scattered Spider aids in delivering ransomware and exfiltrating data. Within this framework, The Com, a sub-group primarily operating in the United States, is known for its specialization in providing U.S. localization voice talent. The Com is also associated with performing sim-swap attacks, targeting specific employees at victim organizations to bypass MFA. Each of the entities involved in this type of coordinated attack will receive a payout.

Old School Techniques Resurfacing

A common trend among threat actors is to rely on older techniques but allocate more resources and deploy them differently to achieve greater success. Several security solutions organizations have long relied on, such as multi-factor authentication, are now vulnerable to circumvention with very minimal effort. Specifically, organizations need to be aware of the forms of MFA factors they support, such as push notifications, pin codes, FIDO keys and legacy solutions like SMS text messages. The latter is particularly concerning because SMS messaging has long been considered an insecure form of authentication, managed by third-party cellular providers, thus lying outside the control of both employees and their organizations.

In addition to these technical forms of breaches, the tried-and-true method of phishing is still viable. Both white hat and black hat tools continue to be enhanced to exploit common MFA replay techniques. Like other professional tools used by security testers like Cobalt Strike used by threat actors to maintain persistence on compromised systems, MFA bypass/replay tools have also gotten more professional. One common tool popular among white hat hackers is Evilginx, which even offers classes available for attaining CPE credits towards ongoing education on its usage and configuration to bypass most common MFA solutions.

The level of sophistication required to protect most commercial MFA-enabled solutions is increasing due to the proliferation of good security testing tools, while the investment on the attacker’s behalf is decreasing. 

Low Investment = High Returns

A common narrative we hear is how threat actors are now allocating more monetary resources toward carrying out breach attacks to break into companies. However, when you compare the cost of investment on the attacker’s side versus the cost to protect organizations there is truly no comparison. Organizations spend hundreds of thousands to millions of dollars to protect themselves, while attackers might invest anywhere from $5,000 to $10,000 on average to carry out the attack. And when it comes to SIM-swapping, attackers are only investing anywhere from $1500 to $2500 to side-step SMS-enabled multi-factor authentication (MFA) in order to break into organizations.

Comparatively, a typical phishing campaign can cost a threat actor around $1 to $5 per successfully compromised account, and the proliferation of tools available to carry out phishing attacks are widely accessible.

The abundance of data available to facilitate attacks like credential stuffing also continues to grow. Major dumps of working email addresses and scraping of popular sites like LinkedIn have given attackers hundreds of millions of legitimate email addresses with harvested passwords from previous breaches. The 23andMe breach in October 2023 is a perfect example of this, where attackers didn’t even need to gain access to internal systems to cause a leak of over 6.9 million users’ data. This has made threat actors’ investment into their breach campaigns fairly nominal. If the attacker already has email addresses, they only need to seek out passwords. If a company hasn’t implemented MFA, attackers will do whatever they can to defeat it.

The proactive measures taken by SOCs to mitigate these risks involve monitoring for leaked credentials and enforcing password resets for potentially compromised accounts. Tools such as Have I Been Pwned, curated by cybersecurity expert Troy Hunt, play a pivotal role in identifying at-risk accounts and enabling timely intervention to prevent unauthorized access.

7 Ways Organizations Can Protect Themselves

Here are seven actionable tips organizations should implement to help protect and defend against ransomware threats.

1. Implement 24/7 monitoring of your environment. For organizations struggling to find resources, a MSSP is there to help. 
2. Monitor for changes to a user’s MFA settings.
3. Eliminate SMS text messaging as an MFA factor if not for the entire org, especially for administrative users.
4. Review and update your help desk procedures, namely, why would your help desk have the ability to reset higher privileged accounts? Such procedures should require multiple participants to validate the request.
5. Subscribe to threat intelligence services for domain monitoring. This helps identify instances where corporate email addresses are used on external or personal sites. 
6. Understand that your Accounts Payable and HR teams are under constant attack due to their involvement in handling sensitive data and requiring them to open all attachments and assist clients with payments.  Monitor their accounts and access closely for signs of compromise.

Recent Articles By Author

7. Develop and implement procedures for handling phone and tablet theft. Having a proper procedure for account reset and device wiping is required.