*Source: the Industrial Cyber post "Ontinue reports 132% surge in ransomware attacks, with AiTM and PlugX RAT increasing as tactics shift". Ontinue identifies that ransomware attacks rose 132 percent, despite a 35 percent drop in payments, signaling a shift...*
Analysis Summary
# Incident Report: Analysis of Evolving Ransomware and Authentication Bypass Tactics (Reflecting Ontinue's 2024 Threat Intelligence)
## Executive Summary
The security landscape analyzed shows a significant **132% surge in ransomware attacks** during 2024, despite a notable **35% drop in ransom payments**, indicating attackers are shifting strategy toward data exfiltration-based extortion. A major tactic involves the rise of **Adversary-in-the-Middle (AiTM) attacks** used to bypass Multi-Factor Authentication (MFA) by stealing authentication tokens. Key targeted sectors include manufacturing, services, and healthcare, necessitating an urgent hardening of defenses against sophisticated social engineering and novel malware delivery methods across IT and vulnerable IoT/OT environments.
## Incident Details
- Discovery Date: Q2/H2 2024 (Based on 2024 Threat Intelligence Report findings)
- Incident Date: Throughout 2024
- Affected Organization: Various, with manufacturing, services, and healthcare heavily targeted.
- Sector: Manufacturing, Services, Healthcare, and general enterprise across all sectors.
- Geography: Global (Implied by international law enforcement actions and threat reporting)
## Timeline of Events
*Note: This report synthesizes broad trends identified throughout 2024 rather than documenting a single specific event.*
### Initial Access
- **Date/Time:** Ongoing throughout 2024
- **Vector:** Adversary-in-the-Middle (AiTM), Phishing/Vishing (including deepfake audio), Malvertising, Malicious Browser Extensions, and exploitation of IoT/OT vulnerabilities.
- **Details:** AiTM attacks rapidly became dominant for stealing session tokens to bypass MFA. Vishing incidents, often using AI voice cloning (deepfakes), spiked 1,633% QoQ, directing victims to fraudulent Microsoft support pages (often on `.shop` domains).
### Lateral Movement
- **Details:** Threat actors leveraged legitimate, built-in administrative tools, such as **Microsoft Quick Assist**, to gain unauthorized access and maintain persistence within compromised environments.
### Data Exfiltration/Impact
- **Details:** Due to increased resistance to ransom payments, attackers shifted focus to **exfiltration-based extortion** (stealing sensitive data and threatening disclosure). Ransomware attacks continued, though payments decreased globally. The **PlugX RAT** remained an active threat alongside rising C2 traffic from infostealers.
### Detection & Response
- **How it was discovered:** Through proactive monitoring and analysis by threat intelligence firms like Ontinue, as detailed in their 2024 report. Law enforcement actions, such as the **LockBit takedown** in February 2024, also served as major external detection/disruption events.
- **Response actions taken:** Organizations strengthened backup strategies and improved incident response plans, leading to fewer successful ransom payments. Law enforcement agencies executed coordinated international operations against major groups.
## Attack Methodology
- **Initial Access:** AiTM (token theft), Phishing, Vishing (AI-enhanced social engineering), Malvertising, Malicious Browser Extensions.
- **Persistence:** Abuse of legitimate Microsoft tools (e.g., Quick Assist), persistence maintained by malicious browser extensions even after system reimaging.
- **Privilege Escalation:** Weaponizing legitimate remote access tools for unauthorized system access.
- **Defense Evasion:** Blending malicious activity with legitimate IT operations (Living off the Land techniques using built-in utilities), utilizing stealthier delivery methods (browser extensions vs. exploit kits).
- **Credential Access:** Theft of authentication tokens via AiTM, targeting Windows Hello authentication keys.
- **Discovery:** General discovery/reconnaissance implied across ransomware campaigns.
- **Lateral Movement:** Abuse of legitimate remote access tools (Quick Assist) to traverse the network.
- **Collection:** Data gathering associated with infostealers and ransomware objectives.
- **Exfiltration:** Increased focus on data exfiltration to facilitate extortion when upfront ransom payments decline.
- **Impact:** Business disruption via ransomware, data loss/extortion, compromise of vulnerable IoT/OT systems.
## Impact Assessment
- **Financial:** Ransom payments totaled approximately $810 million in 2024 (down from $1.25 billion in 2023), suggesting reduced payout burden but continued high attack volume.
- **Data Breach:** Significant data exfiltration observed as attackers pivot to data-focused extortion models. Specific volume not detailed, but high risk across targeted sectors.
- **Operational:** Attacks continued to target core operations, particularly in manufacturing and healthcare. IoT/OT environments pose an elevated and poorly measured risk due to lack of visibility.
- **Reputational:** High risk due to data extortion threats and major law enforcement actions disrupting large ransomware operators.
## Indicators of Compromise
*Note: Indicators are generic, derived from the malware families and techniques reported; the source material does not provide specific IoCs (hashes, domains, or addresses).*
- **Network indicators:** C2 traffic patterns associated with PlugX RAT and generic infostealers. Phishing/vishing communication redirects to fraudulent support domains (e.g., generic `.shop` domains).
- **File indicators:** Presence of PlugX RAT components, infostealer malware payloads.
- **Behavioral indicators:** Use of Microsoft Quick Assist for unauthorized remote execution, repeated authentication attempts bypassing MFA via session token replay, AI-driven vishing calls impersonating trusted entities.
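The two host/identity behaviors listed above (Quick Assist used as a foothold for remote execution, and a session token reused without a fresh MFA challenge) can be expressed as simple detection rules. The block below is an added example, not code from the Ontinue report or from Industrial Cyber. The event format, field names (`pid`, `ppid`, `session`, `mfa`), the helpdesk allowlist and the sample log lines are all constructed for the example and do not correspond to any vendor's schema.

```python
"""Detection rules for two behavioral indicators, run over constructed sample telemetry.

Assumptions (example-only, not a real product schema):
  - process-creation and identity-provider sign-in records are flattened to one JSON
    object per line with the field names used in SAMPLE_LOG;
  - the organization sanctions a different remote-support tool, so Quick Assist launched
    by an account outside HELPDESK_ACCOUNTS is worth a review;
  - the identity provider records whether MFA was completed interactively or was merely
    satisfied by a claim already present in the session token.
"""
import json
from datetime import datetime

HELPDESK_ACCOUNTS = {"helpdesk-svc"}               # assumed allowlist
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # interactive shells worth flagging under Quick Assist

# Constructed sample events (not real telemetry). Raw string: JSON keeps the Windows backslashes.
SAMPLE_LOG = r"""
{"kind":"process","ts":"2024-06-03T09:12:04Z","host":"WS-0471","user":"jdoe","pid":4120,"ppid":1800,"image":"C:\\Windows\\System32\\QuickAssist.exe"}
{"kind":"process","ts":"2024-06-03T09:14:30Z","host":"WS-0471","user":"jdoe","pid":4388,"ppid":4120,"image":"C:\\Windows\\System32\\cmd.exe"}
{"kind":"process","ts":"2024-06-03T09:14:41Z","host":"WS-0471","user":"jdoe","pid":4402,"ppid":4388,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"kind":"process","ts":"2024-06-03T10:02:11Z","host":"WS-0302","user":"helpdesk-svc","pid":2210,"ppid":1700,"image":"C:\\Windows\\System32\\QuickAssist.exe"}
{"kind":"signin","ts":"2024-06-03T08:55:00Z","user":"jdoe","session":"s-7f3a","ip":"203.0.113.10","ua":"Edge/125 Windows","mfa":"completed_interactively"}
{"kind":"signin","ts":"2024-06-03T09:20:12Z","user":"jdoe","session":"s-7f3a","ip":"198.51.100.77","ua":"Chrome/124 Linux","mfa":"satisfied_by_claim_in_token"}
{"kind":"signin","ts":"2024-06-03T11:40:00Z","user":"asmith","session":"s-11c0","ip":"203.0.113.22","ua":"Edge/125 Windows","mfa":"completed_interactively"}
{"kind":"signin","ts":"2024-06-03T13:05:44Z","user":"asmith","session":"s-11c0","ip":"203.0.113.22","ua":"Edge/125 Windows","mfa":"satisfied_by_claim_in_token"}
"""


def basename(image):
    """Lower-cased file name of an image path, tolerating both path separators."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse(log_text):
    """Parse JSON-lines text into events ordered by timestamp."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))


def quick_assist_alerts(events):
    """Rule 1: Quick Assist run by a non-helpdesk account.  Rule 2: a shell whose ancestry
    on the same host passes through QuickAssist.exe (remote operator executing commands)."""
    alerts, procs = [], {}  # procs: (host, pid) -> event, used to walk parent chains
    for e in events:
        if e["kind"] != "process":
            continue
        procs[(e["host"], e["pid"])] = e
        name = basename(e["image"])
        if name == "quickassist.exe" and e["user"] not in HELPDESK_ACCOUNTS:
            alerts.append({"rule": "quick_assist_unapproved", "severity": "medium",
                           "host": e["host"], "user": e["user"], "ts": e["ts"]})
        if name in SHELLS:
            parent, depth = procs.get((e["host"], e["ppid"])), 0
            while parent is not None and depth < 8:  # bounded walk; unlogged parents end it
                if basename(parent["image"]) == "quickassist.exe":
                    alerts.append({"rule": "shell_under_quick_assist", "severity": "high",
                                   "host": e["host"], "user": e["user"], "image": name, "ts": e["ts"]})
                    break
                parent, depth = procs.get((parent["host"], parent["ppid"])), depth + 1
    return alerts


def token_replay_alerts(events):
    """Rule 3: a session token satisfies MFA from a client (IP + user agent) other than the
    one that completed MFA interactively, or with no interactive MFA on record at all."""
    alerts, origin_client = [], {}  # session id -> (ip, ua) that completed MFA
    for e in events:
        if e["kind"] != "signin":
            continue
        client = (e["ip"], e["ua"])
        if e["mfa"] == "completed_interactively":
            origin_client.setdefault(e["session"], client)
        elif e["mfa"] == "satisfied_by_claim_in_token":
            seen = origin_client.get(e["session"])
            if seen is None:
                alerts.append({"rule": "token_without_interactive_mfa", "severity": "high",
                               "user": e["user"], "session": e["session"], "ts": e["ts"]})
            elif seen != client:
                alerts.append({"rule": "session_token_reused_from_new_client", "severity": "high",
                               "user": e["user"], "session": e["session"], "first": seen,
                               "now": client, "ts": e["ts"]})
    return alerts


def analyze(log_text=SAMPLE_LOG):
    """Run all rules and return the combined alert list."""
    events = parse(log_text)
    return quick_assist_alerts(events) + token_replay_alerts(events)


if __name__ == "__main__":
    for alert in analyze():
        print(json.dumps(alert))
```

On the sample, the helpdesk account's Quick Assist launch on WS-0302 and the unchanged-client token use by `asmith` produce nothing; `jdoe`'s host yields one medium and two high process alerts, and the same user's token reappearing from a different IP and browser yields the replay alert. The parent-chain walk is what makes rule 2 robust to the operator launching PowerShell through an intermediate cmd.exe rather than directly.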
## Response Actions
- **Containment measures:** Rapid patching schedules, strengthening authentication mechanisms beyond simple passwords (due to AiTM success), isolating networks containing vulnerable IoT/OT devices.
- **Eradication steps:** Identifying and terminating C2 communication channels, removing malware loaders and established persistence via legitimate tools (e.g., Quick Assist abuse).
- **Recovery actions:** Restoring systems from robust backups (a factor in ransom refusal), enhancing monitoring to detect blended IT/malicious administrative activity.
## Lessons Learned
- **Key takeaways:** The cybersecurity defense landscape is forcing rapid evolution in criminal tactics; password-based authentication with conventional MFA alone is insufficient against AiTM attacks, because the proxy captures the session token after the MFA step completes. IoT/OT security presents a critical, under-monitored blind spot.
- **What could have been done better:** Organizations need robust defenses against AI-driven social engineering (vishing/deepfakes) and continuous behavioral monitoring to spot legitimate tools being abused.
## Recommendations
- **Prevention measures for similar incidents:** Implement hardware-backed MFA or FIDO2 solutions to resist AiTM attacks. Enhance network segmentation and visibility, especially for IoT/OT assets. Implement rigorous monitoring for the abuse of administrative tools like Quick Assist. Conduct regular training to counter AI-driven social engineering, including deepfake audio awareness.
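The recommendation to move to FIDO2 rests on one property: the browser, not the page, writes the origin into the data the authenticator signs, and the authenticator only releases a credential for the relying-party ID it was registered to. An AiTM proxy on a look-alike domain therefore cannot obtain an assertion the real relying party will accept. The block below is an added illustration, not code from the report or from any FIDO2 library. It models the relevant WebAuthn checks (type, challenge, origin, rpIdHash, signature) over constructed data; the signature primitive is an HMAC stand-in for the authenticator's asymmetric ES256 signature, and the `login.example.com` / `login.example-support.shop` names are constructed (the `.shop` TLD echoes the fraudulent support pages the report describes).

```python
"""Why origin-bound credentials defeat AiTM token theft: a minimal WebAuthn model.

Assumptions (example-only): RP_ID / RP_ORIGIN / PROXY_ORIGIN are constructed names,
and SimulatedAuthenticator signs with HMAC where a real authenticator uses an
asymmetric key pair.  Everything else mirrors the WebAuthn assertion structure:
the signature covers authenticatorData || SHA-256(clientDataJSON), and
clientDataJSON carries the origin as the browser observed it.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-support.shop"  # constructed AiTM proxy origin


def sha256(data):
    return hashlib.sha256(data).digest()


def client_data_json(challenge, origin):
    """Canonical clientDataJSON; the real browser fills in `origin` itself."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()


class SimulatedAuthenticator:
    """Credentials are scoped per rpId: a request for an unknown rpId yields nothing."""

    def __init__(self):
        self.credentials = {}  # rp_id -> per-credential secret (stand-in for private key)

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        return key  # a real RP would store the public key instead

    def get_assertion(self, rp_id, client_data):
        key = self.credentials.get(rp_id)
        if key is None:
            raise LookupError("no credential registered for " + rp_id)
        # authenticatorData = rpIdHash (32) || flags (UP set) || signCount (4)
        auth_data = sha256(rp_id.encode()) + b"\x01" + (0).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + sha256(client_data), "sha256").digest()
        return auth_data, sig


def browser_webauthn_get(authenticator, page_origin, requested_rp_id, challenge):
    """Model of navigator.credentials.get(): refuses an rpId that is not the page's host
    or a registrable suffix of it, then builds clientDataJSON from the true origin."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError("rpId %r not valid for origin %r" % (requested_rp_id, page_origin))
    client_data = client_data_json(challenge, page_origin)
    auth_data, sig = authenticator.get_assertion(requested_rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(key, challenge, client_data, auth_data, sig):
    """Relying-party checks (subset of WebAuthn 7.2). Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"
    expected = hmac.new(key, auth_data + sha256(client_data), "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    """User on the real origin: the assertion verifies."""
    auth, challenge = SimulatedAuthenticator(), secrets.token_urlsafe(32)
    key = auth.register(RP_ID)
    return rp_verify(key, challenge, *browser_webauthn_get(auth, RP_ORIGIN, RP_ID, challenge))


def aitm_relay_attempt(proxy_origin=PROXY_ORIGIN):
    """Victim's browser is on the proxy's origin while the proxy relays the real challenge.
    Neither way of asking the authenticator produces a usable assertion."""
    auth, challenge = SimulatedAuthenticator(), secrets.token_urlsafe(32)
    auth.register(RP_ID)
    outcomes = {}
    try:
        browser_webauthn_get(auth, proxy_origin, RP_ID, challenge)
        outcomes["request_real_rpid"] = "assertion produced"
    except ValueError as err:
        outcomes["request_real_rpid"] = "browser refused: " + str(err)
    try:
        browser_webauthn_get(auth, proxy_origin, proxy_origin.split("://", 1)[1], challenge)
        outcomes["request_own_rpid"] = "assertion produced"
    except LookupError as err:
        outcomes["request_own_rpid"] = "authenticator has no credential: " + str(err)
    return outcomes


def forged_origin_case(proxy_origin=PROXY_ORIGIN):
    """Even if browser-side enforcement were absent and a signature were obtained over client
    data naming the proxy origin, the RP rejects it: the origin sits inside the signed data."""
    auth, challenge = SimulatedAuthenticator(), secrets.token_urlsafe(32)
    key = auth.register(RP_ID)
    client_data = client_data_json(challenge, proxy_origin)
    auth_data, sig = auth.get_assertion(RP_ID, client_data)
    return rp_verify(key, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relay attempt:", aitm_relay_attempt())
    print("forged origin:", forged_origin_case())
```

Contrast this with the password-plus-OTP flow the report says AiTM defeats: there, nothing in the submitted secret names the origin, so a proxy can forward it unchanged and collect the resulting session token. The three functions show the three layers that break that relay for FIDO2: browser rpId scoping, authenticator credential scoping, and the relying party's origin check on signed data.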