A new report published today by researchers at Cisco Talos details the evolving tactics and techniques used by prolific ransomware groups and the need to protect against them.

Ransomware is far from new, with the report identifying groups such as ALPHV/Blackcat as among the most prolific. However, ransomware groups do not remain static; they constantly evolve to target potential victims better.

Their methods range from phishing for credentials to exploiting zero-day or previously unknown vulnerabilities in public-facing applications. Gaining initial access remains a critical focus for ransomware gangs, with valid accounts being a common target.

While many ransomware gangs have been around for a long time, the landscape more recently has seen the emergence of new groups like Hunters International, Cactus and Akira, each carving out specific niches. The groups are said to employ unique operational structures and goals, further diversifying the threat environment.

Another notable finding is the prevalent use of defense evasion tactics, including disabling security software and modifying system registries. These techniques increase the dwell time — the duration that a threat actor remains undetected within a compromised network — making detection and remediation more challenging.

The report notes that state-sponsored actors like Volt Typhoon and UAT4356 are adding another layer of complexity to the ransomware landscape, making things harder for defenders. The groups have been documented targeting critical infrastructure using bespoke tools and exploiting high-profile vulnerabilities.

Cisco Talos’ analysis also provides details on the tactics used during the later stages of an attack, such as data exfiltration and double extortion. By combining data theft with encryption, ransomware actors maximize their leverage over victims, increasing the likelihood of the ransom demanded being paid.

To defend against ransomware attacks, the researchers note the critical importance of regular patch management and robust security controls. Companies should implement multifactor authentication and network segmentation to stop ransomware attacks before they begin.

The report also provides mitigation recommendations while emphasizing the need for a proactive approach to cybersecurity. Organizations are urged to adopt the principle of least privilege, minimize information technology exposure to the internet and employ continuous monitoring and endpoint detection solutions to stay ahead of evolving ransomware threats.

Image: SiliconANGLE/Ideogram