Threat actors have significantly accelerated their deployment of ransomware in recent years, from an average of over 60 days per attack in 2019 to less than four days in 2021, according to IBM.
The firm’s annual X-Force Threat Intelligence Index was compiled from billions of datapoints collected in 2022 from network and endpoint devices, incident response engagements, vulnerability and exploit databases, and more.
It found that although ransomware’s share of incidents fell from 21% in 2021 to 17% in 2022, attackers are conducting their attacks more quickly than ever – with a 94% reduction in the average time taken to deploy ransomware between 2019 and 2021.
“One particularly damaging way ransomware operators distribute their payload across a network is by compromising domain controllers. A small percentage, approximately 4%, of network penetration test findings by X-Force Red revealed entities that had misconfigurations in Active Directory that could leave them open to privilege escalation or total domain takeover,” the report explained.
“In 2022, X-Force also observed more aggressive ransomware attacks on underlying infrastructure, such as ESXi and Hyper-V. The potentially high impact of these attack methods underscores the importance of securing domain controllers and hypervisors properly.”
The continued prevalence of ransomware helped to make extortion the number one goal of threat actors last year. It featured in a fifth (21%) of attacks, ahead of data theft (19%) and credential harvesting (11%) in second and third place.
IBM said business email compromise (BEC) was the other major driver of extortion-based attacks, and that these attacks frequently featured the use of remote access tools, crypto-miners, backdoors, downloaders and web shells.
Manufacturing firms accounted for the largest group of victims (30%) in extortion attacks.
Elsewhere, phishing remained the number one initial access vector last year, identified in two-fifths (41%) of incidents, followed by exploitation of public-facing applications (26%).
Once inboxes have been compromised, threat actors are increasingly turning to thread hijacking techniques to add legitimacy to spam emails and improve their chances of victim engagement.
IBM recorded a 100% increase in thread hijacking attempts per month in 2022 versus a year previously, with Emotet, Qakbot and IcedID campaigns in particular making heavy use of the tactic.