According to researchers, in 2022, 43% of ransomware attacks began by exploiting vulnerabilities in public-facing applications. In almost one in four cases (24%), ransomware attacks began with the use of previously compromised user accounts, and in 12% with malicious emails. In some cases, attackers aimed not to encrypt data, but to gain access to personal information, intellectual property, and other confidential data of organizations. Additionally, ransomware was sometimes used to cover up traces of an attack and make it more difficult to investigate. While investigating ransomware incidents, experts found that attackers often remained in the client’s network for some time after gaining access. Attackers used PowerShell for data collection, Mimikatz for privilege escalation, PsExec for remote command execution, or frameworks like Cobalt Strike for all stages of the attack.
Konstantin Sapronov, Head of the Global Computer Incident Response Team at Kaspersky Lab, commented: “Compromised user credentials, software vulnerabilities, and social engineering techniques often allow attackers to penetrate corporate infrastructure and perform malicious actions, including ransomware attacks. To minimize these risks, companies should implement and manage strong password policies, regularly update corporate software, and train employees in the basics of information security.”
According to Kaspersky Lab’s annual survey, more than 40% of companies worldwide experienced at least one ransomware attack in 2022. Small and medium enterprises paid an average of $6,500 for data recovery, while large businesses paid an average of $98,000.