Hackers exploited known, unpatched vulnerabilities in public-facing networks for initial entry into the network. Another common entry route was the use of compromised credentials for remote access services, including VPN and RDP, which threat actors used to gain access to networks, the report noted. Cyber thieves also abused legitimate remote administration tools such as “AnyDesk”.
They used these to execute scripts in safe mode, evade installed security solutions and carry out further attacks. Multiple platforms, including Linux-based operating systems, virtual environments such as ESXi, backup storage and cloud environments, were also targeted.
For cloud-based systems, ransomware groups chose to wipe the data after exfiltration rather than encrypting it, the report said. Major sectors affected by these attacks include data centres, IT/ITeS, manufacturing and finance, oil and gas, transport and power.
The report noted that, among the prominent ransomware families observed in H1 2022, Djvu/Stop and Lockbit were the most used. While Djvu/Stop was used for citizen-centric attacks, Lockbit was mostly utilised for targeted attacks. Citizen-centric attacks refer to attacks on the personal devices of prominent individuals such as CAs, lawyers, journalists and politicians, while targeted attacks refer to attacks on organisations.
Other ransomware families used for attacks included Phobos, for both citizen-centric and targeted attacks, while Hive group activity was observed in targeted attacks.
And while families like Djvu/Stop have mostly been used in citizen-centric attacks, they can be used to target organisations as well; similarly, Lockbit can be used in citizen-centric attacks.
CERT-In suggested that victims of these attacks must isolate the infected systems from networks, report such attacks to CERT-In or other regulatory authorities, and lodge an FIR with law enforcement agencies.
However, it urged victims to avoid negotiating or paying the ransom in such attacks.