This appendix to our Annual Threat Report provides additional statistics on incident data and telemetry detailing the tools used by cybercriminals targeting small and midsized businesses (SMBs). For a broader look at the threat landscape facing SMBs, see our main report.
Appendix Contents:
Most frequently encountered malware types
Small and midsized businesses face an enormous set of threats to data, some of which may be precursors to ransomware attacks or may lead to other breaches of sensitive information. Ransomware dominates the malware observed in Sophos MDR and Sophos Incident Response cases from 2024, with the top 10 accounting for over 25% of all incidents MDR and IR tracked over the year. But they weren't the whole story, and nearly 60% of MDR incidents involved threats not involving ransomware.
Figure 13: The most commonly seen categories of malware detection seen in 2024, based on customer detection reports

Command-and-control tools, malware loaders, remote administration tools, and information-stealing malware make up the majority of the malicious software seen targeting small businesses (apart from ransomware). And these tools, not all of which are technically malware, are used as part of the delivery of ransomware and other cybercriminal attacks.
Only one of the top 10 tools and malware seen in Sophos MDR and IR incidents doesn't fall into this category: XMRig. It is a cryptocurrency-mining malware often used to passively generate revenue before access is sold or otherwise exploited by a ransomware actor.


Dual-use tools
One trend that continues from previous years is the extensive use of generally available commercial, freeware, and open-source software by cybercriminals to conduct ransomware attacks and other malicious activity. Sophos MDR refers to these as "dual-use tools," as they may be present on networks for legitimate reasons, but are frequently used by cybercriminals for malicious purposes.
Dual-use tools are different from "living-off-the-land binaries" (LOLBins) in that they are full applications deployed and used as intended by malicious actors, rather than operating system-supplied components and scripting engines. Some of the tools that fall into "dual use" are specifically security testing-oriented and intended for red teams: Impacket and Mimikatz are open-source tools that were built specifically for security researchers. Others such as SoftPerfect Network Scanner and Advanced IP Scanner are intended as tools for network administrators, but can be used by cybercriminals for discovery of networked devices and open network ports.
Figure 17: Top 15 "dual use" tools seen in Sophos MDR and Sophos Incident Response incidents, by frequency
Figure 18: Top 9 "dual use" attack tools in Sophos endpoint detections
Commercial remote access tools are collectively the most frequently used dual-use tools encountered in MDR and IR incidents:

With commercial remote access tools, the attackers often abuse trial account licenses or use pirated licenses for the versions they deploy to targeted machines. In many cases, this is done after initial exploitation via malware droppers, web shells, or other command-and-control tools. In others, it is pushed via social engineering: getting a targeted individual to download and install the software themselves, as we have seen in recent Teams "vishing" attacks.
Use of legitimate remote machine management tools, particularly by ransomware actors, has been growing, though the remote desktop access tools AnyDesk and ScreenConnect remain the most frequently used commercial IT support tools seen in Sophos MDR and IR incidents. And the most common tool remains PSExec, a Microsoft "lightweight Telnet replacement" used to remotely execute commands and create command shell sessions.
Sophos customers can restrict their use via Sophos Central using application control policies, and should restrict any tools that are not being used for legitimate IT support.
Attack tools
Cobalt Strike, Sliver, Metasploit, and Brute Ratel are penetration testing tools, and not malware in the legal sense. But they are frequently used to deliver malware and for command and control of malware attacks. Having a well-documented, commercially supported post-exploitation tool like these is a major plus for cybercriminals who would otherwise have to build their own tools to expand their footprint within a targeted organization.
Cobalt Strike remains the most heavily used of these attack tools, present in eight percent of all incidents and nearly 11 percent of ransomware-related incidents. This is a significant decline from 2023, when Cobalt Strike was the third most frequently seen commercial tool used in MDR incidents, ranking only behind the AnyDesk and PSExec remote access tools. Sliver and Metasploit-based tools, which are available as open source, are seen even less frequently, and Brute Ratel use by cybercriminals remains extremely rare.
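One way a defender can act on the allowlist advice above is to check Windows "service installed" events (System log, Event ID 7045) for the dual-use tools the report names and flag any that policy does not sanction. This is an added example, not Sophos code or a Sophos Central policy; the log records are constructed, and the allowlist (only ScreenConnect approved) is a hypothetical policy.

```python
"""Flag unapproved dual-use remote tools from Windows Event ID 7045 records.

Added example, not Sophos code. Log records below are constructed; the
allowlist is a hypothetical policy for an organisation whose IT support
uses only ScreenConnect."""
import re
from typing import Dict, List

# Service-name or image-path markers for the tools the report lists. PsExec
# installs a service named PSEXESVC on the target; RMM agents install their own.
TOOL_SIGNATURES = {
    "PsExec": re.compile(r"PSEXESVC", re.I),
    "AnyDesk": re.compile(r"AnyDesk", re.I),
    "ScreenConnect": re.compile(r"ScreenConnect", re.I),
}
APPROVED_TOOLS = {"ScreenConnect"}  # hypothetical policy

# Constructed records in a flat "EventID=...;Host=...;Service=...;Path=..." form.
SAMPLE_LOG = """\
EventID=7045;Host=FS01;Service=PSEXESVC;Path=%SystemRoot%\\PSEXESVC.exe
EventID=7045;Host=WS17;Service=AnyDesk Service;Path=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service
EventID=7045;Host=WS03;Service=ScreenConnect Client (abc123);Path=C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe
EventID=7045;Host=WS03;Service=Print Spooler Helper;Path=C:\\Windows\\System32\\spoolsv.exe
EventID=7036;Host=FS01;Service=AnyDesk Service;Path="""

LINE_RE = re.compile(
    r"EventID=(?P<id>\d+);Host=(?P<host>[^;]+);Service=(?P<svc>[^;]*);Path=(?P<path>.*)"
)

def parse(log: str) -> List[Dict[str, str]]:
    """Parse the flat records into dicts, skipping malformed lines."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def flag_dual_use(log: str) -> List[Dict[str, str]]:
    """Return one finding per unapproved dual-use tool installed as a service."""
    findings = []
    for rec in parse(log):
        if rec["id"] != "7045":
            continue  # only service-installation events are of interest here
        haystack = rec["svc"] + " " + rec["path"]
        for tool, pat in TOOL_SIGNATURES.items():
            if pat.search(haystack) and tool not in APPROVED_TOOLS:
                findings.append({"host": rec["host"], "tool": tool, "service": rec["svc"]})
    return findings

if __name__ == "__main__":
    for f in flag_dual_use(SAMPLE_LOG):
        print(f"{f['host']}: unapproved {f['tool']} installed as service '{f['service']}'")
```

On the sample, PsExec on FS01 and AnyDesk on WS17 are flagged; the sanctioned ScreenConnect install and the non-7045 event are not.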
Information stealers

Information-stealing malware is often the first step in the access broker's playbook, providing passwords, cookies, and other data that can be used for financial fraud, business email compromise, and ransomware attacks, among other schemes.
Lumma Stealer, sold via Russian-speaking forums as a Malware-as-a-Service (MaaS), was the most frequently encountered information stealer in MDR incidents, and second in overall endpoint detection reports. A major Lumma Stealer campaign beginning in October made it the most reported stealer for the last quarter of 2024, far surpassing last year's MaaS stealer leader RaccoonStealer (which released a new version in 2024 after its infrastructure was disrupted) and by year's end eclipsing Strela Stealer (which was rising in the ranks in 2023; it peaked early in 2024, but trailed off in the second half of the year). No MDR incidents tracked in 2024 involved Strela Stealer.
Figure 21: Lumma Stealer activity in 2024 as observed in customer endpoint detections


First tracked in August 2022, Lumma Stealer is believed to be a successor of Mars Stealer, another information stealer purportedly of Russian origin. This stealer primarily targets cryptocurrency wallets, browser session cookies, browser two-factor authentication extensions, stored File Transfer Protocol server addresses and credentials, and other user and system data.
Like some other information stealers (such as Raccoon Stealer), Lumma Stealer can also be used to deliver additional malware, either by launching executables or PowerShell scripts, or by loading malicious DLLs from its own process. Typically, Lumma Stealer is delivered from a compromised website (often a fake CAPTCHA web page) as a download that victims are brought to via malvertising.
Lumma Stealer is often associated with broader cybercriminal activity. Another MaaS stealer sold on Russian-language forums, StealC, was seen with a much higher correlation to ransomware incidents. Introduced in January 2023, it has been labeled by researchers as a RaccoonStealer and Vidar copycat.
Of regional note is Mispadu Stealer, which continues to target Latin America (and Mexico specifically). In the second quarter of 2024, it was the second-most detected stealer, coming in just behind Strela Stealer, with 74% of those detections coming from Mexico. It has been seen using malicious web and search advertising, particularly posing as web ads for McDonald's.
Top ransomware threats


LockBit, kind of
The most-detected ransomware family in 2024 was LockBit, but not because of the ransomware group that spawned it. In February 2024, US and UK law enforcement claimed to have disrupted the LockBit group by seizing the ransomware-as-a-service group's servers, arresting two of its members, and charging another in an indictment. In the wake of this disruption, numerous variants based on the leaked LockBit 3.0 code became active in the wild, resulting in a spike of LockBit detections in early 2024. However, by March, detections trailed off significantly, with a slight rebound in April and early May (though the LockBit gang may not be gone forever).
The groups using LockBit 3.0 frequently used EDR killers and other malware and techniques to attempt to disable endpoint protection. Their initial access was often via VPN accounts that had been compromised (in some cases due to vulnerabilities in the VPN devices themselves), or via the abuse of credentials harvested from unmanaged devices to gain remote access.

Akira and Fog
In terms of actual incidents, the Akira ransomware-as-a-service led the pack in 2024, eventually stepping in to fill the void left by LockBit. Initially seen in 2022, Akira attacks ramped up in late 2023. The group and its affiliates were steadily active throughout 2024, spiking in August when Akira accounted for 17% of the ransomware detections reported by Sophos customers, doubling from its position in the first two quarters of the year. By year's end, it still accounted for 9% of ransomware detection reports.
Notably, Sophos observed affiliates tied to Akira also deploying other ransomware variants, including Fog, Frag and Megazord. These attackers (such as those in STAC5881) typically focused on exploiting VPNs for initial access. Typically, Akira's targets had VPNs with no multifactor authentication, or had misconfigured VPN gateways that allowed the attackers to gain access with stolen credentials or brute force attacks.
While Akira remains active, Fog ransomware has sometimes been used as a replacement by affiliates previously associated with Akira, which accounts for its position in third among the top 15 ransomware families encountered in MDR and IR incidents.
RansomHub
RansomHub was another rising leader in ransomware incidents in 2024. While tied for sixth in overall detections, RansomHub was the fourth most observed ransomware family in actual MDR and IR incidents.
Between February and August 2024, according to a Cybersecurity and Infrastructure Security Agency #StopRansomware advisory, RansomHub had "encrypted and exfiltrated data from at least 210 victims." The majority of Sophos MDR and IR cases involving RansomHub came in the second half of the year, mounting in numbers in November.
Most RansomHub attacks involved abuse of RDP along with other legitimate remote desktop tools, including AnyDesk. Initial access in some reported cases came from leveraging the seven-year-old Windows SMB Remote Code Execution Vulnerability (CVE-2017-1444), though this was not observed in the Sophos MDR and IR cases represented in our data. Initial access vectors Sophos X-Ops observed in RansomHub cases included abuse of externally facing Microsoft SQL Servers for command execution, abuse of open RDP and Remote Desktop Web access, and compromise of unmanaged devices.