In Q2 2022, ransomware remains one of the main threats towards information security, and the META region is not an exception.

One of the most notable cases includes attacks on Shoprite, the largest retail chain in Africa. Other examples of aggravating situation with ransomware in the region, include attacks performed by LockBit group in sub-Saharan Africa region and reported Cl0p attacks on entities in UAE.

In addition, Kaspersky experts have been witnessing a growing industrialisation of ransomware groups in terms of their inner structure, advertising, and inventive techniques used during the attacks. This trend has been mentioned in ransomware trends issued by Kaspersky earlier this year.

“We can clearly see a distinctive trend in development of ransomware towards getting more sophisticated and targeted, exposing victims to more threats,” comments Maher Yamout, senior security researcher at Kaspersky. “In recent years, ransomware groups have come a long way from being scattered gangs to businesses with distinctive traits of full-fledged industry.

“We are seeing more and cases where ransomware attacks are performed manually, in a time-consuming, yet efficient manner that was not very typical for small-scale attackers previously.”

In order to better understand and analyse the most common tactics, techniques, and procedures (TTPs), Kaspersky’s Threat intelligence team prepared an extensive study of modern ransomware, which will serve as an aid in understanding how ransomware groups operate and how to defend against their attacks.

The analysis within the guide focuses on the activity of Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. These groups have been active in the United States, Great Britain and Germany and other countries, and have targeted over 500 organisations within industries such as manufacturing, software development and small business, between March 2021 and March 2022.

Kaspersky experts analysed how these ransomware groups employed the techniques and tactics described in MITRE ATT&CK knowledge base and found a lot of similarities among their TTPs throughout the cyber kill chain. The revealed ways the groups attacked proved to be quite predictable, with ransomware attacks following a pattern that includes the corporate network or victim’s computer, delivering malware, further discovery, credential access, deleting shadow copies, removing backups and, finally, achieving their objectives.

The researchers also explain where the similarity between attacks comes from:

* The emergence of a phenomenon called ‘Ransomware-as-a-Service’ (RaaS), where the ransomware groups do not deliver malware by themselves, but only provide the data encryption services. Since the people who deliver malicious files also want to simplify their lives, they use template delivery methods or automation tools to gain access.

* Reusing old and similar tools makes life easier for attackers and reduces the time it takes to prepare an attack.

* Reusing common TTPs makes hacking easier. Although it is possible to detect such techniques, it’s much harder to do preventively across all possible threat vectors.

* Slow installation of updates and patches among victims. It is often the case that those who are vulnerable are attacked.

The public version of the ransomware TTPs’ report is available for download on Securelist.com.