Over three-quarters of cyber incidents impacted small businesses in 2023, with ransomware having the biggest impact on these firms, according to a new Sophos report.
The notorious LockBit group made up the highest number of small business ransomware incidents handled by Sophos Incident Response last year, at 27.59%.
LockBit infections were considerably higher than the next highest groups: Akira (15.52%), BlackCat (13.79%) and Play (10.34%).
The report also highlighted evolving tactics used by ransomware operators as 2023 progressed. This included an increase in the use of remote encryption, whereby attackers leverage an unmanaged device on organizations’ networks to attempt to encrypt files on other systems through network file access.
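As an added illustration of the remote-encryption technique described above (example code written for this article, not from the Sophos report), the detector below scans constructed file-server rename audit events and flags a client that is absent from an assumed inventory of agent-managed hosts and renames many files to a new extension within a short window. The log format, the inventory, the thresholds and the `.locked` extension are all assumptions made for the sample.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory of managed hosts (running an endpoint agent); any other client is "unmanaged".
MANAGED_HOSTS = {"10.0.0.5", "10.0.0.6"}
WINDOW = timedelta(seconds=60)  # sliding window for the burst check
MIN_RENAMES = 4                 # extension-changing renames inside one window that trigger a finding

# Constructed sample of file-server rename audit events (not real telemetry).
SAMPLE_AUDIT_LOG = """ts,client_ip,op,path,new_path
2023-06-01T02:00:03,10.0.0.5,rename,finance/draft.docx,finance/final.docx
2023-06-01T02:05:00,10.0.0.42,rename,shared/old.txt,shared/old.bak
2023-06-01T02:10:01,10.0.0.99,rename,finance/Q2.xlsx,finance/Q2.xlsx.locked
2023-06-01T02:10:02,10.0.0.99,rename,finance/Q3.xlsx,finance/Q3.xlsx.locked
2023-06-01T02:10:04,10.0.0.99,rename,hr/payroll.csv,hr/payroll.csv.locked
2023-06-01T02:10:05,10.0.0.99,rename,hr/staff.xlsx,hr/staff.xlsx.locked
2023-06-01T02:10:07,10.0.0.99,rename,hr/policy.pdf,hr/policy.pdf.locked
"""

def _ext(path):
    name = path.rsplit("/", 1)[-1]          # lower-cased final extension, '' if none
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def parse_events(text):
    rows = list(csv.DictReader(text.splitlines()))  # header row gives the field names
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows

def find_remote_encryption(events, managed=MANAGED_HOSTS, window=WINDOW, min_renames=MIN_RENAMES):
    """{client_ip: finding} for unmanaged clients with a burst of extension-changing renames."""
    per_client = defaultdict(list)
    for e in events:
        if e["client_ip"] in managed or e["op"] != "rename":
            continue  # managed hosts are covered by their agent; non-rename ops are ignored here
        if _ext(e["path"]) != _ext(e["new_path"]):
            per_client[e["client_ip"]].append(e)
    findings = {}
    for ip, renames in per_client.items():
        renames.sort(key=lambda e: e["ts"])
        best = start = 0
        for end in range(len(renames)):  # sliding window over sorted timestamps
            while renames[end]["ts"] - renames[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_renames:
            findings[ip] = {"renames": best, "first_seen": renames[0]["ts"].isoformat(),
                            "new_extensions": sorted({_ext(e["new_path"]) for e in renames})}
    return findings
```

Only the unmanaged client 10.0.0.99 is reported; the managed host and the single benign rename from 10.0.0.42 are not.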
Additionally, ransomware operators are building malware to target macOS and Linux operating systems. Sophos researchers have observed leaked versions of LockBit ransomware targeting macOS on Apple’s own processor and Linux on multiple hardware platforms.
Data Theft the Main Focus for SMB Attacks
The research found that over 90% of cyber-attacks reported by Sophos customers involved data or credential theft in some form, ranging from ransomware to data breaches.
Nearly half (43.26%) of all malware targeting small and medium businesses (SMBs) last year focused on data theft. These were made up of password stealers, keyboard loggers and other spyware.
The most prominent ‘stealer’ malware detected across Sophos’ telemetry last year were RedLine (8.71%), Raccoon Stealer (8.52%), Grandoreiro (8.17%) and Discord Token Stealer (8.12%).
The report noted that stolen credentials have huge value for malicious actors. Their uses include:
- Follow-on social engineering attacks, such as business email compromise (BEC)
- Access to third-party services, such as cloud-based finance systems
- Access to internal resources that can be exploited for fraud or other monetary gain
- Being sold by access brokers on underground forums
The researchers also observed an increase in information-stealing malware that targets macOS in 2023, a trend expected to continue this year.
These stealers are capable of collecting system data, browser data and cryptowallets, and some of them are sold in underground forums and Telegram channels for as much as $3000.
Christopher Budd, director of Sophos X-Ops research at Sophos, commented: “The value of ‘data’ as currency has increased exponentially among cybercriminals, and this is particularly true for SMBs, which tend to use one service or software application, per function, for their entire operation.”
Social Engineering Attacks Evolving Fast
The report highlighted a rise in malware-as-a-service (MaaS) operators using malicious web advertising and search engine optimization (SEO) poisoning to infect victims.
SEO poisoning is a technique in which threat actors purchase legitimate search-ranking or advertising services to increase the prominence of their websites in search engine results, making those sites appear authentic.
In one example, a group using malware dubbed ‘Nitrogen’ leveraged Google and Bing advertisements tied to specific keywords to lure targets into downloading a software installer from a fake website, using a legitimate software developer’s brand identity.
Sophos said BEC incidents were identified by its Incident Response team more often than any other attack type, except for ransomware.
The report found BEC attackers have become “far more creative,” moving beyond simply posing as an employee and asking another employee to send gift cards.
The most effective BEC actors are more likely to strike up a conversation first, before sending malicious links and attachments after receiving a reply from the target, according to the researchers.
Scammers were also observed experimenting with a variety of methods to avoid email security detection tools. This included replacing any malicious text content in their messages with embedded images and using QR codes or images that appear to be invoices.
Attackers moved to PDF file attachments “almost exclusively” last year, the report found. These primarily link to malicious scripts or sites, and sometimes use embedded QR codes.