CTI Roundup: 2024 Ransomware Recap, Breached Passwords, and O365 Exploits
The latest ransomware players and tactics, new insights on stolen passwords, and two attacks involving O365
This week, CTI looks at the key players and emerging tactics of ransomware actors from 2024. Next, CTI investigates a new report offering insights on stolen passwords. Finally, CTI examines reports of two recent incidents where threat actors used aspects of Office 365 to access victim organizations with the intent to deploy ransomware.
Trustwave highlights key ransomware players and tactics
Trustwave’s latest report looks at some of the key players and emerging tactics of ransomware actors from 2024.
According to Trustwave, financial motives continued to be at the forefront of the overall ransomware landscape last year. Trustwave also outlines the overlapping tactics, techniques, and procedures (TTPs) of ransomware groups in 2024 and provides insights into the 2025 ransomware ecosystem.
The top 5 affiliate ransomware programs of 2024
Trustwave identified what they refer to as the “big five” affiliate programs of 2024 by looking at data leak site activities:
- RansomHub established itself as a notable ransomware affiliate in 2024. This is primarily due to the group’s affiliate-friendly model, which offers a 90-10 payment split favoring affiliates. The group did not experience any notable interruptions and set itself apart with its custom EDR killer malware. RansomHub is positioned to remain a top threat this year.
- El Dorado first emerged in March 2024 and rebranded itself as BlackLock later in the year. The group gained traction quickly with its cross-platform capabilities and remains a threat into 2025.
- Lynx emerged in July 2024 and was another successful ransomware group. Specific details and TTPs that lead up to the ransomware deployment are still unclear, but the actors are known to consistently delete shadow copies of backups.
- FOG first emerged in May but did not announce its data leak site until mid-June. Affiliates of FOG used custom scripts, credential-stuffing techniques, and other persistence methods.
- BASHE first appeared as APT73 before changing its name in October. The group quickly gained traction with its data leak site-as-a-service model, which set it apart from traditional ransomware-as-a-service (RaaS) models.
Overlapping TTPs
Trustwave mapped the techniques observed from ransomware actors in 2024 to better understand their operations and summarized the results in a heatmap of the most frequently observed techniques.
The heatmap, which can be found in their report, highlights the top overlapping techniques, such as exploiting public-facing applications, scheduled tasks, spear phishing, malware, and others.
2025 ransomware outlook
Ransomware will remain prominent in 2025, considering how effective it was in 2024.
The ransomware ecosystem is “increasingly characterized by the decentralization of operations, a trend spurred by the disruptions of larger groups.” According to Trustwave, this has helped shape the current landscape in which smaller groups can emerge and be successful quite quickly.
RansomHub’s affiliate-friendly model will enable it to remain prominent in 2025, as long as there are no significant disruptions.
Trustwave anticipates a continuation of ransomware developed in Go, alongside decentralized groups, combined extortion tactics, and the emergence of new affiliate programs.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Ransomware operations are having an easier time adapting to law enforcement efforts, making them more resilient – and dangerous.
New ransomware groups will likely continue to emerge, and existing groups may break off into different ransomware brands in 2025. However, as Trustwave reminds us, these groups can disappear just as quickly as they emerge, making it “uncertain which will evolve into long-term threats.”
Specops releases breached password report
Specops recently released its breached password report, sharing insights from stolen passwords throughout 2024.
According to the report, more than 1 billion credentials were stolen by malware during a 12-month span, with 230 million meeting standard complexity requirements.
Specops details some of the observed trends, including the top stolen passwords, the most common base terms, the most common password lengths, and the most used credential-stealing malware.
Weak password trends and patterns
Specops incorporated statistics from other sources to emphasize some of the findings. For example, a LastPass survey previously found that 91% of users are aware of the risks of password reuse across accounts, yet 59% do so regardless. This makes some of their findings even more alarming.
Specops analyzed the 1,089,342,532 stolen passwords it captured, starting with the most common weak passwords and base terms. The top five stolen passwords were:
- 123456
- Admin
- 12345678
- password
- Password
The password “123456” had 3.7 million exact matches. The most common base terms were admin, guest, qwerty, welcome, and password.
According to Specops, eight characters is the most common length, accounting for 189 million of the stolen passwords analyzed. They also examined passwords that met complexity requirements, defined as a minimum of eight characters with at least one capital letter, one number, and one special character. A total of 230 million of the stolen passwords met these requirements.
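To make the point that complexity alone says little about a password's safety, here is an added example (not from the Specops report) that applies the report's eight-character/upper/digit/special rule alongside a denylist check. The denylist is a constructed sample seeded only with the top stolen passwords and base terms quoted above; a real deployment would load a full breached-password corpus, and the leet-speak map and `base_term` normalization are assumptions of this example.

```python
import re

# Constructed sample denylist seeded with the top stolen passwords and most
# common base terms cited in the report. Replace with a full breached corpus.
BREACHED_PASSWORDS = {"123456", "admin", "12345678", "password"}
COMMON_BASE_TERMS = {"admin", "guest", "qwerty", "welcome", "password"}

# Minimal leet-speak reversal (assumed substitutions, not from the report).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw: str) -> bool:
    """The 8-char / uppercase / digit / special-char rule the report measured against."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def base_term(pw: str) -> str:
    """Reduce a password to its likely base term: lower-case, strip leading and
    trailing digits/symbols (e.g. 'Admin@2024' -> 'admin'), then undo leet-speak
    inside the remaining core (e.g. 'P@ssw0rd' -> 'password')."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET_MAP)


def evaluate(pw: str) -> dict:
    """Return both verdicts so the gap between 'complex' and 'safe' is visible."""
    term = base_term(pw)
    breached = pw.lower() in BREACHED_PASSWORDS or term in BREACHED_PASSWORDS
    weak_base = term in COMMON_BASE_TERMS
    complex_ok = meets_complexity(pw)
    return {
        "complexity_ok": complex_ok,
        "base_term": term,
        "accepted": complex_ok and not breached and not weak_base,
    }


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "Admin@2024", "Correct-Horse7Battery"):
        print(candidate, evaluate(candidate))
```

"Password1!" and "Admin@2024" satisfy the complexity rule yet reduce to base terms on the denylist, which is exactly the category the report counts among the 230 million complexity-compliant stolen passwords.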
How hackers use malware to steal passwords
Stolen credentials are clearly in high demand, considering how many were stolen in 2024 alone. That demand correlates directly with the growth of infostealer malware designed to collect data, including credentials.
Specops found that the RedLine infostealer malware is quite popular, accounting for almost half of the stolen passwords they analyzed. The Raccoon Stealer and Vidar stealer also accounted for 11.7% and 17% of the stolen passwords, respectively.
Analyst comments from Tanium’s Cyber Threat Intelligence team
The overall premise of the Specops report is nothing new: Threat actors consistently target weak passwords, as well as strong ones.
The report provides a detailed overview of the credential theft landscape while providing trends and recommendations that can help security professionals understand how to stay safe.
It’s important to keep in mind that simply meeting password complexity requirements is not enough, as nearly a quarter of stolen passwords met these requirements.
Actors use email bombing and Teams vishing
Sophos shared two incidents where threat actors exploited Office 365 to access victim organizations intending to deploy ransomware.
The incidents were linked to two different threat actors, each operating and maintaining their own Microsoft Office 365 service tenants to further their attacks.
Some of the tactics used in these incidents include email bombing, sending Teams messages, making Teams voice and video calls, and using Microsoft remote control tools.
STAC5143 and STAC5777
Sophos is tracking the two threat actors as STAC5143 and STAC5777.
- STAC5143: Some of the malware employed by this threat cluster is similar to that used by a group tracked as FIN7. However, pieces of the attack chain differentiate the groups. Sophos observed activity from this group in November when an organization reported receiving a large volume of spam messages, with over 3,000 occurring in a 45-minute span. Not long after receiving the messages, the individuals received a Teams video call from a “Help Desk Manager” account. Once on the call, the victim was instructed to allow a remote screen control session via Teams, enabling the attacker to drop files and execute Python malware. STAC5143 was observed leveraging the built-in remote control in Teams, a Java archive to automate exploitation, and Python-based backdoors downloaded from a remote SharePoint link.
- STAC5777: Similar to the previous threat cluster, STAC5777 has targeted organizations with email bombing and a Microsoft Teams message. The Teams message from this group will request a call with the victim to help fix the issue. STAC5777 was observed utilizing Microsoft Quick Assist, making hands-on keyboard configuration changes, deploying malware, using a legitimate Microsoft updater, and employing other techniques and tools previously associated with a group known as Storm-1811.
In each incident, the attacker had the victim install Microsoft Quick Assist from the legitimate Microsoft website over the Teams call. This was then used to establish a remote session, giving the attacker control of the victim’s device. Once the actor had control, they downloaded a malicious payload, established persistence, and connected to the C2 server.
Using the obtained credentials, the actor searched for hosts to facilitate lateral movement. In one instance, the actor even tried to execute Black Basta ransomware but was ultimately blocked.
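The email-bombing stage that opened both incidents (over 3,000 messages to one user in 45 minutes) is easy to alert on from mail-gateway logs. Below is an added detection example, not code from Sophos or Tanium: a per-recipient sliding-window counter run over a constructed log sample. The log line format, threshold and window are assumptions of this example and should be tuned to the environment's own baseline.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds chosen from the incident described above; tune to local baseline.
WINDOW = timedelta(minutes=45)
THRESHOLD = 3000


def parse_line(line: str) -> tuple[datetime, str]:
    """Parse one constructed gateway log line: '<ISO timestamp> from=... to=<rcpt>'."""
    ts, rest = line.split(" ", 1)
    recipient = rest.split("to=", 1)[1].split()[0]
    return datetime.fromisoformat(ts), recipient


def find_mail_bombed_recipients(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {recipient: peak count seen in any `window`-long sliding window}
    for recipients whose peak reaches `threshold`. Lines must be time-ordered."""
    recent: dict[str, deque] = {}
    peaks: dict[str, int] = {}
    for line in lines:
        ts, rcpt = parse_line(line)
        q = recent.setdefault(rcpt, deque())
        q.append(ts)
        while q and ts - q[0] > window:  # evict events older than the window
            q.popleft()
        if len(q) > peaks.get(rcpt, 0):
            peaks[rcpt] = len(q)
    return {r: n for r, n in peaks.items() if n >= threshold}


def constructed_sample() -> list[str]:
    """Constructed log: a 3,200-message burst to one user inside 45 minutes,
    plus routine mail to a second user every 20 minutes across the day."""
    start = datetime(2024, 11, 12, 9, 0, 0)
    burst = [f"{(start + timedelta(seconds=i * 0.84)).isoformat()} "
             f"from=spam{i}@example.net to=victim@corp.example" for i in range(3200)]
    normal = [f"{(start + timedelta(minutes=20 * i)).isoformat()} "
              f"from=peer@corp.example to=colleague@corp.example" for i in range(40)]
    return [line for _, line in sorted((parse_line(l)[0], l) for l in burst + normal)]


if __name__ == "__main__":
    print(find_mail_bombed_recipients(constructed_sample()))
```

The same counter pairs naturally with a second signal the incidents share: a Teams call or message from an external tenant arriving shortly after the burst.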
Analyst comments from Tanium’s Cyber Threat Intelligence team
This report demonstrates the growing popularity of Microsoft Teams as a social engineering tool for threat actors.
Over the past several months, numerous incidents have occurred in which threat actors posed as IT support to gain initial access. As Sophos points out, end-users need to be mindful of how they normally engage with IT support teams and be on the lookout for abnormalities.