Mailbombing on the rise, top new ransomware operations, shortening dwell times and more – here’s what to watch for and why in the coming 12 months.
Sophos recently shared some ransomware trends to watch for with Cyber Daily, and it looks like Australian businesses – and businesses worldwide – are going to be in for a rough year ahead.
Mailbombing
One of the major new trends is a serious uptick in mailbombing: in the past month alone, the company’s managed detection and response team has seen, on more than 15 occasions, campaigns in which more than 3,000 emails were sent to a single targeted employee within one hour.
The practice is particularly prevalent among Russian cyber-crime groups, but what exactly is mailbombing?
“Mailbombing is a technique where a cyber-criminal uses an automated system to send thousands of emails to a specific address, filling the target’s inbox with ‘spam’ messages,” Sean Gallagher, Principal Threat Researcher at Sophos, told Cyber Daily.
“This can be used to conceal things like email alerts to password changes made on accounts and other warnings, or simply to create a sense of urgency that makes the target vulnerable to fake tech support calls that lead to the attacker gaining access to their computer remotely.”
According to Sophos, cyber-criminals often pose as legitimate tech support providers via Microsoft Teams meetings to gain initial access to networks.
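The technique Gallagher describes leaves a clear trace in mail-gateway logs: one recipient, thousands of messages, one hour. The following is an added example (not Sophos’ tooling, data or code) of a detector that slides a one-hour window over a constructed gateway log, flags recipients whose inbox is being flooded, and then lists the security-relevant messages (password changes, new sign-ins) that landed during the flood, since hiding those is the point of the attack. The log line format, the 3,000-per-hour threshold (taken from the figure above) and the alert-subject patterns are assumptions.

```python
"""Detect mailbombing in mail-gateway logs and surface the alerts the flood hides.
Added example: the log format, field names and thresholds are assumptions."""
import random
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log line shape: ISO timestamp, recipient, sender, subject.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) to=<(?P<rcpt>[^>]+)> from=<(?P<sender>[^>]*)> subject="(?P<subject>[^"]*)"$'
)
# Subjects an attacker would want buried under the flood (assumed keyword list).
ALERT_RE = re.compile(
    r"password (was )?(changed|reset)|new sign-?in|security alert|verification code|mfa", re.I
)


@dataclass
class Msg:
    ts: datetime
    rcpt: str
    sender: str
    subject: str


def parse_line(line):
    """Return a Msg for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Msg(datetime.fromisoformat(m["ts"]), m["rcpt"].lower(), m["sender"], m["subject"])


def detect_mailbombs(lines, threshold=3000, window=timedelta(hours=1)):
    """Flag recipients receiving >= threshold messages inside any sliding window.
    Returns {recipient: {"start", "end", "peak", "top_senders", "buried_alerts"}}.
    Lines may arrive out of order; they are sorted by timestamp first."""
    msgs = sorted(filter(None, map(parse_line, lines)), key=lambda m: m.ts)
    recent = defaultdict(deque)   # recipient -> messages still inside the window
    floods = {}                   # recipient -> flood summary
    alerts = defaultdict(list)    # recipient -> security-relevant messages seen
    for m in msgs:
        q = recent[m.rcpt]
        q.append(m)
        while m.ts - q[0].ts > window:   # drop messages older than the window
            q.popleft()
        if ALERT_RE.search(m.subject):
            alerts[m.rcpt].append(m)
        if len(q) >= threshold:
            f = floods.setdefault(m.rcpt, {"start": q[0].ts, "end": m.ts, "peak": 0})
            f["end"] = m.ts
            if len(q) > f["peak"]:
                f["peak"] = len(q)
                f["top_senders"] = Counter(x.sender for x in q).most_common(3)
    report = {}
    for rcpt, f in floods.items():   # alerts that fell inside the flood are the ones at risk
        buried = [a for a in alerts[rcpt] if f["start"] <= a.ts <= f["end"]]
        report[rcpt] = {**f, "buried_alerts": buried}
    return report


def build_sample_log(seed=7):
    """Constructed log: normal traffic for two users plus a 3,200-message bomb
    against alice that lands on top of a genuine password-change alert."""
    def fmt(ts, rcpt, sender, subject):
        return f'{ts.isoformat()} to=<{rcpt}> from=<{sender}> subject="{subject}"'
    t0 = datetime(2025, 1, 14, 9, 0, 0)
    lines = []
    for i in range(40):   # background traffic, one message each every 12 minutes
        ts = t0 + timedelta(minutes=12 * i)
        lines.append(fmt(ts, "bob@example.com", f"news{i}@vendor.example", "Weekly update"))
        lines.append(fmt(ts, "alice@example.com", "team@example.com", f"Standup notes {i}"))
    bomb_start = t0 + timedelta(hours=2)
    for i in range(3200):   # the bomb: 50 minutes of sign-up confirmations from many sites
        ts = bomb_start + timedelta(seconds=(3000 * i) // 3200)
        lines.append(fmt(ts, "alice@example.com", f"noreply@site{i % 400}.example",
                         "Confirm your subscription"))
    lines.append(fmt(bomb_start + timedelta(minutes=20), "alice@example.com",
                     "no-reply@accounts.example", "Security alert: your password was changed"))
    random.Random(seed).shuffle(lines)   # SIEM feeds are rarely in order
    return lines


if __name__ == "__main__":
    for rcpt, f in detect_mailbombs(build_sample_log()).items():
        print(f"{rcpt}: {f['peak']} msgs between {f['start']:%H:%M} and {f['end']:%H:%M}; "
              f"top senders {f['top_senders']}")
        for a in f["buried_alerts"]:
            print(f"  buried alert {a.ts:%H:%M} from {a.sender}: {a.subject!r}")
```

The top-sender list is there because a real bomb usually comes from hundreds of legitimate newsletter domains rather than one attacker address, which is exactly why per-sender blocking does not stop it; the useful response is to rate-limit by recipient and to route the buried alerts to the user (or the helpdesk) through a second channel.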
Dropping dwell times
One alarming finding is that dwell times – the time threat actors spend on a network between initial access and exfiltrating and encrypting data – are dropping.
Sophos’ Counter Threat Unit has seen dwell times as low as 28 hours from initial intrusion to the attackers leaving the network, and Gallagher expects this figure to continue to drop in the year to come.
“We have seen the time from first compromise to attack shrink over time as ransomware gangs move to exploit their footholds before defenders can act,” Gallagher said.
“This is also connected to the prevalence of remote ransomware – execution of the ransomware from one compromised system or from a Remote Desktop connection across the organisation's network through file sharing connections. This requires less lateral movement and preparation.”
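Remote ransomware of the kind Gallagher describes never executes on the file servers it encrypts, so endpoint protection there sees only ordinary SMB traffic from one client. What it can see is the pattern: a single client renaming large numbers of files to a new extension across several shares and servers in minutes. The following is an added example (not Sophos’ tooling, data or code) that applies that heuristic to a constructed file-server audit log; the log format, the thresholds (50 extension-changing renames across at least three shares within five minutes) and the host names are assumptions.

```python
"""Spot remote ransomware: one client encrypting files over SMB on several servers.
Added example over a constructed audit log; format and thresholds are assumptions."""
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Optional

# Assumed audit line: ts client=<ip> server=<host> share=<name> op=<WRITE|RENAME> path="old" [new="new"]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) server=(?P<server>\S+) share=(?P<share>\S+) '
    r'op=(?P<op>\w+) path="(?P<path>[^"]*)"(?: new="(?P<new>[^"]*)")?$'
)


@dataclass
class Event:
    ts: datetime
    client: str
    server: str
    share: str
    op: str
    path: str
    new: Optional[str]


def parse_line(line):
    """Return an Event for a well-formed audit line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["client"], m["server"], m["share"],
                 m["op"], m["path"], m["new"])


def ext_change(ev):
    """New suffix when a RENAME changes the file extension (e.g. '.locked'), else None."""
    if ev.op != "RENAME" or not ev.new:
        return None
    old, new = PureWindowsPath(ev.path).suffix, PureWindowsPath(ev.new).suffix
    return new if new and new != old else None


def detect_remote_encryptors(lines, window=timedelta(minutes=5), min_renames=50, min_shares=3):
    """Flag a client that performs >= min_renames extension-changing renames across
    >= min_shares distinct shares inside one sliding window.
    Returns {client: {"renames", "shares", "servers", "ext", "first", "last"}}."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e.ts)
    recent = defaultdict(deque)   # client -> (ts, server, share, new_ext) inside the window
    hits = {}
    for ev in events:
        ext = ext_change(ev)
        if ext is None:
            continue   # plain writes and same-extension renames are normal user activity
        q = recent[ev.client]
        q.append((ev.ts, ev.server, ev.share, ext))
        while ev.ts - q[0][0] > window:
            q.popleft()
        shares = {(s, sh) for _, s, sh, _ in q}
        if len(q) >= min_renames and len(shares) >= min_shares:
            h = hits.setdefault(ev.client, {"first": q[0][0], "renames": 0})
            h["last"] = ev.ts
            h["renames"] = max(h["renames"], len(q))
            h["servers"] = sorted({s for s, _ in shares})
            h["shares"] = sorted(f"\\\\{s}\\{sh}" for s, sh in shares)
            h["ext"] = Counter(e for *_, e in q).most_common(1)[0][0]
    return hits


def build_sample_log():
    """Constructed audit log: a user saving versioned files on one share, and a
    compromised workstation encrypting four shares on two servers in three minutes."""
    t0 = datetime(2025, 2, 3, 14, 0, 0)

    def line(ts, client, server, share, op, path, new=None):
        tail = f' new="{new}"' if new else ""
        return f'{ts.isoformat()} client={client} server={server} share={share} op={op} path="{path}"{tail}'

    lines = []
    for i in range(5):   # normal: rename keeps the .xlsx extension, so it is never counted
        ts = t0 + timedelta(minutes=4 * i)
        lines.append(line(ts, "10.0.0.20", "fs01", "finance", "WRITE", f"budget\\draft{i}.xlsx"))
        lines.append(line(ts, "10.0.0.20", "fs01", "finance", "RENAME",
                          f"budget\\draft{i}.xlsx", f"budget\\budget_v{i}.xlsx"))
    targets = [("fs01", "finance"), ("fs01", "hr"), ("fs02", "eng"), ("fs02", "shared")]
    start = t0 + timedelta(minutes=7)
    for i in range(300):   # remote encryption from one foothold, round-robin over the shares
        ts = start + timedelta(seconds=(180 * i) // 300)
        server, share = targets[i % 4]
        lines.append(line(ts, "10.0.0.55", server, share, "WRITE", f"docs\\file{i}.docx"))
        lines.append(line(ts, "10.0.0.55", server, share, "RENAME",
                          f"docs\\file{i}.docx", f"docs\\file{i}.docx.locked"))
    return lines


if __name__ == "__main__":
    for client, h in detect_remote_encryptors(build_sample_log()).items():
        print(f"{client}: {h['renames']} renames to {h['ext']} on {h['shares']} "
              f"between {h['first']:%H:%M:%S} and {h['last']:%H:%M:%S}")
```

The client address is the pivot: because the encryption is driven from one foothold, blocking that client at the file servers (or isolating the host) stops the damage on every share at once, which is faster than chasing the process on each server, where nothing malicious is actually running.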
In addition, despite an increase in successful law enforcement operations, ransomware activity continues to grow. Leak site activity increased by 62 per cent year-on-year during December 2024, which was easily the busiest month of the year for ransomware operators.
The Akira group was the most active in the last six months of 2024, followed by Fog – both of which have recently claimed Australian victims. In that time Akira claimed 127 victims from around the world.
The path of least resistance
One thing that Sophos, and indeed Cyber Daily, has observed is that cyber criminals, and ransomware operators in particular, are largely opportunistic. They don’t set out to target a specific company, but rather reach for what some analysts call the ‘low-hanging fruit’ of companies with less than stellar levels of cyber security readiness.
“A large percentage of incidents we see involve unpatched, misconfigured, or inadequately secured network edge devices such as VPN gateways, Remote Desktop servers and other remote access appliances,” Gallagher said.
“These devices can be scanned for across the Internet and exploited quickly by cyber-criminals, either through known vulnerabilities, leaked credentials from other sources (such as infostealing malware or phishing), or brute force login attacks. We have seen criminals target specific types of VPNs, for example, and then exploit other vulnerabilities they find on the network to elevate their level of access, steal data, and execute ransomware.”
Keeping edge devices patched and properly configured, and staying aware of the latest attack trends, will not provide 100 per cent protection. But in the same way that bars on a window send a burglar looking for an easier score, it makes it more likely that an opportunistic ransomware operator picks a less defended target and leaves your business alone.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.