We continue to see a decline in the number of new ransomware samples. Unfortunately, the situation remains dire. Ransomware gangs are still breaching companies around the globe with little difficulty, and once inside they continue to put popular legitimate tools to malicious use: PowerShell is used to run data-collecting scripts, Mimikatz to harvest credentials and escalate privileges, and PsExec to execute commands on remote hosts. They also continue to rely on dual-use frameworks such as Cobalt Strike across every attack stage where it has proven effective.
In recent months, we saw many examples of ransomware attackers abusing vulnerable drivers that ship with legitimate applications. This tactic, often called bring your own vulnerable driver (BYOVD), is nothing new, but it is hugely advantageous for criminals: the driver carries a valid signature, so it loads without complaint, and exploiting it hands the attacker kernel-level privileges. From there they can disable security software and execute whatever they like, giving them essentially free rein over the compromised system.
Many drivers have such vulnerabilities, including those shipped by security vendors. For example, AvosLocker and Cuba ransomware used vulnerabilities in the Avast anti-rootkit kernel driver as part of their infection chain. Popular games are also targeted: specialists at Trend Micro have reported a ransomware actor abusing the Genshin Impact anti-cheat driver to kill endpoint protection on the target machine.
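Because a BYOVD driver is legitimately signed, a signature check alone will not catch it; what stands out is the hash of the specific vulnerable driver and the context in which it was loaded. The following triage routine over Sysmon Event ID 6 ("Driver loaded") records is an added example written for this page, not code from the report or from any vendor named in it. The driver hashes, vendor name and event records are constructed placeholders; a real deployment would load published hashes from a source such as the LOLDrivers project (loldrivers.io) or Microsoft's vulnerable driver blocklist.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for BYOVD indicators.

Added example. Flags a driver load when the file's SHA256 is on a list of
known-vulnerable drivers, when the signature did not validate, or when the
driver was loaded from a directory that a normal installer would not use.
"""
import re
from dataclasses import dataclass

# Constructed placeholder hashes: NOT real driver hashes. In production,
# populate this from loldrivers.io or Microsoft's vulnerable driver blocklist.
KNOWN_VULNERABLE_SHA256 = {
    "a" * 64: "hypothetical-antirootkit.sys",
    "b" * 64: "hypothetical-anticheat.sys",
}

# Directories from which a properly installed kernel driver is rarely loaded.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\(temp|tmp|downloads|users\\[^\\]+\\(appdata|desktop|documents))\\",
    re.IGNORECASE,
)


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    sha256: str
    signed: bool
    signature: str
    signature_status: str


def parse_event(text: str) -> DriverLoad:
    """Parse the 'Key: Value' lines of a Sysmon ID 6 event into a DriverLoad."""
    fields = {}
    for line in text.strip().splitlines():
        # Split on the first colon only: timestamps and Windows paths contain colons.
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    # Sysmon stores hashes as "SHA1=...,SHA256=..."; pick out the SHA256.
    hashes = dict(
        part.split("=", 1)
        for part in fields.get("Hashes", "").split(",")
        if "=" in part
    )
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def triage(load: DriverLoad) -> list[str]:
    """Return the reasons a driver load is suspicious (empty list if none)."""
    reasons = []
    if load.sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append(f"known vulnerable driver ({KNOWN_VULNERABLE_SHA256[load.sha256]})")
    if not load.signed or load.signature_status.lower() != "valid":
        reasons.append(f"signature not valid (status={load.signature_status or 'unknown'})")
    if SUSPICIOUS_PATH_RE.search(load.image):
        reasons.append("loaded from a user-writable or temporary directory")
    return reasons


# Constructed sample events (not real telemetry). The second driver is validly
# signed, exactly as a BYOVD payload would be; only its hash and path give it away.
SAMPLE_EVENTS = [
    r"""UtcTime: 2023-05-02 09:14:03.117
ImageLoaded: C:\Windows\System32\drivers\legit.sys
Hashes: SHA1=1111111111111111111111111111111111111111,SHA256=""" + "c" * 64 + r"""
Signed: true
Signature: Hypothetical Security Vendor
SignatureStatus: Valid""",
    r"""UtcTime: 2023-05-02 09:41:57.804
ImageLoaded: C:\Users\alice\AppData\Local\Temp\anticheat.sys
Hashes: SHA256=""" + "b" * 64 + r"""
Signed: true
Signature: Hypothetical Games Ltd
SignatureStatus: Valid""",
]


def triage_all(events: list[str]) -> dict[str, list[str]]:
    """Map each driver image path to its list of triage reasons."""
    return {(d := parse_event(e)).image: triage(d) for e in events}


if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS).items():
        print(image, "->", reasons or "clean")
```

The first sample, a validly signed driver in the system drivers directory with an unknown hash, produces no findings; the second is just as validly signed but is flagged twice, for the known-vulnerable hash and for the temporary-directory load path. That is the practical point: hash and context, not signature status, are what distinguish a BYOVD load from a normal one.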