A report from the Secureworks Counter Threat Unit (CTU) covering the first half of 2023 found that nearly half of the initial access events leading to ransomware attacks traced back to compromised credentials. The study identified that 45% of ransomware-related initial access stemmed from stolen login details, with credentials for virtual private networks (VPNs) being the most common target.
The pattern matters because a valid login sidesteps the controls that catch exploitation and phishing: an attacker authenticating with a stolen VPN password looks, to the perimeter, like a remote employee. The findings underscore the importance of hardening remote access points against credential-based attacks.
Stolen Credentials: The Leading Entry Point
According to the Secureworks report, of the 45% of intrusions initiated with compromised credentials, two-thirds involved VPN credentials; the remaining third used remote desktop protocol (RDP) or other remote access services. Threat groups such as Gold Drake, associated with the Akira ransomware, were observed using compromised VPN credentials in their campaigns. Other groups, including Gold Mystic (linked to LockBit) and Gold Lowell (linked to Trigona ransomware), also used compromised credentials to launch attacks. The report notes that these credentials are typically harvested by infostealer malware or purchased on underground forums, so the account owner is often unaware the password has been exposed.
Other Initial Access Vectors
While stolen credentials were the dominant method, the report detailed the other significant initial access vectors used by ransomware operators. Exploitation of software vulnerabilities accounted for 32% of initial access events, and a further 23% of intrusions began with malware or phishing campaigns. To counter credential compromise, Secureworks advised organizations to implement multi-factor authentication (MFA) on all internet-facing systems, with a particular focus on VPNs and other remote access services, since a stolen password alone should not be enough to authenticate.