Ransomware attacks spike in 2023 due to exploitation of vulnerabilities (CVE) and stolen login credentials
Mandiant, a leading cybersecurity firm, has released a report detailing the surge in ransomware activity last year. The report, titled M-Trends 2025, highlights two key developments in the ransomware landscape.
Use of Legitimate Remote Access Tools by Ransomware Operators
Ransomware groups are increasingly leveraging legitimate remote access software to conduct their attacks. By using tools that appear normal and trusted in enterprise environments, these threat actors can stealthily move within networks and manage compromised systems. This technique complicates detection since such tools are typically whitelisted or trusted by security policies, enabling attackers to bypass traditional security controls and escalate privileges more effectively.
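One practical answer to the "trusted tool" problem described above is to stop treating a remote access product as trusted simply because it is a legitimate product, and instead compare each execution against the organisation's own sanctioned baseline. The following script is an added example, not code from Mandiant or from the report: it parses a few constructed process-execution events, checks whether the launched binary is a known remote-access or RMM tool, and raises a finding when the tool is not the one IT actually deploys, or when the sanctioned tool runs from an unexpected location (a portable copy dropped into a user-writable folder rather than the managed install path). The watchlist, the sanctioned tool, the install paths, and the log format are all assumptions for the demonstration.

```python
"""Flag remote-access tool executions that fall outside a sanctioned baseline.

Added example: the watchlist, baseline and sample events below are constructed
assumptions, not data from the M-Trends report.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed watchlist of remote-access / RMM executables. A defender would
# build and maintain this from threat intelligence and their software inventory.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "atera.agent.exe",
    "splashtop-streamer.exe",
    "rustdesk.exe",
}

# Constructed baseline: the single tool IT deploys, and the managed install roots.
SANCTIONED_TOOLS = {"teamviewer.exe"}
SANCTIONED_PATH_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample telemetry in a key=value style (not real logs).
SAMPLE_EVENTS = [
    'ts=2023-06-01T09:12:03Z host=FIN-WS-07 user=jdoe '
    'image="C:\\Program Files\\TeamViewer\\TeamViewer.exe" parent=explorer.exe',
    'ts=2023-06-01T09:14:45Z host=FIN-WS-07 user=jdoe '
    'image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe" parent=powershell.exe',
    'ts=2023-06-01T09:20:10Z host=HR-WS-02 user=svc_backup '
    'image="C:\\Users\\Public\\TeamViewer.exe" parent=cmd.exe',
    'ts=2023-06-01T09:21:00Z host=HR-WS-02 user=asmith '
    'image="C:\\Windows\\System32\\notepad.exe" parent=explorer.exe',
]

EVENT_RE = re.compile(
    r'ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]+)" parent=(?P<parent>\S+)'
)


@dataclass
class Finding:
    host: str
    user: str
    image: str
    parent: str
    reason: str


def analyse(lines: List[str]) -> List[Finding]:
    """Return one Finding per remote-access tool launch that deviates from baseline."""
    findings: List[Finding] = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        image = m["image"]
        lower = image.lower()
        exe = lower.rsplit("\\", 1)[-1]  # file name only, case-folded
        if exe not in REMOTE_ACCESS_TOOLS:
            continue  # not a remote-access product; out of scope here
        if exe not in SANCTIONED_TOOLS:
            # A legitimate product, but not one this organisation deploys.
            reason = "unsanctioned remote access tool"
        elif not lower.startswith(SANCTIONED_PATH_PREFIXES):
            # The sanctioned product, but running from outside the managed install root.
            reason = "sanctioned tool launched from non-standard path"
        else:
            continue  # sanctioned tool in its expected location: no finding
        findings.append(Finding(m["host"], m["user"], image, m["parent"], reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.reason}: {f.image} (parent {f.parent})")
```

The design point is that the allow-list is expressed as tool plus install path, not tool name alone: an attacker running the same product IT uses, but from a temporary directory launched by a script interpreter, still produces a finding, while the helpdesk's managed deployment stays quiet. The parent process is carried into the finding because a remote access client started by `powershell.exe` or `cmd.exe` rather than by the user's shell is useful triage context.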
Emergence and Proliferation of Data Leak Sites
In addition to encrypting victim data, ransomware operators now often steal sensitive information and publish it on dedicated data leak sites as a form of double extortion. These sites function as public or semi-public platforms where stolen data is exposed to pressure victims into paying ransoms. This trend aligns with the broader shift of ransomware attacks becoming not only about encryption but also about extorting victims through data exposure and reputation damage.
The report notes that nearly 3 in 5 ransomware attacks observed by Mandiant in 2023 involved confirmed or suspected data theft. Threat actors relied more often on exploiting known vulnerabilities in 2023. In almost 40% of incidents where the initial access vector was identified, threat actors used compromised legitimate credentials to gain access to victim environments, obtained either through credential theft or brute-force attacks.
The observed increasing reliance on legitimate tools by attackers likely reflects efforts to conceal their operations from detection mechanisms and reduce the time and resources required to develop and maintain custom tools. Mandiant found that the alleged victim organizations named on data leak sites spanned more than 110 countries last year.
Other Key Findings
- Mandiant led 20% more investigations involving ransomware than the previous year.
- The number of posts on data leak sites surged to more than 1,300 in the third quarter, setting a quarterly record.
- There were 4,520 posts on data leak sites last year, a 75% increase from 2022.
- Exploited vulnerabilities accounted for almost 30% of ransomware attacks last year, up from 24% in 2022, continuing an upward trend in their use from 2022 to 2023.
- Mandiant tracked more than 1,200 data leak site posts in the second quarter.
- The ransomware threat landscape is also becoming more integrated with state-sponsored actors, sharing tactics and infrastructure, which heightens the sophistication and scale of operations.
- Detection times remain critical: Mandiant's report notes that without proactive threat detection, attackers can achieve their objectives in under a week, underscoring the importance of threat intelligence and early detection mechanisms in mitigating ransomware damage.
These trends reflect a maturing ransomware ecosystem that leverages trusted tools and public pressure tactics to maximize impact and profitability, making defense increasingly challenging for organizations. The report's findings highlight the industry's collective inability to reduce ransomware attacks and the significant damage they inflict on businesses and people.
- Mandiant's M-Trends 2025 report reveals that ransomware groups are utilizing legitimate remote access tools to carry out their attacks, making it difficult to detect intrusions as these tools are often trusted by security policies.
- The report also reveals an increased use of data leak sites by ransomware operators, where stolen data is exposed to pressure victims into paying ransoms and to inflict reputational damage.
- In 2023, nearly 3 in 5 ransomware attacks investigated by Mandiant involved confirmed or suspected data theft, with threat actors increasingly relying on known vulnerabilities for exploitation and using compromised legitimate credentials to gain access to victim environments.