SUNDAY, April 28, 2024
nationthailand

Construction the worst hit by ransomware in Thailand

Palo Alto Networks’ Unit 42 recently released the Ransomware Retrospective blog and Incident Response Report 2024. They studied 3,998 leak site posts from various ransomware groups. Leak sites are platforms where threat groups publicly disclose stolen data as a means of coercing victims into paying ransom. 

Key findings from this investigation: Unit 42 saw a 49% year-over-year increase in multi-extortion ransomware attacks globally from 2022 to 2023. In ASEAN, manufacturing was the most targeted industry for ransomware extortion in 2023, while construction was the most impacted in Thailand. Of the 3,998 leak site posts from 2023 globally, LockBit 3.0 remained the most active ransomware group, with 928 organisations accounting for 23% of the total. LockBit 3.0 was also the most active group in Thailand, with 19 victims in 2023.

Tatchapol Poshyanonda, Country Director for Indochina, Palo Alto Networks, said, “Construction, and the other proximity industries such as transport/logistics and manufacturing, are closely related to the development of the Thai economy. These industries are booming, and we can see many mega projects throughout the country such as the high-speed rail construction project.”

He added, “Attackers do not discriminate. They follow the money and path of least resistance. These industries in Thailand don’t typically have robust levels of security and have a larger attack surface due to connected devices. This makes them prime targets for hackers – where there is money and activity, you will see higher levels of attacks.”

The growth in leak site posts can be attributed to zero-day exploits targeting vulnerabilities in MOVEit Transfer (SQL injection) and GoAnywhere MFT, among others.

As further evidence, when reviewing the number of compromises reported by ransomware leak sites, sporadic spikes were observed (see figure below). These loosely aligned with periods where ransomware groups began exploiting specific vulnerabilities.

Unit 42 2024 Incident Response Report: Speed of Exfiltration + Vulnerabilities Driving Activity

Unit 42 analysed more than 600 incidents from 250 organisations for the 2024 Unit 42 Incident Response Report. This investigation went beyond ransomware leak site posts into the overall casework volume. While phishing has historically been a popular tactic with attackers, the report found that it is declining, to a certain extent. 

From a one-third share of initial access incidents in 2022, phishing has dropped to just 17% in 2023. This indicates a potential de-prioritisation of phishing as cybercriminals adapt to more technologically advanced – and perhaps more efficient – infiltration methods. More advanced threat actors are moving away from traditional and interactive phishing campaigns to less noticeable and possibly automated methods of exploiting system weaknesses and pre-existing credential leaks. 

Other key findings from the report include:

●    More-Sophisticated Threat Actors Are Gaining Initial Access Differently: There has been a discernible rise in the exploitation of software and API vulnerabilities. Exploiting such vulnerabilities accounted for 38.60% of the initial access points in 2023, up from 28.20% in 2022. 

●    Threat Actors Grab Data Indiscriminately: In 93% of incidents, threat actors took data indiscriminately rather than searching for specific data. This is up from 2022 when 81% of cases involved non-targeted data theft. In 2021, it was even lower at 67%. The surge points to a growing trend among cybercriminals who seem to be casting a wider net, gathering any data they can access rather than expending effort to locate and extract particular datasets.

●    Extortion tactics to maximize yields: Interestingly, while the rate of harassment and other extortion tactics related to ransomware has remained steady over the past few years, the rate of harassment in cases where payments were made has jumped by 27x since 2021. 

●    Higher demands, lower payouts: In 2023, median ransom demands increased from US$650,000 to US$695,000 (up 3%) but median payouts decreased from US$350,000 to US$237,500 (down 32%). This can potentially be attributed to organizations calling in Incident Response teams with negotiation capabilities, which fewer did in the past.

Steven Scheurmann, Regional Vice President for Asean, Palo Alto Networks, said, “One single point of vulnerability is all a hacker needs to deliver a successful attack with damaging consequences. And this is why enterprises need to get it right with cybersecurity.  They need to prioritize securing their high-tech equipment and networks, as well as their digital connections with any supply chains.”
