Sophos 2023 Active Adversary Report for Business Leaders: Decrypting the evolving threat landscape

In the non-stop game of cat and mouse played by cybercriminals and defenders, attackers keep adapting their tactics. Instead of merely attempting to breach defenses, they often gain access through legitimate means – by logging in. This shifting reality underscores the challenges faced by security teams as the threat landscape has expanded in both size and complexity.

Highlights of the recently released 2023 Sophos Active Adversary Report for Business Leaders serve as a reminder that business leaders need to stay vigilant and proactive in their cybersecurity efforts. The data in the report comes from more than 150 Sophos incident response cases. Across those cases, researchers observed 524 unique tools and techniques used by attackers: 204 offensive or hacking tools, 118 “Living off the Land” binaries (LOLBins), and 202 other unique artifacts, including various tactics recognized in MITRE’s ATT&CK taxonomy.

Here are some of the key takeaways of the research.

Ransomware remains a pervasive threat

Ransomware continues to loom large. The report finds this particular type of malware, which encrypts files and demands a ransom for their release, remains a persistent and potent threat. A majority of the incidents examined by the Sophos incident response team, 68%, were linked to ransomware, followed by non-ransomware network breaches (18%). These figures underscore how pervasive ransomware is and how heavily it weighs on businesses. Ransomware has consistently played a predominant role in Sophos’ incident response investigations, making up nearly three-quarters of its cases over the past three years.

This year, of the 104 ransomware cases investigated, LockBit took the top spot with 15.24% of the cases handled, followed closely by BlackCat (13%), Hive (12%), and Phobos (11%). The research also reveals there were 31 active ransomware gangs in 2022 versus 28 in 2021.

Data exfiltration in ransomware attacks is common

There is now a high likelihood of data exfiltration if your organization is the victim of a ransomware attack. The data reveals 65 confirmed data exfiltration events in 2022, nearly half (42.76%) of the investigated cases. When it comes to ransomware attacks specifically, over half (55%) involved confirmed exfiltration, and another 12% of cases showed signs of possible exfiltration or data staging. Of the cases in which data was exfiltrated, half (49%) resulted in confirmed data leaks.

While just over 47% of all attacks showed no conclusive evidence of data exfiltration, Sophos researchers note that in many cases it was not that the logs showed no evidence, but rather that the logs were incomplete or missing. Much more data may have been stolen in these instances, and there is no concrete way to know definitively.
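The practical lesson of that finding is that "no evidence of exfiltration" only means something if the logs that would have recorded it actually exist for the whole window. The following is an added example, not code from the Sophos report, that audits log continuity per host before an analyst draws that conclusion: it parses a constructed, hypothetical proxy log, brackets each host's timeline with the investigation window, and reports every silent stretch longer than a threshold, including hosts that were expected to log but never appear. Host names, timestamps and the 90-minute threshold are all assumptions made for the example.

```python
"""Added example (not from the Sophos report): audit log coverage before
treating the absence of exfiltration evidence as evidence of absence."""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log (hypothetical hosts and addresses, not real data).
# fs01 goes silent for almost eight hours, dc01's feed dies after 00:30,
# and db01, which should be logging, never appears at all.
SAMPLE_LOG = """\
2022-11-03T22:00:01Z fs01 proxy CONNECT 203.0.113.10:443 bytes_out=1200
2022-11-03T22:05:09Z fs01 proxy CONNECT 203.0.113.10:443 bytes_out=900
2022-11-03T22:04:44Z web02 proxy GET 198.51.100.7:80 bytes_out=300
2022-11-04T05:58:30Z fs01 proxy CONNECT 203.0.113.10:443 bytes_out=1100
2022-11-03T23:10:00Z web02 proxy GET 198.51.100.7:80 bytes_out=310
2022-11-03T22:30:00Z dc01 proxy GET 198.51.100.7:80 bytes_out=250
2022-11-04T00:15:00Z web02 proxy GET 198.51.100.7:80 bytes_out=290
2022-11-03T23:30:00Z dc01 proxy GET 198.51.100.7:80 bytes_out=250
2022-11-04T01:20:00Z web02 proxy GET 198.51.100.7:80 bytes_out=305
2022-11-04T00:30:00Z dc01 proxy GET 198.51.100.7:80 bytes_out=250
2022-11-04T02:25:00Z web02 proxy GET 198.51.100.7:80 bytes_out=300
2022-11-04T03:30:00Z web02 proxy GET 198.51.100.7:80 bytes_out=300
2022-11-04T04:35:00Z web02 proxy GET 198.51.100.7:80 bytes_out=300
2022-11-04T05:40:00Z web02 proxy GET 198.51.100.7:80 bytes_out=300
"""

# Assumed investigation window and the hosts the asset inventory says should log.
WINDOW_START = datetime(2022, 11, 3, 22, 0, 0)
WINDOW_END = datetime(2022, 11, 4, 6, 0, 0)
EXPECTED_HOSTS = {"fs01", "web02", "dc01", "db01"}
MAX_GAP_MINUTES = 90  # assumed threshold; tune to the source's normal cadence


def parse_events(text):
    """Return {host: sorted list of event timestamps}. Lines from several
    forwarders arrive out of order, so sort per host after parsing."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FMT)
        except ValueError:
            continue  # malformed line: noise, not evidence of anything
        events[parts[1]].append(ts)
    return {host: sorted(stamps) for host, stamps in events.items()}


def find_gaps(events, expected_hosts, window_start, window_end, max_gap_min):
    """List every stretch longer than max_gap_min inside the window during
    which a host produced no log line, including hosts that never logged."""
    gaps = []
    for host in sorted(expected_hosts):
        # Bracket the timeline with the window edges so a feed that started
        # late, died early, or never existed is reported as a gap too.
        points = [window_start] + events.get(host, []) + [window_end]
        for earlier, later in zip(points, points[1:]):
            minutes = (later - earlier).total_seconds() / 60
            if minutes > max_gap_min:
                gaps.append({"host": host, "start": earlier, "end": later,
                             "minutes": round(minutes, 2)})
    return gaps


def exfil_verdict(gaps):
    """'No evidence of exfiltration' is only meaningful with full coverage."""
    if not gaps:
        return "coverage complete: absence of exfiltration evidence is meaningful"
    hosts = ", ".join(sorted({g["host"] for g in gaps}))
    return ("inconclusive: log gaps on " + hosts
            + " fall inside the window; exfiltration cannot be ruled out")


def audit_sample():
    """Run the audit over the constructed sample with the assumed settings."""
    return find_gaps(parse_events(SAMPLE_LOG), EXPECTED_HOSTS,
                     WINDOW_START, WINDOW_END, MAX_GAP_MINUTES)


if __name__ == "__main__":
    found = audit_sample()
    for g in found:
        print(f"{g['host']}: no logs {g['start']} -> {g['end']} ({g['minutes']} min)")
    print(exfil_verdict(found))
```

Run against the sample, the audit flags db01 (never logged, the whole 480-minute window), dc01 (feed stops at 00:30, 330 minutes silent) and fs01 (silent for 473.35 minutes overnight), while web02 is clean; the verdict is therefore "inconclusive", which is the honest answer the report describes. The same check is worth running as a readiness exercise before any incident: if it reports gaps on a quiet day, the environment could not answer the exfiltration question on a bad one either.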

Attacker dwell time is shrinking

In 2022, the dwell time for attackers was down across all types of attacks, falling from 15 to 10 days. The dwell time in ransomware attacks shrank from 11 to 9 days. Even more remarkable was the decline in dwell time for non-ransomware attacks, plummeting from 34 days in 2021 to a mere 11 days in 2022.

Researchers found no significant difference in dwell time among organizations of different sizes or sectors. Nor, when the timing of attacks was examined, did attackers show any significant preference for a particular day of the week. This suggests that most organizations are victims of opportunistic attacks, which can start or end on any day, and it highlights the need for a team of trained analysts monitoring an organization’s environment around the clock.

The shrinking dwell time is also concerning because it means attackers are moving with greater urgency once they are inside, intensifying the ongoing race between attackers and defenders. However, the decrease may also signal improved detection of active attacks, a step forward for defenders.

The report finds that many of the attacks that did occur within this reduced dwell time window were less severe in their impact. This can be attributed, at least in part, to the use of various cybersecurity tools and services, which underscores the importance of a proactive, multi-layered defense strategy.

Patch, patch, patch

One recurring theme in the data is the ongoing problem of vulnerabilities that remain unpatched, leaving easy-to-exploit holes open to attackers. For the second year running, exploited vulnerabilities (37%) were the leading root cause of attacks. This is lower than last year’s figure (47%) but consistent with the three-year tally (35%) from the research.

Many of the attacks analyzed by Sophos researchers could have been prevented if only the available patches had been applied. In 55% of all investigations in which an exploited vulnerability was the root cause, either ProxyShell or Log4Shell was to blame. Yet patches for both vulnerabilities had been released months before the attacks.

Failing to address these vulnerabilities quickly can leave your organization susceptible to attacks. Regular patch management should be a cornerstone of your cybersecurity strategy to plug potential entry points for cybercriminals.

Be prepared for anything

Unfortunately, no organization is immune from compromise. That’s why it’s crucial to avoid complacency. Once attackers breach your network’s defenses, the likelihood of an attack and data exfiltration is high. To get help with evaluating your cybersecurity posture and to learn how Sophos can help you elevate your defenses, visit
