Cyber gangs erase their tracks by wiping logs

By: Austin Ukpebor - November 15, 2023 at 11:14:29am

Cybercriminals are becoming more adept at hiding their activities and avoiding attribution by disabling or wiping telemetry logs. Telemetry logs are events and data records that can help security analysts investigate and respond to cyber-attacks. However, many cyber gangs use techniques to erase or tamper with these logs, making it harder for organizations to detect and recover from ransomware attacks.


The report, published by IBM Security X-Force, analyzed ransomware incidents that involved 1,000 or more endpoints in the first half of 2021. It found that 49% of these attacks disabled or wiped logs, compared with 34% in 2020. This indicates that cyber gangs are becoming more sophisticated and fast-acting and are aware of the importance of logs for security operations.


Some cyber gangs that have used this tactic include REvil, DarkSide, Conti, and Ryuk. These groups are known for launching targeted and high-impact ransomware attacks against various sectors, such as healthcare, education, energy, and transportation. By disabling or wiping logs, they aim to delay or prevent the discovery of their attacks and to hinder forensic analysis and attribution of their operations.
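The two behaviours the article describes, wiping logs and disabling them, leave different traces: a wipe is itself logged (Windows writes Security event 1102 when the audit log is cleared and System event 104 when another channel is cleared), while disabled telemetry shows up as a host that simply stops reporting. The script below is an added example, not code from the article or the IBM report; the event IDs are well-known Windows values, and the log format, hostnames, users and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows events that record a log being cleared (well-known IDs, not from the article):
#   Security 1102  "The audit log was cleared"
#   System    104  "The <channel> log file was cleared"
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


@dataclass
class Event:
    ts: datetime
    host: str
    channel: str
    event_id: int
    user: str


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format:
    <iso-timestamp> host=<name> channel=<name> id=<number> user=<name>"""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(
        ts=datetime.fromisoformat(ts_str),
        host=fields["host"],
        channel=fields["channel"],
        event_id=int(fields["id"]),
        user=fields["user"],
    )


def find_log_clears(events: list[Event]) -> list[tuple[str, str, int, str]]:
    """Return (host, channel, event_id, user) for every log-clearing event."""
    return [
        (e.host, e.channel, e.event_id, e.user)
        for e in events
        if (e.channel, e.event_id) in LOG_CLEAR_EVENTS
    ]


def find_silent_hosts(events: list[Event], now: datetime,
                      max_gap: timedelta = timedelta(minutes=30)) -> list[str]:
    """Hosts whose most recent event is older than max_gap: a candidate for
    disabled or blocked telemetry rather than a simple wipe."""
    last_seen: dict[str, datetime] = {}
    for e in events:
        last_seen[e.host] = max(last_seen.get(e.host, e.ts), e.ts)
    return sorted(h for h, t in last_seen.items() if now - t > max_gap)


def analyze(log_text: str, now: datetime) -> dict:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "log_clears": find_log_clears(events),
        "silent_hosts": find_silent_hosts(events, now),
    }


# Constructed sample telemetry: ws01 clears both logs and then goes quiet,
# srv02 keeps reporting normally.
SAMPLE_LOG = """\
2023-11-15T10:00:05 host=ws01 channel=Security id=4624 user=alice
2023-11-15T10:00:07 host=srv02 channel=Security id=4624 user=svc_backup
2023-11-15T10:12:40 host=ws01 channel=Security id=1102 user=alice
2023-11-15T10:12:41 host=ws01 channel=System id=104 user=alice
2023-11-15T10:13:00 host=srv02 channel=Security id=4672 user=svc_backup
2023-11-15T11:05:00 host=srv02 channel=Security id=4624 user=svc_backup
"""
NOW = datetime.fromisoformat("2023-11-15T11:10:00")

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, NOW)
    for host, channel, eid, user in result["log_clears"]:
        print(f"LOG CLEARED  host={host} channel={channel} id={eid} by={user}")
    for host in result["silent_hosts"]:
        print(f"SILENT HOST  {host}: no events for more than 30 minutes")
```

Both checks only work if the events are forwarded off the endpoint as they are written; a 1102 that sits only in the local log the attacker just cleared is of no use, so the alert should fire in the central collector, and the "silent host" rule is what catches the case where forwarding itself was stopped.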


The report also cites experts from Sophos, who warn that organizations need to improve their backup and recovery strategies, as well as their threat intelligence and visibility. They recommend that organizations use multiple layers of protection, such as endpoint detection and response (EDR), network security, and cloud security, to prevent and mitigate ransomware attacks. They also advise that organizations regularly test their backups and ensure they are offline and encrypted.


The report highlights the challenges and risks that organizations face from the evolving tactics of cyber gangs. It also underscores the need for organizations to adopt a proactive and comprehensive approach to cybersecurity and to leverage the latest tools and technologies to protect their data and systems.