Ransomware continued to be the most significant cybersecurity threat facing critical infrastructure, healthcare, defense, and other industries, according to a report issued jointly on February 9 by law enforcement and cybersecurity agencies from the United States, United Kingdom, and Australia.
The report, entitled 2021 Trends Show Increased Globalized Threat of Ransomware, noted that ransomware tactics and techniques continued to evolve in 2021, demonstrating that threat actors using this malware variant continue to improve their technological sophistication resulting in an increased ransomware threat to organizations globally.
The report found a great deal of cross-over between which entities ransomware attackers targeted in each nation. Still, each nation’s agencies reported threat actors were somewhat discerning when attacking their respective countries.
In the U.S., the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) reported ransomware attacks in 2021 affected 14 of the 16 U.S. critical infrastructure sectors, including the defense industrial base, emergency services, food and agriculture, government facilities, and information technology sectors.
The Australian Cyber Security Centre (ACSC) also noted attacks targeting that nation’s critical infrastructure entities, including healthcare and medical, financial services and markets, higher education and research, and energy sectors.
The National Cyber Security Centre (NCSC) in the U.K. said education was one of the top sectors targeted by ransomware actors, followed by businesses, charities, the legal profession, and public services in the local government and health sectors.
The report did not contain any statistics regarding the number of attacks that took place in 2021 nor which groups were primarily responsible, but it stated that ransomware attacks would continue as long as such activity remains profitable for the attackers.
“Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model. Additionally, cybersecurity authorities in the United States, Australia, and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates, and freelancers; it is often difficult to identify conclusively the actors behind a ransomware incident,” the report said.
When it comes to gaining initial access to a potential target’s network, the report said attackers in 2021 relied on phishing, stolen Remote Desktop Protocol (RDP) credentials, or brute force.
Attackers used these tactics to target cloud infrastructures, managed service providers, critical infrastructure or industrial processes, and the software supply chain, and they often struck on holidays and weekends when security teams might be off or paying less attention.
Once again, the quick move to remote work in 2020, which remained in effect for most of 2021, was one reason why ransomware attackers continued to use these specific infection vectors. This increase in remote work expanded the attack surface and left network defenders struggling to keep pace with many aspects of cybersecurity, including routine software patching.
The fact that so many organizations remain vulnerable to these attack vectors helped boost the market not only for ransomware-as-a-service providers but for third-party cyberattack suppliers with expertise in helping process ransomware payments, the report said.
Threat actors also employed an ecosystem of independent services that negotiated payments, assisted victims with making payments, and even arbitrated payment disputes between themselves and other cybercriminals. Meanwhile, NCSC-UK observed some ransomware adversaries offering their victims the services of a 24/7 help center to expedite ransom payment and restoration of encrypted systems or data, the report said.
It is no longer a given that ransomware gangs operate independently; in some cases, they were seen actively collaborating. For example, the report noted some Eurasian ransomware groups shared victim information, diversifying the threat to targeted organizations. In one example, the BlackMatter ransomware group, after it announced it was shuttering its operation, transferred its existing victims to infrastructure owned by the group LockBit 2.0.
Another change took place in October 2021, when the Conti ransomware group began selling access to its victims’ networks, enabling follow-on attacks by other cyber threat actors.
Threat actors also redoubled their efforts to force victims to pay their ransom demands, resulting in cases of double and triple extortion being increasingly observed.
Double extortion involved the threat actor using a combination of encryption and data theft to pressure victims to pay ransom demands. Triple extortion twists this concept by having the attacker threaten to publicly release stolen sensitive information, disrupt the victim’s internet access, and/or inform the victim’s partners, shareholders, or suppliers about the cyber incident.
Not all of the news from 2021 was negative. The FBI saw a marked decrease in attacks on “big-game” targets after incidents involving several major U.S. companies resulted in a strong response that ended up disrupting the gangs associated with the attacks. Subsequently, the FBI observed some ransomware threat actors redirecting their efforts away from these high-profile targets and toward mid-sized victims to reduce scrutiny.
The U.K. and Australia did not see a similar switch. Each observed attacks on organizations of all sizes throughout the year.
Darren Van Booven, Lead Principal Consultant at Trustwave and former CISO of the U.S. House of Representatives, has noted that cybersecurity practitioners need to create a plan they can use to respond to the full life cycle of a ransomware attack.
Security practitioners should work with the organization’s C-level executives to answer questions and develop a ransomware protection plan. Consider how ransomware is prevented and detected in addition to how your organization would respond.
The plan should ask and answer a series of questions. These include how to contain the ransomware, how to identify affected systems, whether negotiating with the attacker or paying the ransom is on the table, and which external resources are needed to respond.
The report further recommended: