The ransomware threat has boomed in the past year, with a recent report by allied cybersecurity agencies highlighting the need for better monitoring of remote access technologies to successfully tackle the threat.
The report highlights how the FBI, NSA, and CISA all observed ransomware attacks on 14 of the 16 key infrastructure sectors in the United States. These sectors include food and agriculture, defense industrial base, and emergency services. Similar attacks have been identified in Australia, the United Kingdom, and numerous other countries around the world.
2021 saw an evolution in the tactics and techniques used by attackers, with a growing level of technological sophistication used to successfully target organizations across the world. For instance, phishing and stolen Remote Desktop Protocol (RDP) credentials have both been on the rise, along with the exploitation of software vulnerabilities.
These attack vectors were particularly popular due to the rise in homeschooling and remote working during the pandemic, but the authors believe they will continue to remain popular, not least due to the struggles network administrators have in patching their software successfully.
Guns for hire
As the ransomware market grew during 2021, it also became more "professional," with criminals' business models becoming more sophisticated and established. For instance, some criminals offered victims a "helpline" service to expedite the payment of the ransom and the return of their system to normality.
"In addition to their increased use of ransomware-as-a-service (RaaS), ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cybercriminals," the authors explain.
The authors are concerned that if ransom payments continue to flow so smoothly, it will merely encourage criminals to increase activity as the viability and attractiveness of the model grow. This is especially problematic as the global nature of the sector makes it extremely difficult for law enforcement agencies to prosecute criminals successfully.
The professionalization of the sector does not mean it's necessarily dog-eat-dog, however, as the report highlights the willingness of criminal groups to share information on vulnerable targets with one another.
"For example, after announcing its shutdown, the BlackMatter ransomware group transferred its existing victims to infrastructure owned by another group, known as LockBit 2.0," the authors explain. "In October 2021, Conti ransomware actors began selling access to victims' networks, enabling follow-on attacks by other cyber threat actors."
There also seems to be a willingness to move away from so-called "big game" targets and attack smaller organizations. Criminals are doing this both because such targets may be more vulnerable and because it may help them avoid the scrutiny of law-enforcement agencies.
The report also identifies a willingness among cybercriminals to diversify their methods in a bid to extract ransom payments from victims. A popular approach is the so-called "triple extortion," which first involves a threat to release stolen data publicly; the criminals then threaten to disrupt access to systems, and finally inform partners, shareholders, and suppliers that the victim's systems and data have been compromised.
With the widespread migration towards cloud-based services during the pandemic, it is perhaps understandable that ransomware attackers are increasingly striving to exploit known vulnerabilities in virtual machine software and cloud applications. Indeed, some criminals have been able to successfully access cloud resources via local devices, which highlights the range of possible methods being deployed.
There has also been considerable growth in the willingness of criminals to target organizations on holidays and weekends. Criminals reason that fewer security personnel will be operational in these times, so they see them as a great opportunity for attack.
Warding off the threat
Thankfully, there remain a number of fairly straightforward methods for keeping systems safe. The first of these is to ensure that all software and operating systems are patched and kept up to date.
"Regularly check for software updates and end of life (EOL) notifications, and prioritize patching known exploited vulnerabilities," the authors explain. "In cloud environments, ensure that virtual machines, serverless applications, and third-party libraries are also patched regularly, as doing so is usually the customer's responsibility."
Access control is also a crucial step, especially for cloud-based systems. If remote access is required, then using a virtual private network or virtual desktop infrastructure can help to bolster security.
The authors also urge organizations to do more to educate staff about cybersecurity. They argue that this should focus specifically on phishing to enable employees to detect suspicious websites or emails and therefore avoid clicking on links and opening attachments that can leave them vulnerable.
Similarly, IT teams should require all accounts with password access to have strong and unique passwords. What's more, these passwords shouldn't be used across multiple devices.
None of these measures are either new or particularly hard, and it's clear that officials are not requesting that organizations be impregnable to attack but rather more secure than peers elsewhere. With data from Microsoft suggesting that these kinds of simple measures would be sufficient to rebuff the vast majority of attacks, we can only hope that it's a message that gets through sooner rather than later.