A surge in "sophisticated, high impact" ransomware attacks has prompted the United States' Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC) to issue a joint advisory about the techniques being used by cybercriminals to attack businesses and organisations.
Reacting to ransomware attacks against a broad range of industry sectors - including defence, financial services, IT, healthcare, education, energy, charities, and local government - the agencies warn that ransomware tactics and techniques have "continued to evolve in 2021."
In the joint bulletin, the agencies state that ransomware threat actors are demonstrating a "growing technological sophistication" which poses an "increased ransomware threat to organisations globally."
According to the cybersecurity authorities in the United States, UK, and Australia, the top three initial infection vectors for ransomware incidents during 2021 were:
- Phishing emails
- Remote Desktop Protocol (RDP) exploitation via stolen credentials or brute force
- Exploitation of software vulnerabilities
Once an attacker has gained the ability to enter a network or to execute code on a device, ransomware will often be deployed. Unfortunately, it's likely that these infection vectors will remain popular because of the increased level of remote working, which has expanded the remote attack surface and - in the words of the report - "left network defenders struggling to keep pace with routine software patching."
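The second vector in the list above, RDP abused through brute force or stolen credentials, is one that defenders can spot in their own logs before ransomware is deployed. The following is an added example, not code from the article or from the advisory: a small detection rule run over a handful of constructed Windows Security log records, reduced to the fields that matter (EventID 4625 for a failed logon, 4624 for a successful one, LogonType 10 for RemoteInteractive, i.e. RDP). It raises an alert when one source address fails RDP logons five or more times inside five minutes, checks whether a successful RDP logon from the same source followed inside that window (the guessed-or-stolen-credential case), and tags the alert if it fell on a weekend or outside working hours, since the advisory notes attackers favour holidays and weekends. The threshold, the window, the working-hours band and the sample records are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields (not real data).
# event_id 4625 = failed logon, 4624 = successful logon; logon_type 10 = RemoteInteractive (RDP).
# Timestamps are ISO 8601 in UTC. 2021-11-27 is a Saturday, 2021-11-29 a Monday.
SAMPLE_EVENTS = [
    {"time": "2021-11-27T02:14:03", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "administrator"},
    {"time": "2021-11-27T02:14:05", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "admin"},
    {"time": "2021-11-27T02:14:06", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "backup"},
    {"time": "2021-11-27T02:14:08", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "svc_sql"},
    {"time": "2021-11-27T02:14:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "jsmith"},
    {"time": "2021-11-27T02:14:11", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.45", "user": "jsmith"},
    # One mistyped password during the working day, then success: benign, must not alert.
    {"time": "2021-11-29T09:03:10", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.8", "user": "jsmith"},
    {"time": "2021-11-29T09:03:20", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.8", "user": "jsmith"},
    # Console (logon_type 2) failure: not RDP, ignored by this rule.
    {"time": "2021-11-29T09:10:00", "event_id": 4625, "logon_type": 2, "src_ip": "-", "user": "jsmith"},
]

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESS_LOGON = 4624


def is_off_hours(t):
    """Assumed working pattern: Monday-Friday, 07:00-19:00. Anything else is off-hours."""
    return t.weekday() >= 5 or not (7 <= t.hour < 19)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced >= threshold failed RDP logons
    within any sliding window of `window`, noting a subsequent success if one
    occurred before the window closed."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort as text
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        by_src[ev["src_ip"]].append((datetime.fromisoformat(ev["time"]), ev))

    alerts = []
    for src, rows in by_src.items():
        failures = [(t, e) for t, e in rows if e["event_id"] == FAILED_LOGON]
        start = 0
        for end in range(len(failures)):
            # Advance the window start until the span fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            first_t, last_t = failures[start][0], failures[end][0]
            users = sorted({e["user"] for _, e in failures[start:end + 1]})
            # A success from the same source after the burst, still inside the window,
            # is the strongest signal: the attacker got a working credential.
            success = next(
                (e for t, e in rows
                 if e["event_id"] == SUCCESS_LOGON and last_t <= t <= first_t + window),
                None,
            )
            alerts.append({
                "src_ip": src,
                "failures": end - start + 1,
                "users_tried": users,
                "first_failure": first_t.isoformat(),
                "last_failure": last_t.isoformat(),
                "success_user": success["user"] if success else None,
                "off_hours": is_off_hours(first_t),
            })
            break  # one alert per source is enough; the SIEM can correlate further
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The sliding window keeps the rule cheap enough to run over a day of 4625 events from a domain controller; in practice the same rule is worth applying to VPN gateway logs as well, since the advisory groups RDP with other remote-access services exposed by the shift to remote working.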
In addition, the ransomware business became increasingly professional in 2021, with the increased use of Ransomware-as-a-Service (RaaS) operations, some of which are even offering 24/7 helpdesk support to victims in an attempt to expedite ransom payments.
And, as is well documented, businesses have been encouraged to open their purses by attackers threatening to leak stolen sensitive data if demands are not met.
The view of CISA, NCSC and the Australian Cyber Security Centre is that as the ransomware business model continues to yield large financial returns, attacks will become more frequent. At the same time, the use of the RaaS model has made it more difficult to identify conclusively the cybercriminals behind a particular attack, as there may be a complex web of developers, freelancers, and affiliates at work.
Interestingly, authorities in the United States and Australia say that they have seen a shift away from ransomware gangs targeting larger organisations such as Colonial Pipeline and JBS Foods in favour of mid-sized victims instead. This may be the result of action taken by the US authorities in mid-2021 to disrupt the activities of ransomware operators involved in the high-profile attacks.
Despite some law enforcement successes, the overall picture painted by the advisory is a gloomy one, with ransomware groups increasing their impact during 2021 by:
- Targeting poorly-defended cloud infrastructure to steal data, encrypt information, and - in some cases - deny access to backup systems.
- Targeting managed service providers (MSPs), impacting all of an MSP's clients at once.
- Attacking industrial processes by either affecting connected business systems, or developing code to interfere with critical infrastructure.
- Attacking the software supply chain, and using it as a method to access multiple victims through a single initial compromise.
- Targeting organisations on holidays and weekends, where they might have more impact and there are fewer IT support personnel in place to handle emergencies.
For more information, and for advice on how to mitigate ransomware threats, be sure to read the Joint Cybersecurity Advisory issued by CISA, NCSC, and the Australian Cyber Security Centre.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.