Ransomware is now one of the top and most dreaded cyberthreats entangling enterprises, and it is not a one-time battle. While it is not a new cyber risk, its exponential growth is worrisome and now concerns governments globally as they try to safeguard critical infrastructure and assets from being taken down. We would all recall the recent Conti ransomware attack that almost brought the Costa Rican government to its knees. From supply chain attacks to double and triple extortion demands, this seems to be an unstoppable fury.
According to analyst firm IDC, approximately 37% of global organisations said they were the victim of some form of ransomware attack in 2021. The FBI’s Internet Crime Complaint Center reported 2,084 ransomware complaints from January to July 31, 2021.
Zscaler’s ThreatLabz recently came out with its 2022 Ransomware Report, which reveals that attacks have increased by 80% year-over-year, with ransomware-as-a-service being used by eight of the top eleven ransomware families. Nearly one in every five ransomware attacks targets manufacturing businesses, making this industry the most targeted for the second year in a row. To evade the crackdown, ransomware families are either smartly rebranding themselves or getting dismantled into smaller, unidentified groups.
In 2022, the most prevalent ransomware trends include:
- Supply chain attacks
- Ransomware rebranding
- Geo-political incited ransomware attacks
The ThreatLabz team evaluated data from the Zscaler Zero Trust Exchange, which secures over 200 billion transactions and blocks 150 million threats daily, worldwide. ThreatLabz analysed a year’s worth of global ransomware data from the Zscaler cloud, along with intelligence from external sources, covering February 2021 to March 2022.
“Modern ransomware attacks require a single successful asset compromise to gain initial entry, move laterally, and breach the entire environment, making legacy VPN and flat networks extremely vulnerable,” says Deepen Desai, CISO of Zscaler.
“Attackers are finding success exploiting weaknesses across businesses’ supply chains as well as critical vulnerabilities like Log4Shell, PrintNightmare, and others. And with ransomware-as-a-service available on the darkweb, more and more criminals are turning to ransomware, realising that the odds of receiving a big payday are high,” he says.
ThreatLabz also noted a nearly 120 percent increase in double-extortion ransomware victims, based on data published on threat actors’ data leak sites.
The Verizon Data Breach Investigation Report (DBIR 2022), released last week, also validates the claims made in the Zscaler ThreatLabz report. “Of particular concern is the alarming rise in ransomware breaches, which increased by 13 percent in a single year – representing a jump greater than the past 5 years combined. As criminals look to leverage increasingly sophisticated forms of malware, it is ransomware that continues to prove particularly successful in exploiting and monetising illegal access to private information,” the Verizon report states.
Ransomware is a big business. Here’s a list of some of the notable ransomware attacks in 2021-22:
- Accenture ransomware attack (August 2021), in which proprietary information was exfiltrated and leaked by a third-party entity. The LockBit gang claimed responsibility.
- Computer major Acer was attacked in March 2021, when the REvil/Sodinokibi gang published classified financial information and demanded US$50 million in ransom.
- Colonial Pipeline, a US energy major, was attacked by the DarkSide ransomware gang in May 2021; even federal agencies such as the FBI got involved in recovering the data.
- The REvil/Sodinokibi gang knocked down Kaseya VSA software in July last year. By exploiting a vulnerability, the gang was able to execute a supply chain attack and distribute malware to Kaseya’s MSP clients and their downstream clients.
- In January 2022, Bernalillo County in New Mexico, US, discovered a data breach that turned out to be a ransomware attack. The effects included the closure of government buildings, the blocking of the jail’s camera feeds and the entrapment of inmates due to the failure of automatic door mechanisms.
- In February 2022, microchip major Nvidia reported a ransomware attack supposedly orchestrated by the Lapsus$ gang. The group also threatened to release around 1 TB of data if the ransom was not paid by a specific date.
No industry is spared by ransomware attackers, and the Zscaler ThreatLabz 2022 report validates this. According to the report, manufacturing was the most targeted vertical in 2021, followed by services (9.7%), construction (8.1%), retail and wholesale (7.5%), and high tech (6.7%). (See the graph below.)
The Zscaler report also lists some trends that the industry will continue to witness in 2022-23:
- Ransomware as a service (RaaS) has proven to be valuable for all parties involved. New ransomware developers and affiliates will increase their use of this model to wage rapidly changing attacks on vulnerable organisations.
- Changing ransomware models will lead to changing targets – organisations should expect to see a shift toward easier targets, including small to medium enterprises with fewer security controls and organisations with internet-visible applications that have known vulnerabilities along with previously phished credentials.
- Dwell time will continue to decrease: with easy and cheap access to company profiles and compromised credentials for sale on the dark web, the days of attackers sitting on targets for months or even years and then taking extra time to look around before launching an attack are coming to an end. With more public reports of ransomware attackers reducing dwell times to just days, criminals are savvy to improved detection techniques and realise that time is of the essence for a successful attack. As a result, security teams need to close the gap and speed up detection, to days, hours or just minutes, to prevent worst-case breaches in 2022 and beyond.
- Supply chain attacks will increase as adversaries compromise partner and supplier ecosystems.
- Ransomware may be used as, or in conjunction with, a wiper to destroy data: In early 2022, publicised attacks on Ukraine featured multiple types of wiper attacks, including HermeticWiper alongside a decoy ransomware known as PartyTicket. This is not the first time ransomware has been used in geopolitical attacks, with NotPetya and Bad Rabbit being deployed in 2017 to attack Ukrainian organisations. Geopolitical tensions bring with them the threat of masked ransomware, wipers, and other tactics that afford threat actors an elevated degree of anonymity and plausible deniability.
- Ransomware families will continue rebranding: Zscaler Threatlabz saw this cycle throughout 2021; a ransomware group pulls off a major attack, earns attention and sanctions from law enforcement, and then disappears and reforms later under a new name. With ransomware very much on the radar of law enforcement, this cycle will continue throughout 2022 and beyond.
- Organisations will need to beef up security beyond endpoint protection: Ransomware groups will increase use of tactics to bypass antivirus and other endpoint security controls. Organisations will have an even greater need for defence-in-depth rather than relying solely on endpoint security to prevent and detect intrusions.
- Ransomware developers will add more malware obfuscation: Malware authors implement malware obfuscation techniques to hinder reverse engineering and bypass static signature detection. The malware obfuscation complexity will continue to increase with advanced techniques, including control flow flattening, polymorphic string obfuscation, and the use of virtual machine-based packers.
Ransomware is a prolific attack vector that won’t disappear anytime soon. Rather, it will evolve and take different forms. Cyber criminals are resorting to more innovation to exfiltrate sensitive data; one example is ransomware as a service (RaaS). Many RaaS offerings are now available on the dark web on a subscription basis, enabling criminals to launch ransomware attacks simply by signing up for the service. This trend is increasing, as the Zscaler report also validates. Interestingly, RaaS has significantly lowered the barrier to entry, which has accelerated the proliferation of threats. The model is quite similar to SaaS: affiliates pay a subscription fee to access the RaaS service along with other necessary tools and services.
Another interesting trend is double extortion. When ransomware gangs upped the ante by encrypting files, enterprises responded with data backups and refused to pay the ransom. That defence now seems to be ineffective, as ransomware gangs exfiltrate the affected organisation’s data before encrypting it and then threaten to leak or disclose it if the ransom demands are not met.
In this year’s Zscaler report there is a special emphasis on the growth in double-extortion ransomware attacks. The data (shown below) tells the story: double-extortion ransomware attacks against healthcare grew by 643% in 2021, though from a very low baseline of attacks in 2020. Several other verticals with higher starting points also saw triple-digit growth in attacks, including education (225%), manufacturing (190%), construction (161%), financial services (130%), and services (109%).
It is true that in today’s context, ransomware should and must be one of the highest priorities for organisations of all sizes and sectors. It is the job of CISOs and their teams to ensure they take all necessary preventative measures to nullify the growing impact of ransomware and become more resilient and resistant.
NOTE: dynamicCISO will follow this up with a detailed conversation with Deepen Desai, CISO of Zscaler.