Last year, many organizations stopped talking about when the workforce would be back full-time in the office. Instead, they focused on how to build a hybrid work model for the future. 2021 was active and interesting, for lack of a better word. There’s a lot to say in terms of cyber crime in general and ransomware specifically.
As we progress further into 2022, we wanted to pause to reflect on 2021. What’s in store going forward? We spoke with Camille Singleton, a threat intelligence expert within IBM Security X-Force, to get her thoughts. See how we can prepare for what’s ahead.
Singleton: We’ve seen a number of new trends in 2021, including an uptick in triple extortion. We began seeing double extortion in 2019 and 2020, during which gangs either leak or threaten to leak stolen data, which puts more pressure on victims to pay the ransom than if their data was only encrypted. Now we are seeing some groups threaten triple extortion, adding distributed denial-of-service attacks when a victim doesn’t pay after the group encrypts, steals and then leaks the data. This technique is still in its infancy, but it may become more prevalent if ransomware gangs figure out how to use it to their advantage.
On a positive note, 2021 was also the year of a crackdown on ransomware. We’ve seen a flurry of arrests worldwide, including that of Clop ransomware actors and members of the REvil/Sodinokibi ransomware group. We also saw many groups, such as REvil/Sodinokibi, DarkSide, Black Matter and Avaddon, shut down, although I expect some will come back next year. But at least for now, the tempo of attacks may be a little slower.
First, I don’t think ransomware is going away – even with the shutdowns and government crackdowns. Ransomware actors are earning a ton of money, billions of dollars every year from ransomware attacks, which continues to attract cyber criminals to the ransomware space.
Second, I think a lot of the big groups that were shut down will rebuild and come back. I don’t know what their new names or focus will be, but they will learn from their experience to develop new ransomware and continue their operations. While I can’t predict the number of new groups, I think it may be somewhat comparable to the number shut down in 2021.
Finally, I am hopeful we will see more arrests of ransomware actors in 2022 than we did in 2021. Ideally, these arrests will eventually have a lasting effect on the ransomware landscape. For example, in 2016, hacktivism was huge, and the group Anonymous was extremely active with a high level of hacktivist attacks. But the strong law enforcement crackdown from 2016 to 2018 dramatically changed the hacktivist threat landscape, decreasing the level of hacktivist activity. There may be some hope that we will see a similar threat landscape change with ransomware over time.
After reviewing numerous ransomware attacks spanning most geographies and industries, X-Force has found that many ransomware attackers are using similar tactics, tools and techniques. Cyber criminals are figuring out what works and communicating that to one another. In particular, X-Force has identified five stages of a ransomware attack that threat actors are using again and again. Recently, we’ve seen some changes in the details of these attacks, such as the frequent exploitation of Active Directory to steal credentials and to move laterally within the network. If organizations pay more attention to Active Directory, monitor it closely and know what suspicious activity to look for, they might be able to catch ransomware actors before they execute their objectives. We’ve also noticed that 88% of ransomware attacks used the tool Adfind, which wasn’t the case even three years ago.
Organizations should also focus on domain controllers. Almost every single ransomware attack today involves the attackers trying to get access to domain controllers and domain administrator accounts and deploy the ransomware from there. Previously, many ransomware strains “wormed around,” such as with WannaCry, self-propagating from computer to computer through the network. Now, attackers are using domain controllers to deploy ransomware on all or as many devices as possible within an enterprise network simultaneously.
In terms of how ransomware attackers are initially getting in, phishing and vulnerability exploitation are the two infection vectors we are commonly observing. Ransomware attackers are cooperating with QakBot, Emotet and Trickbot operators who gain initial access through phishing emails and drop malicious attachments. They then deploy their malware, and the ransomware affiliates continue the attack from there. Organizations should continue to protect against phishing through user awareness training, behavior-based anti-malware detection and phishing email software solutions. Organizations should also use a robust vulnerability management program to address relevant vulnerabilities quickly.
While there is no way to 100% prevent ransomware, understanding the techniques threat actors are using today can help organizations know where to focus to prevent attackers from getting into the network and then finding them once they breach the network.
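The point above about watching Active Directory closely, and the observation that AdFind appears in most ransomware intrusions, suggests a concrete check for a detection team. The following is an added example, not code from IBM X-Force or from the interview: it runs a small heuristic over constructed process-creation events (Sysmon Event ID 1 style fields flattened to one line each) and flags AdFind-style directory enumeration, including the case where the binary has been renamed. The field layout and the command-line patterns used as indicators are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    "host=WS01 user=CORP\\alice image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe report.txt",
    "host=WS07 user=CORP\\svc_backup image=C:\\Temp\\adfind.exe cmd=adfind.exe -f (objectcategory=person) > ad_users.txt",
    "host=WS07 user=CORP\\svc_backup image=C:\\Temp\\adfind.exe cmd=adfind.exe -sc trustdmp > trusts.txt",
    "host=WS12 user=CORP\\bob image=C:\\Users\\bob\\af.exe cmd=af.exe -f objectcategory=computer -csv",
    "host=DC01 user=CORP\\admin image=C:\\Windows\\System32\\dsquery.exe cmd=dsquery computer",
]

# Assumed flattened event layout: host=... user=... image=... cmd=...
EVENT_RE = re.compile(r"host=(\S+) user=(\S+) image=(\S+) cmd=(.*)")

# Indicators (assumed for this example): the binary name itself, or AdFind-style
# query switches that survive a rename of the executable.
ADFIND_IMAGE_RE = re.compile(r"(^|\\)adfind\.exe$", re.IGNORECASE)
ADFIND_CMD_RE = re.compile(r"\s-f\s+\(?objectcategory=|\s-sc\s+trustdmp\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    user: str
    reason: str


def parse_event(line):
    """Split one flattened event line into its fields; reject malformed lines."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    host, user, image, cmd = m.groups()
    return {"host": host, "user": user, "image": image, "cmd": cmd}


def classify(event):
    """Return a reason if the event looks like AdFind-based AD enumeration, else None."""
    if ADFIND_IMAGE_RE.search(event["image"]):
        return "adfind.exe executed"
    if ADFIND_CMD_RE.search(event["cmd"]):
        return "AdFind-style AD query from renamed binary"
    return None


def find_adfind_activity(lines):
    """Parse every event line and collect the ones that match the indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            findings.append(Finding(ev["host"], ev["user"], reason))
    return findings


if __name__ == "__main__":
    for f in find_adfind_activity(SAMPLE_EVENTS):
        print(f)
```

On the sample above the built-in dsquery run on the domain controller is left alone, while the two adfind.exe runs and the renamed binary on WS12 are reported; in production the command-line patterns would be tuned against the organization's own baseline of legitimate directory tooling.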
On a certain level, organizations should expect that a ransomware attack will happen. They should prepare for an attack beforehand by planning their response, considering how to diminish the impact on their network and putting backup plans and redundancy in place so they can get up and running quickly. Organizations should also consider how to handle the public relations aspect of a massive ransomware attack. Everyone from the CEO to the lowest level security operations center analyst needs to know what they are going to do next in a response scenario. The goal is to prevent attacks as much as possible but be ready in case one happens, whether that’s in 2022 or beyond.