On February 9, 2022, the US Cybersecurity & Infrastructure Security Agency (CISA) issued an alert through the National Cyber Awareness System warning of the increasing risk of global ransomware attacks. Authorities from the US, Australia, and the UK observed an “increase in sophisticated, high-impact ransomware attacks against critical infrastructure organizations globally”.
Observations of Recent Global Ransomware Attacks
Government agencies around the world are reporting both a higher frequency of ransomware incidents and more sophisticated ransomware techniques; together, these significantly increase the ransomware threat.
The FBI, CISA, and NSA reported incidents involving ransomware against 14 of the 16 critical infrastructure sectors. These included defense, emergency services, food & agriculture, government facilities and IT.
The ACSC (Australian Cyber Security Centre) observed continued ransomware targeting of critical infrastructure entities, including the healthcare, financial services, higher education, and energy sectors.
The NCSC-UK sees ransomware as the biggest cyber threat facing the UK. Education has been the sector most targeted by ransomware, but attacks are also being seen against charities, the legal sector, local government, and the health sector.
New Trends Are Emerging From Cyber Criminal Behavior
- Phishing emails, RDP exploitation, and exploitation of software vulnerabilities remained the top three tactics used by cyber criminals in 2021.
- The ransomware market matured significantly in 2021 and has developed a class of “professional” cyber criminal skilled in ransomware attacks.
- The ransomware business model is well established and even includes ransomware-as-a-service (RaaS), where bad actors use sophisticated systems to negotiate payments, make payments easier for victims, and even arbitrate disputes.
- Victim data sharing across ransomware groups is increasing.
- The ransomware market has expanded to include any business providing critical services, so it is no longer just “big game” hunting.
- Extortion tactics have diversified to include three threat vectors: 1) threatening to release sensitive stolen information, 2) threatening to disrupt the victim's internet access, and/or 3) making the victim's partners, suppliers, and shareholders aware of the incident.
- Ransomware groups are increasingly targeting vulnerabilities in cloud applications and virtual machine software.
- Managed service providers (MSPs) are increasingly being targeted because of their access into client organizations.
- Incidents targeting industrial processes are increasingly being observed, with the goal of stopping critical processes.
- The software supply chain has gaps that are increasingly being exploited, enabling bad actors to scale their attacks.
- Holidays and weekends are increasingly being targeted, since vacations and closed offices increase the probability of success.
Recommended Tactics to Mitigate Ransomware Attacks
- Maintain up-to-date software and operating systems.
- Increase awareness of known vulnerabilities.
- Monitor RDP services closely, limit access to resources over internal networks, and require multi-factor authentication (MFA).
- Extend security measures to key third parties in your supply chain and to anyone interconnected with your business.
- Educate and train staff to raise awareness and knowledge of phishing and spear-phishing emails.
- Require MFA for critical accounts, including VPNs, email, and any privileged systems.
- Require all accounts with password logins to use unique and secure passwords, and implement password policies.
- Leverage the latest security modules for Linux-based systems.
- De-risk the cloud by leveraging multiple backup locations and encrypting data stored in the cloud.