The first few weeks of 2022 have demonstrated why ransomware remains the most serious cybersecurity threat to businesses and government organizations in the U.S. and around the world.
Consider a small sampling of headlines from the first few weeks of January:
- On Jan. 12, officials with Maryland’s Department of Health and the state’s Information Technology office confirmed that a ransomware attack that started in December has left hospitals and other healthcare facilities struggling at a time of increasing cases of COVID-19.
- A few days before, on Jan. 10, Microsoft posted an update to its users concerning the Log4J vulnerability. The company’s security analysts found ransomware gangs taking advantage of this particularly tricky bug to deploy their crypto-locking malware.
- Microsoft also warned that threat groups are deploying data-wiping malware disguised as ransomware to certain targets in Ukraine as that country finds itself in increasing conflict with Russia, which has previously deployed its cyber capabilities against other Eastern European countries.
- Meanwhile, the Russian Federal Security Service announced in early January that investigators in that country conducted raids against alleged members of the REvil (a.k.a. Sodinokibi) ransomware gang at the request of U.S. officials. These actions resulted in some arrests and the confiscation of large amounts of money, although it’s not clear what effect these police actions will have on ransomware attacks.
While this is only a small sampling of ransomware-related threats, these incidents show that cybercriminal gangs and their affiliates continue to refine their skills to better take advantage of system vulnerabilities.
In a recent BugCrowd report on the increases in critical vulnerabilities discovered in systems and software, researchers note that ransomware gangs are adopting many of the same techniques found in tech startup culture.
“We are now seeing ransomware gangs applying lean startup principles to their operations. They begin with skeleton teams making scattergun, speculative attacks and crudely requesting their rewards in crypto,” according to Bugcrowd’s 2022 Priority One report. “Following one or two successful attacks, these teams treat the ransoms paid as seed capital, using it to grow their operations and invest in better software, talent, and exploits.”
Casey Ellis, founder and CTO at Bugcrowd, also noted this evolution in a recent interview. “Ransomware started life as primarily a consumer problem, which targeted the average user via phishing and the like, and encrypted their personal treasures,” Ellis told Dice. “This is very much still a thing, but ransomware as a business model for monetizing things which can be hacked but are otherwise worthless has evolved to strategically and directly target business—thus maximizing gains for the attackers. I think this is an important evolution because in my experience it’s something people often miss when they think about the risk of ransomware.”
Another report, conducted by Cybersecurity Insiders and sponsored by security firm Bitglass, surveyed over 230 security professionals and found that a majority (55 percent) view malware and especially ransomware as an “extreme” threat to their organizations. Over the next 12 months, 75 percent of survey participants see these attacks becoming a much greater threat to organizations.
“In 2021, a lot of attention has been given to cyber extortion. Ransomware has led the pack with high-profile attacks such as DarkSide's extortion of Colonial Pipeline, among several others,” Xue Yin Peh, a senior cyber threat intelligence analyst at Digital Shadows, told Dice. “We have also seen these attacks growing in sophistication, with these attacks leveraging weak points in the supply chain to proliferate. Ransomware-based extortion and the attack methods used in conducting such attacks will continue to be a prolific threat across sectors and geographies in 2022.”
Skilled Defenders
Several cybersecurity experts noted that one of the bigger challenges in the months ahead is ensuring that IT and security professionals have the right skill sets to not only respond to these incidents, but also anticipate the tactical changes ransomware gangs might make to their attacks.
While ransomware attacks are likely to increase over this year, developments in endpoint detection and response, combined with advances in automation (such as A.I.), can help reduce the likelihood of these incidents or prevent them outright. These are the areas where organizations should invest, including hiring security professionals who know how to maximize these technologies, said Andrew Barratt, vice president of technology and enterprise at security consulting firm Coalfire.
“Prevention and detection are different sides to the same coin. Sure, an ounce of prevention feels like it should save a pound of detection, but oftentimes we see that prevention techniques are circumvented. This may be due to user error, a new attack technique, a missing patch or other unresolved vulnerabilities, and with limited detection capabilities everyone ends up scratching their head as to what an intruder may have done,” Barratt told Dice.
“Penetration tests and ethical hacking exercises can be a good way to get a point-in-time view of potential vulnerabilities. However, for meaningful value and to help defenders, they really need to be coupled with technology that is more continuous in its monitoring capability,” Barratt added.
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, noted that investing in those employees who know how to handle incident response can help lessen the possibility of crippling ransomware attacks.
“When security controls fail to prevent attacks, this means the business must look to the incident response and recovery capabilities to get the business back and running,” Carson told Dice. “In addition to incident response, a strong backup strategy that reduces risks from ransomware, a solid privileged access security solution and multifactor authentication will make it a bit more difficult for attackers to be successful.”
Besides investing in skilled workers who understand incident response, Carson urged organizations to invest in creating more resilient systems that can withstand and recover from an attack—an approach favored by government organizations such as the National Institute of Standards and Technology.
“To build resilient systems means you must understand the business and what makes the business successful so that you can put in place alternative systems in production to keep operating. If a company can recover from a backup, they won’t need to pay the criminals to get their data back,” Carson added.
Focus on Cloud
Another area that IT and security pros want to focus on is the cloud. Many workers will likely remain at home or remote for a good portion of 2022, which means a continuing reliance on cloud-based apps. This, in turn, increases the attack surface and can make networks more vulnerable to attack.
Analysts also see ransomware gangs shifting away from attacks that take advantage of vulnerabilities in on-premises networks and focusing more on cloud environments, said Oliver Tavakoli, CTO at security firm Vectra.
“Almost all ransomware attacks carried out in the past two years have used relatively commoditized tools to attack on-premises networks,” Tavakoli told Dice. “As almost everything moves to the cloud and as the tools used by nation-states to attack assets organizations have in the cloud become commoditized, ransomware gangs will focus there. Organizations need to get their clouds, identity stores and SaaS applications locked down and need to implement detection and response capabilities across those three domains.”