According to the Cybersecurity & Infrastructure Security Agency (CISA), sophisticated, high-impact ransomware incidents against organizations’ critical infrastructure increased globally in 2021.
Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally. A joint Cybersecurity Advisory—authored by cybersecurity authorities in the United States, Australia, and the United Kingdom—provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.
Most notable trends to watch include:
- Gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploiting vulnerabilities.
These remain the top three infection vectors for ransomware. Their prominence can be attributed to an expanded remote attack surface that has left network defenders struggling to keep pace with routine software patching.
- Cybercriminal services for hire
The market for ransomware became increasingly “professional” in 2021, and the criminal business model of ransomware is now well established. In addition to their increased use of ransomware-as-a-service (RaaS), ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cybercriminals — these services even come with a 24/7 help desk.
- Victim sharing
If you get hit by ransomware once, it won’t be the only time. Ransomware groups have shared victim information with each other, diversifying the threat to targeted organizations. If they know your systems are weak, they are going to tell their friends about you.
- SMBs are becoming bigger targets
The FBI has observed some ransomware threat actors redirecting ransomware efforts away from “big-game” and toward mid-sized victims to reduce scrutiny.
- Diversifying approaches
Ransomware threat actors increasingly used “triple extortion” by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident.
- Targeting organizations on holidays and weekends
Ransomware threat actors may view holidays and weekends—when offices are normally closed—as attractive timeframes, as there are fewer network defenders and IT support personnel at victim organizations.
- Targeting the Cloud
Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data.
Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model. Additionally, cybersecurity authorities in the United States, Australia, and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates, and freelancers; it is often difficult to identify conclusively the actors behind a ransomware incident.
How to Defend Against Ransomware
- Keep all operating systems and software up to date.
- Require MFA to mitigate credential theft and reuse.
- Ensure devices are properly configured and that security features are enabled.
- Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
- Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.
- Require all accounts with password logins to have strong, unique passwords.
- Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
Ransomware is a real threat. Contact ACE IT Solutions at 646.558.6358 to schedule a complimentary cybersecurity assessment. We will assess your systems to discover gaps in your cybersecurity program, so that you can prevent disruptions — including ransomware — and recover from them quickly.