Government Agencies Warn of High-Impact Sophisticated Ransomware

A surge in “sophisticated, high-impact” ransomware attacks has prompted the US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber ​​Security Center (NCSC) and the Cyber ​​Security Center Australia to publish a joint opinion on the techniques used. used by cybercriminals to attack businesses and organizations.

Reacting to ransomware attacks on a wide range of industry sectors – including defense, financial services, IT, healthcare, education, energy, charities and local government, the agencies are warning that Ransomware tactics and techniques have “continued to evolve in 2021”.

In the joint bulletin, the agencies say that ransomware threat actors are demonstrating “increasing technological sophistication” that represents an “increased ransomware threat to organizations around the world.”

According to cybersecurity authorities in the US, UK and Australia, the top three initial infection vectors for ransomware incidents in 2021 were:

  • Phishing emails
  • Exploitation of Remote Desktop Protocol (RDP) via stolen credentials or brute force
  • Exploitation of software vulnerabilities

Once an attacker gains the ability to enter a network or execute code on a device, ransomware is often deployed. Unfortunately, these infection vectors are likely to remain popular due to the increased level of remote working, which has widened the remote attack surface and – in the words of the report – “left network defenders struggling to keep pace with routine software patches”.

Additionally, the ransomware industry has become increasingly professional in 2021, with the increased use of Ransomware-as-a-Service (RaaS) operations, some of which even offer 24/7 support to victims. in order to expedite the payment of ransoms.

And, as is well documented, companies have been encouraged to open their wallets by attackers threatening to release stolen sensitive data if demands are not met.

CISA, NCSC and the Australian Cyber ​​Security Center believe that as the ransomware business model continues to generate significant financial returns, attacks will become more frequent. At the same time, the use of the RaaS model has made it more difficult to conclusively identify the cybercriminals behind a particular attack, as there can be a complex network of developers, freelancers and affiliates at work. .

Interestingly, authorities in the US and Australia say they have seen a move away from ransomware gangs targeting larger organizations such as Colonial Pipeline and JBS Foods in favor of mid-size victims. This may be the result of actions taken by US authorities in mid-2021 to disrupt the activities of ransomware operators involved in the high-profile attacks.

Despite some law enforcement successes, the overall picture painted by the advisory is bleak, with ransomware groups increasing their impact in 2021 by:

  • Target poorly protected cloud infrastructure to steal data, encrypt information and, in some cases, deny access to backup systems.
  • Target Managed Service Providers (MSPs), impacting all of an MSP’s customers at once.
  • Attack industrial processes by affecting connected business systems or developing code to interfere with critical infrastructure.
  • Attacking the software supply chain and using it as a method to gain access to multiple victims through a single initial compromise.
  • Target organizations on holidays and weekends, where they might have more impact and there are fewer IT support staff in place to handle emergencies.

For more information and advice on how to mitigate ransomware threats, be sure to read the Joint Cybersecurity Advisory published by CISA, NCSC and the Australian Cyber ​​Security Center.

Editor’s note: The views expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.

Ashley C. Reynolds