Cybersecurity authorities from Australia, the U.K., and the U.S.
have published a joint advisory warning of an increase in
sophisticated, high-impact ransomware attacks targeting critical
infrastructure organizations across the world in 2021.
The incidents singled out a broad range of sectors, including
defense, emergency services, agriculture, government facilities,
IT, healthcare, financial services, education, energy, charities,
legal institutions, and public services.
“Ransomware tactics and techniques continued to evolve in 2021,
which demonstrates ransomware threat actors’ growing technological
sophistication and an increased ransomware threat to organizations
globally,” the agencies said[1]
in the joint bulletin[2].
Spear-phishing, stolen or brute-forced Remote Desktop Protocol
(RDP) credentials, and exploitation of software flaws emerged as
the top three initial infection vectors that were used to deploy
ransomware on compromised networks, even as the criminal business
model morphed into a “professional” market dominated by different
groups of players to gain initial access, negotiate payments, and
settle payment disputes.
But in a noticeable shift in the wake of highly-publicized
attacks on Colonial Pipeline[3], JBS[4], and Kaseya[5]
last year, ransomware actors pivoted away from “big-game” hunting
in the U.S. in the second half of 2021 to focus on mid-sized
victims and evade scrutiny from law enforcement.
“After encrypting victim networks, ransomware threat actors
increasingly used ‘triple extortion’ by threatening to (1) publicly
release stolen sensitive information, (2) disrupt the victim’s
internet access, and/or (3) inform the victim’s partners,
shareholders, or suppliers about the incident,” the agencies
said.
According to a new report[6]
published by Syhunt this week, over 150 terabytes of data has been
stolen from victim organizations by ransomware groups from January
2019 up to January 2022, with REvil alone accounting for 44.1TB of
the total stolen information the group siphoned from 282
victims.
Among other tactics embraced by ransomware groups to maximize
impact include striking cloud infrastructures to exploit known
weaknesses, breaching managed service providers (MSPs) to access
multiple victims through one initial compromise, deploying code
designed to sabotage industrial processes, poisoning the software
supply chain, and conducting attacks during holidays and
weekends.
To mitigate and reduce the likelihood and impact of ransomware
attacks, organizations are being urged to —
- Keep all operating systems and software up to date,
- Limit access to resources over internal networks, especially by
restricting RDP and using virtual desktop infrastructure, - Raise awareness among users about the risks of phishing,
- Mandate strong, unique passwords and multi-factor
authentication to protect accounts from takeover attacks, - Encrypt data in the cloud,
- Implement network segmentation,
- Disable unnecessary command-line utilities, and restrict
scripting activities and permissions, - Enforce time-based access for privileged accounts, and
- Maintain offline (i.e., physically disconnected) backups of
data
“Criminal activity is motivated by financial gain, so paying a
ransom may embolden adversaries to target additional organizations
or encourage cyber criminals to engage in the distribution of
ransomware,” the agencies cautioned. “Paying the ransom also does
not guarantee that a victim’s files will be recovered.
Additionally, reducing the financial gain of ransomware threat
actors will help disrupt the ransomware criminal business
model.”
References
- ^
said
(www.cisa.gov) - ^
joint
bulletin (www.ncsc.gov.uk) - ^
Colonial
Pipeline (thehackernews.com) - ^
JBS
(thehackernews.com) - ^
Kaseya
(thehackernews.com) - ^
new
report (www.syhunt.com)
Read more https://thehackernews.com/2022/02/cisa-fbi-nsa-issue-advisory-on-severe.html
