Next to supply chain attacks, ransomware was - once again- a major theme in 2021. Of course, ransomware is not a new problem. The ransomware threat grew steadily for much of the past decade. If anything, the prevalence of ransomware attacks declined this year. Data from the firm Sophos, for example, showed that 37% of the 5,400 firms it surveyed were hit by ransomware in 2021, compared with 51% in 2020 and 54% in 2017. But the visibility and repercussions of ransomware attacks reached new heights. It is a year during which cybercriminal and nation state groups refined their methods, explored new lines of business and showed a willingness to target even the most sensitive firms and infrastructure.
From gas to grain: Critical systems in the crosshairs
No incident underscored that shift more than the attack on Colonial Pipeline, which manages the major oil pipeline network supplying the U.S. East Coast. The ransomware attack on the company’s infrastructure, attributed to a ransomware gang known as Darkside, began in June. It hinged on hacked credentials to a virtual private network (VPN) account used to remotely access Colonial’s network. The hack ultimately took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast, as Bloomberg reported at the time.
The agriculture sector also found itself in the crosshairs of ransomware groups this year. In June, for example, meat processor JBS paid $11 million in ransom to regain control of its environment following an attack attributed to the ransomware gang REvil. A September attack by the group Blackmatter targeted the New Cooperative, a major grain cooperative in Iowa, which is a key participant in the nation’s food supply chain.
Then, in July, a ransomware attack on the firm Kaseya sent a shot across the bow for the world's small businesses. The REvil gang's ransomware attack on the firm, therefore, was a direct attack not just on the thousands of MSPs that use Kaseya’s platforms, but on the tens of thousands of small businesses that rely on those MSPs. In the wake of the Kaseya attack, in fact, U.S. President Joe Biden inferred that the company’s RMM (Remote Monitoring and Management) software was critical infrastructure. It was more proof that IT infrastructure is increasingly viewed in the same light as bridges, roads, water treatment plants and power lines.
The gloves come off
The willingness to target critical infrastructure marked an escalation of the ransomware problem. But attacks during 2021 also made clear that ransomware gangs had no compunction about sowing chaos and disruption in pursuit of a payoff, no matter the cost to public safety or public health. In recent years, for example, some ransomware groups had sworn off attacks on critical infrastructure like medical facilities. Despite those early assurances, ransomware attacks on medical facilities have been commonplace, even in the midst of a global pandemic.
If anything, the pain felt by disruptions caused by ransomware attacks increased during the pandemic as both nation state and cyber criminal groups pursued targets with national security and strategic implications, all the while setting the stage for big payouts. These attacks prompted no fewer than five separate alerts from the Cybersecurity and Infrastructure Security Agency (CISA) in 2021 related to threats to infrastructure and assets by ransomware actors like Darkside, Conti and Blackmatter.
Going vertical: Data theft increasingly common
The embrace by cybercriminal groups of so-called “double extortion” rackets (essentially: data theft alongside data encryption) is another clear trend in 2021. We observed in a recent blog post that many ransomware outfits have added code to their toolset in the past year that facilitates data exfiltration.
Betting on coordinated response, better detection in 2022
We should not expect the scourge of ransomware to miraculously disappear in 2022. However, there is some cause for optimism that ransomware groups will operate with less impunity in the New Year.
First, governments around the world are embracing active measures to respond to the threat posed by ransomware, after years in which governments took a “hands off” approach and looked to the private sector for leadership. In June, for example, the Justice Department seized $2.3 million in cryptocurrency paid to affiliates of the Darkside ransomware group, which is believed to have carried out the cyber attack on the Colonial gas pipeline. Then, in November, the Justice Department and the FBI said they had arrested Yaroslav Vasinskyi (aka “Rabotnik”), a reputed author of the REvil ransomware. (Check out ReversingLabs webinar Reviewing the REvil Ransomware Timeline to Secure the Future to learn more about how the REvil group operates and how to protect your organization from similar attacks.)
The Justice Department is also going after ransomware gangs’ ill gotten gain via crackdowns on cryptocurrency exchanges that facilitate payments. The Department announced a $10 million bounty to anyone offering information about the leader of the REvil/Sodinokibi group as part of its Transnational Organized Crime Rewards Program. The Biden Administration’s Counter Ransomware Initiative (CRI) is focusing on improving cross-border and diplomatic coordination on network resilience, money laundering via virtual currencies, criminal investigations and prosecution.
In the meantime, private sector firms today get more timely and pointed guidance from the federal government in countering ransomware attacks. CISA’s alerts about threats to IT assets like vulnerable, legacy Accellion File Transfer Appliances, or the agency’s guidance on how to protect against attacks from groups like Darkside are recent examples of this.
Organizations need to improve their ability to withstand and recover from attacks as well. As we’ve written: making better use of both internal and third party threat intelligence to understand adversaries’ methods can narrow the window of compromise. An example: the presence of platforms like Cobalt Strike can signal that a ransomware group is at an advanced stage of compromise, necessitating rapid response and mitigation. (Our webinar You’ve found Cobalt Strike on your network. Is it Being Weaponized? walks you through the process of identifying ransomware attack stages and methods to analyze and IOCs before Cobalt Strike becomes a ransomware infection.)
Organizations also need to build the capacity to model threats and evaluate their defenses in light of likely attacks. ReversingLabs is helping our customers with this problem. Our Threat Intelligence feed for ransomware uses advanced static and dynamic analysis engines to generate both network and file indicator lists. Those indicators are matched to standardized MITRE ATT&CK tags to streamline threat modeling and provide a more complete picture of cyber risk across an organization.
Security engineers use these threat models to determine if there are needed detection methods missing or misconfigured within their organization. They can also signal what additional logs would be beneficial to collect or create, or if existing prevention and blocking rules are aligned with threats, or outdated and in need of tweaking or replacement.
Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat ransomware. You can use the button below to schedule a meeting!