Cybersecurity authorities in the US, UK, and Australia authored a joint Cybersecurity Advisory whitepaper that reports on the evolution of ransomware tactics and techniques in 2021, revealing threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.
Their observations provide useful insight into behavioral trends and include recommendations to help reduce the risk of compromise. Read the full report.
Here are some notable highlights:
Observations & Trends
- Phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents, likely because the increase in remote work and schooling expanded the exposed attack surface.
- The ransomware services-for-hire market is becoming increasingly “professional”: some groups offer their victims a 24/7 help center to expedite ransom payment.
- Victim information is being shared between ransomware groups, diversifying the threat to targeted organizations.
- Threat actors are redirecting efforts away from “big game” organizations and toward mid-sized victims to reduce scrutiny.
- Increased use of “triple extortion” by ransomware threat actors: 1) threatening to publicly release stolen sensitive data, 2) disrupting the victim’s internet access, and/or 3) informing the victim’s partners, shareholders, or suppliers about the incident.
- As long as the ransomware business model continues to yield financial returns, incidents are bound to become more frequent: every payment confirms the viability and financial attractiveness of the criminal business model.
- Ransomware threat actors are targeting cloud infrastructure, exploiting known vulnerabilities to gain direct access.
- They are targeting managed service providers (MSPs), gaining access to multiple victims through a single initial compromise.
- They are attacking software supply chains, again reaching multiple victims through a single initial compromise and so increasing the scale of their attacks.
- They are conducting increasingly impactful attacks against U.S. entities on holidays and weekends, when fewer network defenders and IT support personnel are on duty at victim organizations.
Authorities strongly discourage victims from paying ransoms, as payment may encourage adversaries to target (or re-target) additional organizations and continue distributing ransomware.
Recommendations
- Automate software security scanning and testing where possible, and take advantage of vendor-provided virtualization and security capabilities.
- Train users and raise awareness about phishing emails, visiting suspicious websites, and clicking unknown links and attachments.
- Require multi-factor authentication (MFA) for as many services as possible, especially for accounts that access critical systems or manage backups.
- Require all accounts to have strong, unique passwords that are not reused across accounts or stored where an adversary could read them.
- Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
- Segment networks to restrict traffic flows and contain adversary lateral movement.
- Identify, detect, and investigate abnormal activity with a network-monitoring tool.
- Implement time-based access for privileged accounts and minimize unnecessary privileges for services and software.
- Maintain offline backups of data, and regularly test backup and restore procedures.
- Collect and monitor telemetry from cloud environments, including network, identity, and application telemetry.
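The holiday-and-weekend timing noted in the observations and the recommendations to monitor telemetry, detect abnormal activity, and limit privileged accounts to time-based access all reduce to checks a defender can run over logon telemetry. The following Python script is an added example, not part of the advisory or of this page: it walks constructed Windows Security log records (Event ID 4624 for a successful logon, 4625 for a failed one, logon type 10 for RDP) and flags RDP logons from outside the internal address space, privileged-account logons outside assumed business hours or on an assumed holiday, and a success that follows a burst of failures from the same source. The account names, network ranges, hours, holiday calendar, and the event lines themselves are assumptions made for the demo.

```python
from collections import defaultdict
from datetime import date, datetime
from ipaddress import ip_address, ip_network

# Assumed policy for this demo; adjust to the organization's real values.
BUSINESS_HOURS = (8, 18)                       # admin RDP expected between 08:00 and 18:00 local
HOLIDAYS = {date(2021, 12, 25)}                # assumed holiday calendar
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
PRIVILEGED = {"admin", "backup-svc"}           # assumed privileged / backup accounts
BRUTE_FORCE_THRESHOLD = 5                      # failures before a following success is suspicious

# Constructed log lines in a simplified key=value rendering of Windows Security events.
# EventID 4624 = successful logon, 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    "2021-12-21T10:05:00 EventID=4624 LogonType=10 User=jsmith SrcIP=10.1.2.3",
    "2021-12-21T10:06:00 EventID=4624 LogonType=2 User=jsmith SrcIP=10.1.2.3",
    "2021-12-25T03:10:00 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7",
    "2021-12-25T03:11:00 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7",
    "2021-12-25T03:12:00 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7",
    "2021-12-25T03:13:00 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7",
    "2021-12-25T03:14:00 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7",
    "2021-12-25T03:15:00 EventID=4624 LogonType=10 User=admin SrcIP=203.0.113.7",
    "2021-12-26T02:00:00 EventID=4624 LogonType=10 User=backup-svc SrcIP=192.168.5.9",
]


def is_internal(ip: str) -> bool:
    """True when the source address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def off_hours(ts: datetime) -> bool:
    """Weekend, assumed holiday, or outside the assumed business-hours window."""
    if ts.weekday() >= 5 or ts.date() in HOLIDAYS:
        return True
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def parse_event(line: str) -> dict:
    """Parse one constructed 'ISO-timestamp key=value ...' record into a dict."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def analyze(lines):
    """Return a list of (timestamp, user, reason) findings for suspicious RDP logons."""
    findings = []
    failures = defaultdict(int)   # (user, source IP) -> failed RDP attempts since last success
    for line in lines:
        ev = parse_event(line)
        if ev.get("LogonType") != "10":      # only RDP sessions are of interest here
            continue
        key = (ev["User"], ev["SrcIP"])
        if ev["EventID"] == "4625":
            failures[key] += 1
            continue
        if ev["EventID"] != "4624":
            continue
        reasons = []
        if not is_internal(ev["SrcIP"]):
            reasons.append("rdp-from-external")
        if ev["User"] in PRIVILEGED and off_hours(ev["ts"]):
            reasons.append("privileged-off-hours")
        if failures[key] >= BRUTE_FORCE_THRESHOLD:
            reasons.append(f"success-after-{failures[key]}-failures")
        failures[key] = 0                    # a success resets the failure counter
        findings.extend((ev["ts"], ev["User"], r) for r in reasons)
    return findings


if __name__ == "__main__":
    for ts, user, reason in analyze(SAMPLE_EVENTS):
        print(ts.isoformat(), user, reason)
```

Run against the sample, the script reports three findings for the external, off-hours `admin` logon that follows five failures, and one for the `backup-svc` logon on a Sunday night; the weekday, internal, business-hours logon produces nothing. In production the same logic would consume events from a SIEM or Windows Event Forwarding rather than a list of strings, and the time-of-day test needs the host's local time zone and the organization's real holiday calendar to avoid false positives.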