Weekend attacks and assaults on the software supply chain mark evolving TTPs
An increase in “sophisticated, high-impact” ransomware incidents is posing a growing threat to critical infrastructure organisations, western government agencies warn.
The UK’s National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Cyber Security Centre published a joint advisory (PDF) on Wednesday that highlighted the evolution of techniques deployed by cybercriminals and the growing maturity of the ransomware-as-a-service business model.
Attackers have long used a combination of phishing, stolen Remote Desktop Protocol (RDP) credentials, and vulnerabilities to plant file-encrypting ransomware and demand payment in exchange for decryption keys.
More recently, cybercriminals have threatened to leak sensitive information if ransom demands are not met. Other tactics include targeting organizations during weekends and holidays, when guards may be lower and response times slower.
In their advisory, the agencies report that ransomware peddlers have begun sharing victim information with each other, diversifying the threat to targeted organizations:
For example, after announcing its shutdown, the BlackMatter ransomware group transferred its existing victims to infrastructure owned by another group, known as Lockbit 2.0. In October 2021, Conti ransomware actors began selling access to victims’ networks, enabling follow-on attacks by other cyber threat actors.
Ransomware groups have increased their impact by targeting managed service and cloud infrastructure providers, according to the NCSC and other members of the Five Eyes intel sharing alliance.
“Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software,” according to the joint advisory.
“Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data.”
Ransomware groups suffered disruptions from US authorities in mid-2021. As a result, miscreants are redirecting ransomware efforts away from “big-game” and toward mid-sized victims, particularly in the US.
This shift in emphasis spells trouble for mid-range organizations, industry experts warned.
Chris Boyd, senior threat researcher at Malwarebytes, commented: “The shift away from so-called ‘big-game’ targets to smaller entities because of generating too much heat from major ransomware outbreaks could spell trouble for SMEs, as ransomware groups redouble their efforts on organizations which may not have the security budget to withstand sustained, aggressive attacks.”
“Much of what’s in the CISA’s report reads as a continuation of attacks from recent years, with a focus on stolen RDP credentials and phishing to gain a foothold in the network as well as targeting MSPs to potentially compromise several targets at once,” Boyd added.
UK and Australian organizations reported that enterprises of all sizes continue to be targeted with ransomware attacks.
Industry representatives told The Daily Swig that Hive, Sodinokibi (AKA REvil), Conti, Phobos, and Khonsari are among the most common ransomware strains by volume at present.
“In terms of volume/in-field submissions these are the top five, but bear in mind some of the big game hunters will not have the volume,” Raj Samani, chief scientist at Trellix, explained.
In their joint advisory, intel agencies offer guidance on preventing attacks. This includes segmenting networks, making regular backups, patching, network monitoring, and tightening authentication controls, among other security enhancements.
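As an added illustration of the network monitoring the advisory recommends, applied to the stolen-RDP-credential and weekend/holiday tactics described earlier in this article, the following detection routine flags successful RDP logons that happen outside business hours or that directly follow a burst of failed attempts from the same source. This is example code written for this page, not code from the advisory, CISA, the NCSC, or The Daily Swig. It assumes a simplified, constructed log format (`timestamp,event_id,logon_type,user,src_ip`) rather than real Windows event XML; the Windows Security event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real, while the business-hours window, the failure threshold, and all sample records are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log in the hypothetical "timestamp,event_id,logon_type,user,src_ip"
# format assumed by this example. 2021-11-06 is a Saturday; 2021-11-08 is a Monday.
SAMPLE_LOG = """\
2021-11-06T02:14:09,4625,10,jsmith,203.0.113.7
2021-11-06T02:14:21,4625,10,jsmith,203.0.113.7
2021-11-06T02:14:33,4625,10,jsmith,203.0.113.7
2021-11-06T02:14:47,4624,10,jsmith,203.0.113.7
2021-11-08T09:30:00,4624,10,acarter,10.0.0.25
2021-11-08T23:45:12,4624,10,svc_backup,198.51.100.4
2021-11-09T14:02:55,4624,2,acarter,10.0.0.25
"""

RDP_LOGON_TYPE = 10      # Windows logon type 10 = RemoteInteractive (RDP)
EVENT_LOGON_OK = 4624    # Windows Security event: an account was successfully logged on
EVENT_LOGON_FAIL = 4625  # Windows Security event: an account failed to log on


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    user: str
    src_ip: str


def parse_line(line: str) -> Optional[LogonEvent]:
    """Parse one record of the assumed CSV-style format; return None for blank or malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    try:
        return LogonEvent(
            when=datetime.fromisoformat(parts[0]),
            event_id=int(parts[1]),
            logon_type=int(parts[2]),
            user=parts[3],
            src_ip=parts[4],
        )
    except ValueError:
        return None


def parse_log(text: str) -> List[LogonEvent]:
    """Parse a whole log, silently skipping lines that do not fit the assumed format."""
    events = (parse_line(line) for line in text.splitlines())
    return [ev for ev in events if ev is not None]


def is_off_hours(when: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """True on weekends or outside the assumed 08:00-18:00 business window (local time)."""
    return when.weekday() >= 5 or not (start_hour <= when.hour < end_hour)


def flag_rdp_logons(
    events: List[LogonEvent],
    fail_threshold: int = 3,
    window: timedelta = timedelta(minutes=5),
) -> List[Tuple[LogonEvent, List[str]]]:
    """Return (event, reasons) for each successful RDP logon worth a second look.

    Two signals are combined: an off-hours success, and a success arriving
    within `window` of at least `fail_threshold` failures from the same
    (user, source IP) pair, which is what credential guessing or replay of a
    partially wrong stolen credential tends to look like in the log.
    """
    alerts: List[Tuple[LogonEvent, List[str]]] = []
    recent_failures: Dict[Tuple[str, str], List[datetime]] = {}

    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue  # interactive/console and service logons are out of scope here
        key = (ev.user, ev.src_ip)

        if ev.event_id == EVENT_LOGON_FAIL:
            fails = recent_failures.setdefault(key, [])
            fails.append(ev.when)
            # Drop failures that have aged out of the window.
            recent_failures[key] = [t for t in fails if ev.when - t <= window]
            continue
        if ev.event_id != EVENT_LOGON_OK:
            continue

        reasons: List[str] = []
        if is_off_hours(ev.when):
            reasons.append("off-hours RDP logon")
        fails = [t for t in recent_failures.get(key, []) if ev.when - t <= window]
        if len(fails) >= fail_threshold:
            reasons.append(f"success after {len(fails)} failures")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for ev, reasons in flag_rdp_logons(parse_log(SAMPLE_LOG)):
        print(f"{ev.when.isoformat()} {ev.user}@{ev.src_ip}: {'; '.join(reasons)}")
```

Run as-is, the script reports two of the six RDP events: the Saturday 02:14 success for `jsmith` (both off-hours and preceded by three failures) and the Monday 23:45 success for `svc_backup` (off-hours only). The Monday 09:30 logon and the type-2 console logon produce nothing. In practice the business-hours window would be per-site and the threshold tuned to local noise, but the structure, keyed failure counters plus a time-of-day check on successes, is what lets a small team act on the weekend-timing pattern the advisory calls out rather than discovering it on Monday morning.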