A joint security advisory has been issued by cybersecurity agencies in the United States, United Kingdom, and Australia, warning of the increasing, globalized threat of ransomware attacks and the elevated risk of targeted attacks on critical infrastructure entities.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have observed high-impact ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021, including government facilities, financial services, transportation systems, water and wastewater systems, energy, and healthcare and public health.
The UK’s National Cyber Security Centre (NCSC-UK) says ransomware is now the biggest cyber threat faced by the country, with education the most targeted sector. There has also been an increase in attacks on businesses, charities, law firms, local government public services, and the healthcare sector. The Australian Cyber Security Centre (ACSC) says ransomware gangs are targeting critical infrastructure sectors including healthcare and medical, financial services and markets, higher education and research, and energy.
In the cybersecurity advisory, CISA, the FBI, and the NSA share information about the trends observed in 2021 ransomware attacks and the tactics, techniques, and procedures ransomware gangs are known to use to gain access to networks, move laterally, and increase the impact of their attacks. The advisory also suggests mitigations that can reduce both the likelihood of a ransomware attack succeeding and the impact of an attack that does succeed.
2021 Ransomware Attack Trends
In the United States, the first half of 2021 saw ransomware gangs go after ‘big game’ targets such as Colonial Pipeline, Kaseya, and JBS Foods. The increased scrutiny on ransomware gangs following these attacks saw them shift their focus to mid-sized targets, although big game targeting continued throughout 2021 in the United States and Australia.
In Europe, ransomware gangs have been sharing victim information with other ransomware operations and cybercriminal groups. The BlackMatter ransomware operation shut down and transferred its existing victims to the LockBit 2.0 infrastructure, and the Conti ransomware gang is known to have sold access to victims’ networks to other cybercriminal groups.
While double extortion tactics have become the norm, 2021 saw an increase in triple extortion attacks where, in addition to encrypting files, the attackers exfiltrate data and demand payment to prevent its publication, disrupt the victim’s Internet access, and threaten to inform partners, shareholders, and suppliers about the attack.
Methods Used to Gain Access to Victims’ Networks
CISA, the FBI, and the NSA say ransomware gangs have increasingly sophisticated technological infrastructure and that the ransomware threat is increasing globally. Ransomware gangs use many methods to gain access to networks, which makes implementing defensive measures to block the attacks a major challenge.
Initial access to networks is gained through phishing attacks to obtain credentials, the use of stolen Remote Desktop Protocol (RDP) credentials, brute force attacks to guess weak credentials, and the exploitation of known vulnerabilities that have yet to be patched. CISA has identified several new vulnerabilities that are being actively targeted by ransomware gangs and has added them to its Known Exploited Vulnerabilities Catalog, which now lists 368 vulnerabilities. These attack vectors have proven successful because remote working and schooling during the pandemic expanded the attack surface and made it difficult for IT security teams to patch vulnerabilities and address security weaknesses while supporting their remote workers and learners.
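Of the access methods listed above, brute-forced or stolen RDP credentials leave a distinctive trail in Windows Security logs: a burst of failed logons (event 4625) from one source, then a successful logon (event 4624) from the same source. The detector below is an added example, not part of the advisory or this article. It assumes a simplified, constructed one-line-per-event rendering of those fields (timestamp, event ID, LogonType, Src, User); a real deployment would pull the same fields from the event log or a SIEM rather than from this text format, and the thresholds are illustrative.

```python
"""Detect an RDP credential brute-force burst followed by a successful logon.

Added example; assumes a simplified, constructed line format:
    <ISO timestamp> <EventID> LogonType=<n> Src=<ip> User=<name>
EventID 4625 = failed logon, 4624 = successful logon.
LogonType 10 = RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers privileged accounts over RDP and
# then gets in; a second source makes a single ordinary typo; a third is a
# local (LogonType 2) failure that should be ignored by an RDP detector.
SAMPLE_LOG = """\
2021-11-06T02:14:03Z 4625 LogonType=10 Src=203.0.113.45 User=admin
2021-11-06T02:14:05Z 4625 LogonType=10 Src=203.0.113.45 User=admin
2021-11-06T02:14:06Z 4625 LogonType=10 Src=203.0.113.45 User=administrator
2021-11-06T02:14:08Z 4625 LogonType=10 Src=203.0.113.45 User=admin
2021-11-06T02:14:09Z 4625 LogonType=10 Src=203.0.113.45 User=backup
2021-11-06T02:14:11Z 4625 LogonType=10 Src=203.0.113.45 User=admin
2021-11-06T02:15:40Z 4624 LogonType=10 Src=203.0.113.45 User=admin
2021-11-06T08:01:12Z 4625 LogonType=10 Src=198.51.100.7 User=jsmith
2021-11-06T08:01:30Z 4624 LogonType=10 Src=198.51.100.7 User=jsmith
2021-11-06T09:00:00Z 4625 LogonType=2 Src=10.0.0.12 User=jsmith
"""


def parse_event(line):
    """Split one constructed log line into typed fields."""
    ts, event_id, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(fields["LogonType"]),
        "src": fields["Src"],
        "user": fields["User"],
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that reaches `threshold` failed RDP
    logons inside a sliding `window`. If that IP then logs in successfully
    within `window` of its first failure, the alert records the account used,
    which is the guessed-credential case defenders most need to act on."""
    failures = defaultdict(deque)   # src -> timestamps of recent 4625 events
    alerts = {}                     # src -> alert dict (insertion ordered)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] != 10:          # only RemoteInteractive logons
            continue
        src = ev["src"]
        recent = failures[src]
        # Drop failures that fell out of the sliding window.
        while recent and recent[0] < ev["time"] - window:
            recent.popleft()
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            alert = alerts.get(src)
            if alert is not None:
                alert["failures"] += 1
            elif len(recent) >= threshold:
                alerts[src] = {
                    "src": src,
                    "failures": len(recent),
                    "first_failure": recent[0],
                    "success_after": None,      # (user, time) if set
                }
        elif ev["event_id"] == 4624 and src in alerts:
            alert = alerts[src]
            if (alert["success_after"] is None
                    and ev["time"] - alert["first_failure"] <= window):
                alert["success_after"] = (ev["user"], ev["time"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        outcome = alert["success_after"]
        print(f"{alert['src']}: {alert['failures']} RDP failures since "
              f"{alert['first_failure']:%H:%M:%S}"
              + (f"; SUCCESS as {outcome[0]} at {outcome[1]:%H:%M:%S}"
                 if outcome else "; no success seen"))
```

A source that only trips the failure threshold is worth rate-limiting or blocking; a source that trips it and then logs in is an incident, since the attacker now holds a working credential. One caveat when porting this to real logs: with Network Level Authentication enabled, failed RDP attempts are commonly recorded with LogonType 3 (network) rather than 10, so a production rule should match on both types or on the RDP-related logon process fields rather than on type 10 alone.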
Ransomware gangs are now operating more like professional businesses and are increasingly outsourcing certain functions to specialist cybercriminal groups, who assist with payments, negotiations, arbitration, and provide 24/7 help centers for victims.
Increasing the Impact of Ransomware Attacks
2021 has seen an increase in the severity of ransomware attacks. The attacks are conducted to cause as much disruption as possible to increase the likelihood of the ransom being paid. Ransomware gangs are targeting cloud infrastructures and are exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. There has been an increase in attacks on managed service providers and their downstream clients, and industrial processes and the software supply chain are being targeted. Attacks are often conducted at the weekend or during holidays when there are likely to be fewer network defenders and support personnel on hand to identify and respond to attacks.
Defending Against Ransomware Attacks
The security advisory details a long list of mitigations to reduce the likelihood of a successful attack and the severity of an attack should perimeter defenses be breached, including limiting the ability of threat actors to learn about an organization’s IT environment and move laterally.