The Evolution of Ransomware
Over the last year, cyber marauders perpetrated more complex and impactful ransomware attacks on a global scale. These attacks targeted critical infrastructure organizations, and in the United States, impacted 14 of 16 critical sectors, including defense, emergency services, food and agriculture, governmental facilities and information technology, according to a new advisory from the Cybersecurity and Infrastructure Security Agency (CISA).
The agency created the joint study based on reports from the FBI, the National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC-UK) and CISA itself.
In Australia, ransomware attackers targeted the medical, financial services and markets, higher education and research, and the energy sectors, while in the United Kingdom, education was one of the top sectors targeted, followed by the business, charity, legal and public service sectors.
“Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally,” according to the report, 2021 Trends Show Increased Globalized Threat of Ransomware.
To reduce the risk of compromise by ransomware, the agencies advised network defenders to:
• Update operating systems and software;
• Implement user training and awareness of phishing practices to increase knowledge about the risk of suspicious links and attachments;
• Secure and monitor the use of Remote Desktop Protocol (RDP);
• Create an offline backup of data; and
• Use multifactor authentication.
In 2021, cyber criminals most commonly gained access to networks through phishing emails, stolen RDP credentials or brute force, and exploitation of software vulnerabilities; once they had network access or code execution, they deployed ransomware.
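The advisory's "secure and monitor RDP" recommendation and its observation that stolen or brute-forced RDP credentials were a leading initial access vector can be turned into a concrete detection. The script below is an added example, not code from the advisory or this article: it runs a sliding-window check over constructed Windows Security log records (event 4625 failed logon, 4624 successful logon, logon type 10 for RemoteInteractive/RDP) and flags a source address that produces a burst of failed RDP logons, especially when a successful logon follows the burst. The line format, the threshold of five failures and the five-minute window are assumptions for the example, not values from the advisory.

```python
"""
Added example (not from the CISA advisory or the article): flag RDP
credential brute-force patterns in Windows Security event records.

Real identifiers used: event 4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive (RDP). The single-line record format and
the sample records themselves are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive; console logons (type 2) are ignored here

# Constructed records: "<ISO timestamp> <event_id> <logon_type> <source_ip> <user>"
SAMPLE_LINES = [
    # Burst of RDP failures from one address trying several accounts, then success
    "2021-06-01T02:00:00 4625 10 203.0.113.7 administrator",
    "2021-06-01T02:00:10 4625 10 203.0.113.7 admin",
    "2021-06-01T02:00:20 4625 10 203.0.113.7 backup",
    "2021-06-01T02:00:30 4625 10 203.0.113.7 guest",
    "2021-06-01T02:00:40 4625 10 203.0.113.7 svc_rdp",
    "2021-06-01T02:00:50 4625 10 203.0.113.7 jsmith",
    "2021-06-01T02:01:10 4624 10 203.0.113.7 jsmith",
    # Same user mistypes a password twice, then logs in: benign
    "2021-06-01T04:00:00 4625 10 198.51.100.4 bwong",
    "2021-06-01T04:00:30 4625 10 198.51.100.4 bwong",
    "2021-06-01T04:00:45 4624 10 198.51.100.4 bwong",
    # Five failures spread over 40 minutes: never five inside one 5-minute window
    "2021-06-01T03:00:00 4625 10 192.0.2.9 root",
    "2021-06-01T03:10:00 4625 10 192.0.2.9 root",
    "2021-06-01T03:20:00 4625 10 192.0.2.9 root",
    "2021-06-01T03:30:00 4625 10 192.0.2.9 root",
    "2021-06-01T03:40:00 4625 10 192.0.2.9 root",
    # Console (type 2) failures are out of scope for an RDP detector
    "2021-06-01T05:00:00 4625 2 10.0.0.5 administrator",
    "2021-06-01T05:00:01 4625 2 10.0.0.5 administrator",
    "2021-06-01T05:00:02 4625 2 10.0.0.5 administrator",
    "2021-06-01T05:00:03 4625 2 10.0.0.5 administrator",
    "2021-06-01T05:00:04 4625 2 10.0.0.5 administrator",
    "2021-06-01T05:00:05 4625 2 10.0.0.5 administrator",
]


def parse_event(line):
    """Parse one constructed record into a dict with typed fields."""
    ts, event_id, logon_type, src, user = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src": src,
        "user": user,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP
    logons inside any rolling window, noting a success that follows the burst."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["time"])
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    users_tried = defaultdict(set)        # src -> accounts attempted
    alerts = {}
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = ev["src"]
        q = recent_failures[src]
        # Slide the window: discard failures older than `window`
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if ev["event_id"] == FAILED_LOGON:
            q.append(ev["time"])
            users_tried[src].add(ev["user"])
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "failures_in_window": 0,
                    "users_tried": set(),
                    "success_after_burst": False,
                })
                alert["failures_in_window"] = max(alert["failures_in_window"], len(q))
                alert["users_tried"] = set(users_tried[src])
        elif ev["event_id"] == SUCCESS_LOGON and len(q) >= threshold:
            # A successful RDP logon right after a failure burst is the
            # highest-priority signal: a guessed credential likely worked
            alert = alerts.setdefault(src, {
                "failures_in_window": len(q),
                "users_tried": set(users_tried[src]),
                "success_after_burst": False,
            })
            alert["success_after_burst"] = True
            alert["account_logged_in"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_LINES).items():
        print(src, alert)
```

In practice the same logic would consume events exported from the Security log (for example via a SIEM or Windows Event Forwarding) rather than the constructed lines above; the useful design point is that the detector keys on source address and logon type, so password-spraying across many accounts from one host is caught even though no single account exceeds a lockout threshold.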
“These infection vectors likely remain popular because of the increased use of remote work and schooling starting in 2020 and continuing through 2021,” the agencies advised. “This increase expanded the remote attack surface and left network defenders struggling to keep pace with routine software patching.”
Adversaries increasingly relied on criminal services-for-hire as demand for ransomware capabilities grew, and in 2021 the ransomware economy became "professional."
“The criminal business model of ransomware is now well established,” the report stated. “In addition to their increased use of ransomware-as-a-service, ransomware threat actors employed independent services to negotiate payments, assist victims with making payments and arbitrate payment disputes between themselves and other cyber criminals. NCSC-UK observed that some ransomware threat actors offered their victims the services of a 24/7 help center to expedite ransom payment and restoration of encrypted systems or data.”
The agencies again recommended against paying ransoms, saying that payment perpetuates the market value of ransomware.
“Cybersecurity authorities in the United States, Australia and the United Kingdom assess that if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent,” the study advised. “Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model.”
The agencies acknowledged that identification and attribution of perpetrators was more difficult given the evolving criminal business model in a complex network of developers, affiliates and freelancers. “It is often difficult to identify conclusively the actors behind a ransomware incident,” they said.
Moreover, cyber criminals are increasingly sharing information about victims, which enables follow-on attacks from other adversaries. “Eurasian ransomware groups have shared victim information with each other, diversifying the threat to targeted organizations,” the report indicated. “For example, after announcing its shutdown, the BlackMatter ransomware group transferred its existing victims to infrastructure owned by another group, known as LockBit 2.0.”
The agencies did see a move away from some high-value targets in the United States last year, following inroads from cyber and law enforcement agencies against ransomware attacks. “In the first half of 2021, cybersecurity authorities in the United States and Australia observed ransomware threat actors targeting "big game" organizations—i.e., perceived high-value organizations and/or those that provide critical services—in several high-profile incidents, including Colonial Pipeline Company, JBS Foods and Kaseya Limited,” the report stated. “However, ransomware groups suffered disruptions from U.S. authorities in mid-2021. Subsequently, the FBI observed some ransomware threat actors redirecting ransomware efforts away from "big-game" and toward midsized victims to reduce scrutiny.”
In Australia, however, the ACSC sees ransomware continuing to focus on Australian organizations of all sizes, including critical services and the “big game” targets. Similarly, in the United Kingdom, the NCSC-UK observed ransomware attacks against organizations of all sizes throughout the year, with some “big game” victims.
The agencies also found that attackers diversified their approaches to leveraging payouts by using “triple extortion,” threatening to publicly release stolen sensitive information, disrupt the victim’s Internet access and/or inform the victim’s partners, shareholders or suppliers about the incident.
In addition, ransomware attackers are increasingly targeting cloud infrastructure to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software.
For more details on attack methods and how to mount protections, see the report as published by CISA.