Ransomware Targeted 14 of 16 U.S. Critical Infrastructure Sectors in 2021
US, UK and Australia Warn of Increase in Sophisticated Ransomware Attacks
An increase in attack sophistication is proof of the growing threat that ransomware poses to all organizations, cybersecurity agencies from the United States, United Kingdom, and Australia said on Wednesday.
Over the past several years, ransomware has become the most prevalent threat to organizations in private and public sectors alike, including financial services, food and agriculture, government, healthcare, and other critical infrastructure industries.
In the U.S., ransomware attacks targeted 14 of the 16 critical infrastructure sectors, as defined by the Department of Homeland Security.
The business model has proven highly lucrative for cybercriminals and, for as long as the ransomware business model yields financial returns for the attackers, the number of incidents is expected to increase, the cybersecurity agencies warn.
In a joint advisory on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the Australian Cyber Security Centre (ACSC) warn that each time a ransom is paid, ransomware operators may be emboldened to launch more attacks.
Throughout 2021, cybersecurity agencies in the US, UK, and Australia noticed that ransomware incidents grew in sophistication and that the attackers managed to increase impact by targeting cloud services, managed service providers, the software supply chain and industrial processes, and by launching attacks during public holidays and weekends.
The ransomware landscape, they say, continues to evolve, backed by a complex network of specialized threat actors and affiliates engaged in malware development, distribution, and negotiation, sometimes leading to difficulties in attributing attacks to a specific group.
In 2021, the attackers showed a tendency to use cybercriminal ‘services-for-hire’ in their operations. Not only is ransomware-as-a-service (RaaS) growing, but attackers also rely on independent services to negotiate with the victims and aid with the ransom payments. NCSC-UK noticed that in some instances victims were directed to a 24/7 help center to assist with the payment and data recovery.
Phishing, remote desktop protocol (RDP), and software vulnerabilities remained the top three initial infection vectors last year, but ransomware operators increasingly shared victim information amongst themselves, and some groups were seen selling access to compromised networks.
2021 was marked by ransomware attacks on several high-profile US targets – such as Colonial Pipeline and meat processor JBS – but also by the highly impactful assault on software maker Kaseya, as well as by the shutdown of major ransomware operations, including DarkSide and BlackMatter.
In the second half of 2021, the US agencies noticed that ransomware operators moved away from high-profile and critical services organizations toward mid-sized victims – likely in an attempt to reduce scrutiny and disruption from law enforcement. The ACSC and the NCSC-UK, however, say that organizations of all sizes were targeted, including high-value and critical infrastructure entities.
The five agencies also say that ransomware operators continued to employ double- and even triple-extortion tactics, where they threaten the victim with the public release of stolen data, or with the disruption of Internet access if a ransom is not paid.
“We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim. With our NCSC-UK, ACSC, FBI, and NSA partners, we urge organizations to review this advisory, visit stopransomware.gov to take action to strengthen their cybersecurity posture, and report unusual network activity or cyber incidents to government authorities,” CISA Director Jen Easterly said.
Immediate action that organizations can take to mitigate the threat of ransomware includes keeping all software updated, maintaining offline – encrypted – backups of all data, securing RDP, disabling unused resources, implementing network segmentation and multi-factor authentication, and educating employees to recognize phishing emails.
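As an added illustration of that checklist (example code written for this page, not from the advisory or the article), the Python below audits a constructed asset inventory against the listed mitigations: patch age, offline and encrypted backups, RDP exposure, unused services, network segmentation, and multi-factor authentication. The inventory schema, the 30-day patch and 7-day backup thresholds, the zone names, and the sample hosts are all assumptions.

```python
"""Audit an asset inventory against the ransomware mitigations in the joint advisory.

Added example. The record format, thresholds and sample hosts are assumptions,
not part of the advisory or the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

PATCH_MAX_AGE_DAYS = 30   # assumed: anything older counts as "software not updated"
BACKUP_MAX_AGE_DAYS = 7   # assumed: a backup older than a week is flagged as stale
RDP_PORT = 3389           # RDP listens here; exposing it to the Internet is flagged


@dataclass
class Asset:
    """One host from the (assumed) inventory export."""
    name: str
    last_patched: date
    internet_exposed_ports: Set[int]
    mfa_enforced: bool
    network_zone: str                  # assumed: "flat" means no segmentation at all
    backup: Optional[Dict]             # {"last": date, "offline": bool, "encrypted": bool}
    running_services: Set[str]
    required_services: Set[str]


def audit_asset(asset: Asset, today: date) -> List[str]:
    """Return the mitigation gaps found on one asset, as short finding tags."""
    findings: List[str] = []
    if (today - asset.last_patched).days > PATCH_MAX_AGE_DAYS:
        findings.append("stale-patches")
    if RDP_PORT in asset.internet_exposed_ports:
        findings.append("rdp-exposed")
    if not asset.mfa_enforced:
        findings.append("no-mfa")
    if asset.network_zone == "flat":
        findings.append("no-segmentation")
    if asset.backup is None:
        findings.append("no-backup")
    else:
        if not asset.backup["offline"]:
            findings.append("backup-online")          # reachable by the same attacker
        if not asset.backup["encrypted"]:
            findings.append("backup-unencrypted")
        if (today - asset.backup["last"]).days > BACKUP_MAX_AGE_DAYS:
            findings.append("backup-stale")
    unused = asset.running_services - asset.required_services
    if unused:
        findings.append("unused-services:" + ",".join(sorted(unused)))
    return findings


def audit_inventory(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Audit every asset; the result maps host name to its list of findings."""
    return {a.name: audit_asset(a, today) for a in assets}


def worst_first(report: Dict[str, List[str]]) -> List[str]:
    """Host names ordered by number of findings, most gaps first (ties by name)."""
    return sorted(report, key=lambda name: (-len(report[name]), name))


# Constructed sample inventory: one neglected jump host and one well-kept file server.
TODAY = date(2022, 2, 10)  # constructed reference date for the age calculations
SAMPLE_INVENTORY = [
    Asset(
        name="jump-host",
        last_patched=date(2021, 12, 20),
        internet_exposed_ports={443, 3389},
        mfa_enforced=False,
        network_zone="flat",
        backup={"last": date(2022, 2, 9), "offline": False, "encrypted": True},
        running_services={"rdp", "print-spooler", "telnet"},
        required_services={"rdp"},
    ),
    Asset(
        name="fileserver",
        last_patched=date(2022, 2, 1),
        internet_exposed_ports={443},
        mfa_enforced=True,
        network_zone="internal-servers",
        backup={"last": date(2022, 2, 8), "offline": True, "encrypted": True},
        running_services={"smb"},
        required_services={"smb"},
    ),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, TODAY)
    for host in worst_first(report):
        print(f"{host}: {', '.join(report[host]) or 'no findings'}")
```

Running it prints the jump host first with six gaps and the file server with none; in practice the inventory records would come from an asset-management or endpoint-management export, and the thresholds should match the organization's own patching and backup policy.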
According to Matthew Warner, CTO and co-founder at automated threat detection and response provider Blumira, ransomware groups are shifting away from high-value targets not only because last year’s series of high-profile attacks attracted too much unwanted attention, but also because the proliferation of RaaS has allowed many unskilled cybercriminals to launch opportunistic rather than targeted attacks.
Warner also warns that organizations need to strengthen their security to ensure they don’t fall victim to these increasingly sophisticated attacks. This includes ensuring visibility into all assets and implementing broad risk mitigation efforts, for fast response in the event of an incident.
“Like any profitable business, ransomware threat actors will likely sink money back into areas of the business that promote growth, such as research and development, to create more sophisticated tools to make money and improve their intrusion tradecraft — which means that simply deploying a firewall and antivirus software and hoping for the best will no longer cut it,” Warner said.
Tyler Shields, CMO at cyber asset management and governance solutions provider JupiterOne, also believes that better visibility into their assets can help organizations identify potential weaknesses in their environments and mitigate risks.
“While ransomware will continue to be a major issue for organizations this year, I believe there will be a substantial increase in misconfigurations and shadow or unknown asset attacks. We saw this problem growing last year, and with the pace of cloud transformation and application development growth, I would be surprised if the impact of these issues doesn’t continue to grow in the year ahead,” Shields said.