itSMF Bulletin March 2023 | Page 4

Ransomware attacks are associated with a common set of realities in 2022.

In brief:

• Multiple levels of extortion increase the likelihood of a massive payday.

Threat actors seek financial gain from ransomware attacks. It is bad news for the threat actor if the victim organization does not pay the ransom demand. To increase the likelihood of receiving a payment, threat actors have innovated beyond malicious data encryption as the sole blackmail lever. Additional levers include threatened distributed denial of service (DDoS) attacks and data exfiltration through hard-to-detect mechanisms like DNS tunneling with threats to sell, publish, auction, or otherwise disclose the stolen data if the ransom is not paid. Victim organizations may be able to address the operational disruption of malicious data encryption through backups, but mitigating risks associated with DDoS and exfiltrated data is a different challenge entirely.
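The DNS tunnelling lever mentioned above is hard to spot on the wire, but it leaves a statistical trace in resolver logs. As an added illustration (not from the Bulletin), the following Python flags per-client query groups whose subdomain labels are numerous, long and high-entropy; the log lines, client addresses and the tunnel.example domain are constructed, and the registered-domain split is a last-two-labels approximation.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client IP, queried name) pairs, not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.5", "api.example.com"),
    ("10.0.0.5", "login.example.com"),
    ("10.0.0.5", "example.com"),
    # Hypothetical host sending hex-encoded chunks as subdomain labels of tunnel.example.
    ("10.0.0.9", "0123456789abcdeffedcba9876543210.tunnel.example"),
    ("10.0.0.9", "123456789abcdef0fedcba9876543210.tunnel.example"),
    ("10.0.0.9", "23456789abcdef01fedcba9876543210.tunnel.example"),
    ("10.0.0.9", "3456789abcdef012fedcba9876543210.tunnel.example"),
    ("10.0.0.9", "456789abcdef0123fedcba9876543210.tunnel.example"),
    ("10.0.0.9", "56789abcdef01234fedcba9876543210.tunnel.example"),
]

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, hostnames score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    """Return (registered domain, leftmost label); approximates the registered
    domain as the last two labels (assumption: no public-suffix list is used)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), labels[0]

def score_tunneling(queries, min_unique=5, min_avg_len=20, min_entropy=3.0):
    """Group queries per (client, domain) and flag groups whose many distinct,
    long, high-entropy labels look like data being carried out inside DNS names."""
    groups = defaultdict(set)
    for client, qname in queries:
        domain, label = split_name(qname)
        if label:
            groups[(client, domain)].add(label)
    findings = []
    for (client, domain), labels in groups.items():
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if len(labels) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings.append({"client": client, "domain": domain, "unique_labels": len(labels),
                             "avg_label_len": avg_len, "avg_entropy": avg_ent})
    return findings
```

Thresholds are starting points to tune against a baseline of the organisation's own resolver traffic; CDN and anti-spam lookups also produce long labels and need allow-listing.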

• RaaS and partner-in-crime models expand the number of attackers, ransomware variants, and advanced threat methods.

Threat actors are making ransomware toolkits easily available to wannabe threat actors, speeding up their time to crime. Today’s toolkits offer advanced evasions, exploits, and other techniques that were previously available only to nation-state actors or large cybercrime and ransomware gangs. When a new entrant threat actor lands a successful attack using a RaaS toolkit, any ransom payment is divided between the threat actors.

RaaS has been implicated in increasing the number of ransomware attacks. The number of ransomware variants in the first half of 2022 doubled compared to the second half of 2021.

• Ransomware supply chain models amplify specialization through division of labor.

Ransomware gangs are embracing specialist skills in crafting ransomware attacks, such as Initial Access Brokers (IABs) who sell access to compromised networks or devices, and post-compromise negotiators fluent in the language of the victim organization to negotiate the ransom payment. Ransomware gangs seek the same benefits from specialization and division of labour that the world has seen in most other business endeavours, such as manufacturing.

• The most common entry points for ransomware are:

Phishing (for credentials), open network ports and virtual private networks (VPNs), and vulnerabilities in applications.

Distracted employees clicking malicious links, misconfiguring a device, or forgetting to apply a critical security patch continue to be the leading causes of most breaches.

Email is still the top attack vector, so businesses must evolve their thinking beyond email perimeter defence and user training. Insufficient protection against these attack entry points is like painting a target on the front door.

Ransomware in 2022 features multiple levels of extortion, RaaS models, and rampant data exfiltration.

Ransomware in 2022: A Snapshot