Thursday, December 8th, 2022

The Reality of Ransomware 2022

Introduction

Ransomware has disrupted many organisations worldwide over the past few years, with threat actors capitalising on the remote and hybrid business landscape. Ransomware attack vectors have evolved and now target remote access services, software weaknesses, and cloud applications. Healthcare, energy, critical manufacturing, and public sector (federal, state, local, education, and tribal) organisations are frequently targeted, with unpatched vulnerabilities, coding errors, and misconfigurations being the most common points of entry. The past year has also seen significant disruption of ransomware groups, driven by geopolitical unrest and prosecutions. New groups have risen from the old, and ransomware remains one of the most pervasive cybercrime threats to organisations. Operators continue to evolve their tactics and techniques, both to evade detection and to incorporate novel features.

Here are some trends and insights into how ransomware evolved in 2022:

Ransomware threats by region

The number of targeted and regional ransomware attacks has increased year on year. One reason for this is that there is now less cooperation among ransomware groups.

Many ransomware groups have taken sides in the conflict between Russia and Ukraine, either focusing on destructive attacks or restricting their targeting geographically. Perhaps the most prominent response came from Conti, which announced that if Russia were targeted by a cyberattack it would retaliate against the "enemy's" critical infrastructure by any means necessary. On the other side, Kaspersky discovered Freeud, a wiper disguised as ransomware whose developer declared support for Ukraine.

Ransomware attack volume in Europe reached 63 million this year, an increase of 63% on last year. This was largely due to a spike in May, when 24.7 million attacks were recorded, over three times the level seen in May 2021 and more than ten times that of May 2020. Many countries that had previously seen low ransomware volumes recorded increases in the first half of 2022.

New programming languages and targeting are being used by threat actors

Some ransomware groups are adopting new programming languages, both to make detection harder and to make it easier to compile ransomware executables for different operating systems and platforms. Rust was adopted by the BlackCat and Hive developers, while BlackByte was written in Go (Golang). LockBit was the most prevalent single ransomware family observed in the first 10 months of 2022, followed closely by BlackCat and Phobos. However, more than one-fifth of observed attacks were attributed to "other" named families, showing that the landscape is not confined to a few well-known names.
It is not only the languages that have diversified; ransomware has also broadened its targeting and is no longer solely focused on Windows. RedAlert (also known as N13V), like the Rust-based Luna, encrypts both Windows systems and Linux and VMware ESXi servers. Nor is this limited to second-string players.
A Linux/ESXi variant of LockBit was discovered earlier this year. A change in target platforms means more opportunities for threat actors: because most ransomware defences focus on Windows, moving to Linux and ESXi hosts widens the exploitable attack surface, increases pressure on victims (a single hypervisor can host dozens of business-critical virtual machines), and lowers the risk of detection.

Major developments in the deployment of ransomware

We have seen several developments in how ransomware is deployed on compromised systems. Two incidents earlier in the year, one involving Darkside and the other RansomExx, involved the abuse of otherwise benign applications for DLL sideloading. In the Darkside case, the threat actor used a clean antivirus utility; with RansomExx, it was a Google updater. The sideloaded DLL typically carries the name of a system library the host application expects to find, placed in the application's own directory so that it wins the DLL search order. After years of popularity with certain niche-target attackers, DLL sideloading is fast becoming a mainstream tactic, because it lets a malicious payload execute under the identity of a legitimate, often signed, process and so evade detection.

Threat actors also continue to evolve how ransomware is delivered and spread. We have seen Impacket, a collection of open-source Python modules for working with network protocols, abused for lateral movement on compromised networks. Impacket's toolset includes remote execution (for example the wmiexec and smbexec scripts), credential sniffing and dumping scripts, exploits for known vulnerabilities, and enumeration modules, making it a very attractive package for ransomware actors. It is intended as a legitimate security-testing tool but, much like Metasploit and Cobalt Strike, its capabilities attract unfriendly customers. In the same vein, Brute Ratel has been observed being used for payload delivery. The rise in attacker abuse of legitimate security tools means defenders must know exactly what is running on their network and who is authorised to run it.
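The two deployment tactics described above leave recognisable traces in endpoint telemetry. The following is an added example (not code from the original post or from any of the tools mentioned) that runs two detections over constructed, already-parsed Windows events in the shape a SIEM would deliver them: a DLL-sideloading rule over Sysmon image-load events (Event ID 7) and an Impacket wmiexec/smbexec rule over process-creation events (Security 4688 or Sysmon 1). The sample events, vendor name and paths are made up for the illustration; the field names follow the real Sysmon and Security event schemas, and the loopback-share redirection pattern is the one Impacket's wmiexec.py and smbexec.py actually generate.

```python
"""Detections for DLL sideloading and Impacket-style lateral movement over
constructed Windows events. Added illustration, not the post's own code."""
import re
from pathlib import PureWindowsPath

# Library names commonly planted next to a trusted executable so that the
# application-directory search order loads the attacker's copy.
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                 "cryptbase.dll", "msimg32.dll", "dwmapi.dll", "wininet.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Impacket's wmiexec.py and smbexec.py redirect command output to the loopback
# ADMIN$ or C$ share under a "__"-prefixed file name; smbexec additionally
# stages a batch file called execute.bat.
IMPACKET_RE = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN|C)\$\\__\S+", re.IGNORECASE)

# Constructed sample events (not real telemetry). "AVVendor" is a placeholder.
SAMPLE_EVENTS = [
    # Legitimate: the utility loads the real version.dll from System32.
    {"EventID": 7, "Image": r"C:\Program Files\AVVendor\avtool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "SignatureStatus": "Valid"},
    # Sideloading: same utility copied to a user-writable directory, loading an
    # unsigned version.dll that sits next to it.
    {"EventID": 7, "Image": r"C:\Users\Public\update\avtool.exe",
     "ImageLoaded": r"C:\Users\Public\update\version.dll", "SignatureStatus": "Unavailable"},
    # wmiexec.py: output redirected to \\127.0.0.1\ADMIN$\__<timestamp>.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1670512345.12 2>&1"},
    # smbexec.py: batch file staged in TEMP, output to \\127.0.0.1\C$\__output.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": (r"C:\Windows\system32\cmd.exe /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 "
                     r"> C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c "
                     r"C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat")},
    # Benign admin redirect to a local file; must not match.
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir > C:\temp\out.txt"},
]


def detect_sideload(ev):
    """Executable loading a hijackable DLL name from its own directory, outside
    the system directories, where the DLL has no valid signature."""
    if ev.get("EventID") != 7:
        return None
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.name.lower() not in SIDELOAD_DLLS:
        return None
    if str(dll.parent).lower().startswith(SYSTEM_DIRS):
        return None
    if dll.parent != exe.parent or ev.get("SignatureStatus") == "Valid":
        return None
    return f"DLL sideloading: {exe.name} loaded unsigned {dll.name} from {dll.parent}"


def detect_impacket(ev):
    """Process creation whose command line carries the Impacket loopback-share redirect."""
    if ev.get("EventID") not in (1, 4688):
        return None
    cmd = ev.get("CommandLine", "")
    match = IMPACKET_RE.search(cmd)
    if not match:
        return None
    tool = "smbexec.py" if "execute.bat" in cmd.lower() else "wmiexec.py"
    return f"Impacket {tool} pattern: output redirected to {match.group(0)}"


def scan(events):
    """Run every rule over every event; returns the alert strings in order."""
    alerts = []
    for ev in events:
        for rule in (detect_sideload, detect_impacket):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts (one sideload, one wmiexec, one smbexec) and nothing for the two benign events. The sideloading rule deliberately keys on the DLL being loaded from the executable's own directory rather than on the executable's signature, because the whole point of the tactic is that the host process is legitimately signed.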

The rise and consolidation of information stealers

In 2022 several new malicious families were spotted for sale on dark-web markets, including Rhadamanthys, BlueFox, and Parrot, all of which steal sensitive information from victims' devices. One of the most notable new arrivals was OnionPoison. Unlike typical stealers, this malware collects data that can be used to identify victims, such as browsing history, social network account IDs, and Wi-Fi networks.
Previously known stealers were not left behind. This year saw updates to AcridRain and Raccoon Stealer, and RedLine Stealer developed into a self-propagating threat targeting gamers via YouTube. Campaigns that impersonate well-known software brands such as Notepad are also worth noting; they continue to reach large numbers of users and hit the impersonated brand's bottom line. Additionally, the RansomExx gang abuses open-source software by recompiling it with malicious shellcode loaded inside; Notepad was used in one of these attacks.

Top ransomware attacks of 2022

Conti ransomware attack on Costa Rica

In April, the Russia-linked Conti gang substantially disrupted economic operations across Costa Rica. It attacked the Ministry of Finance and succeeded in halting the country's import and export operations. It was the first time a national emergency had been declared in response to a ransomware attack.

At the end of May there was a second attack, this time targeting the Social Security Fund. This was also linked to Conti: the Hive ransomware was used, and Conti members are believed to have been involved in its development. This unusual activity could be read as a smokescreen for Conti's attempt to rebrand itself, driven by fear of the impact of sanctions against Russia over the conflict in Ukraine.

Lapsus$'s chaotic spree

Lapsus$ made headlines in 2022 with high-profile targets such as Nvidia, Ubisoft, Samsung, and Microsoft. In each case information was stolen and subsequently leaked online. Lapsus$ also carried out a successful attack on the Brazilian Ministry of Health. High-profile cyberattacks are nothing new, but several things make Lapsus$ unusual:

  • The people behind the attacks are thought to be teenagers.
  • Unlike conventional ransomware gangs, Lapsus$ has a strong social media presence.
  • The gang is known for data exfiltration rather than encryption: it regularly stole source code and other proprietary information and posted it on the Internet.

The Lapsus$ attacks show that cybercriminals are no longer content with conventional ransomware operations. Rather than encrypting data, as has usually been done in the past, Lapsus$ relies on pure extortion over stolen data.

Data breach at Macmillan Publishers

The global trade publisher announced in July 2022 that it had suffered a security breach as a result of a ransomware attack. The organisation was forced to shut down its offices while it recovered. It is unknown which ransomware group was responsible, or whether any data was taken.

More than 1.2 million credit card numbers leaked on hacking forum

Carding marketplaces are dark-web sites where users trade stolen credit card details for financial fraud, often involving large sums of money. On October 12, 2022, the carding marketplace BidenCash released the details of 1,221,551 credit cards for free. A file posted on the site contained data for more than 1.2 million cards expiring between 2023 and 2026, together with the other details needed to make online transactions. BidenCash had previously leaked the details of thousands of cards in June 2022 to promote the site. Since the marketplace had been forced to launch new URLs three months later, in September, after a series of DDoS attacks, some security researchers suggested this new release was another attempt at advertising.

Dropbox suffers data breach following phishing attack

On October 14, 2022, a malicious actor gained access to 130 of Dropbox's source code repositories after its employees were targeted by a phishing attack. The attacker impersonated the continuous integration and delivery platform CircleCI in order to harvest login credentials and one-time authentication codes from employees. Because CircleCI's login pages accept GitHub credentials, the harvested credentials and codes also gave the attacker access to Dropbox's account on GitHub. During the attack the intruder accessed some of the code Dropbox stores on the platform, including API keys used by its developers.

The healthcare sector was once again targeted heavily in 2022

The healthcare sector remains a top target for ransomware attacks. Groups such as Everest, BianLian, and LockBit were responsible for most of the attacks on the industry.

In February 2022 the FBI released an alert detailing indicators of compromise for LockBit 2.0 ransomware. LockBit 2.0 gains access to networks through a variety of means, including purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. From there, its operators use publicly available tools such as Mimikatz to escalate privileges, then a mix of public and custom tools to exfiltrate data before encrypting it with the LockBit malware. The actors always leave a ransom note with instructions on how to obtain the decryption software.

A similar warning was issued about a group known as the Daixin Team, which primarily targets the US healthcare system. The Daixin Team is a ransomware and data-extortion group that has targeted the Healthcare and Public Health (HPH) sector since at least June 2022. One such attack hit OakBend Medical Center on September 1, 2022; the group claimed to have harvested approximately 3.5 GB of data, including more than one million patient and staff records. A sample of 2,000 medical records was also posted on its data leak site, including names, genders, dates of birth, social security numbers, and addresses.

In October 2022 Medibank, a health insurer covering more than 3.9 million people in Australia, confirmed that ransomware was behind a cyberattack that disrupted its online services.

Ransomware is a pervasive threat that continues to grow. Attackers have become more sophisticated in the methods they use to infiltrate and bring down organisations through the exposures in their attack surfaces. Despite major efforts from the FBI, CISA, the NSA and the joint advisories they publish, the number of ransomware victims keeps increasing every year.

What do you need to do to protect against Ransomware Threats?

1. Visibility is key

Knowing what hardware and software assets are on your network and in your physical infrastructure is the foundation of everything else: you cannot patch, monitor, or back up what you do not know you have. An accurate inventory gives you a much clearer understanding of your organisation's security posture.

2. User awareness

Regular security awareness training ensures that your employees are up to date with the latest phishing lures and other attempts to gain access to your data or systems.

3. Updating and Patching

Make sure your devices have the latest security updates installed and run an up-to-date antivirus or anti-malware service. Timely patching also avoids the lost productivity that follows an incident.

4. Enable Multi-factor authentication

Most online services offer multi-factor authentication via a mobile app, a hardware key, or another second factor; enable it on every account that supports it. Prefer phishing-resistant methods such as FIDO2 security keys where they are available, because one-time codes can be phished and relayed to the real service within their validity window, which is exactly how the Dropbox attack described above succeeded.
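To make the difference concrete, here is an added illustration (not code from the original post, from Dropbox, or from CircleCI) of why a relayed one-time code still logs the attacker in while an origin-bound assertion does not. The TOTP part follows RFC 6238/RFC 4226 exactly. The WebAuthn part is a deliberately simplified model: an HMAC key stands in for the authenticator's private key, a small JSON object stands in for clientDataJSON, the relying-party ID hash stands in for authenticatorData, and the host names are constructed for the example.

```python
"""Relayed TOTP versus origin-bound (WebAuthn-style) assertion. Added
illustration; the WebAuthn half is a simplified model, not a real implementation."""
import base64
import hashlib
import hmac
import json
import os
import struct


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for Unix time t: HMAC-SHA1 over the time counter, then
    RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, t: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current step and +/- `skew` steps (typical server tolerance)."""
    return any(hmac.compare_digest(totp(secret, t + d * step), code)
               for d in range(-skew, skew + 1))


def relay_totp(secret: bytes, t_user: int, relay_delay: int) -> bool:
    """Phishing flow: the victim types the code into the fake page at t_user and
    the attacker submits it to the real service relay_delay seconds later."""
    stolen_code = totp(secret, t_user)
    return verify_totp(secret, stolen_code, t_user + relay_delay)


class Authenticator:
    """Stand-in for a FIDO2 authenticator. Real devices sign with an asymmetric
    key; the HMAC here only models 'something only the authenticator can produce'."""

    def __init__(self):
        self.key = os.urandom(32)

    def sign_assertion(self, rp_id: str, client_data: bytes) -> bytes:
        auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()   # authData || H(clientData)
        return auth_data + hmac.new(self.key, signed, hashlib.sha256).digest()


def verify_assertion(server_origin: str, rp_id: str, key: bytes, expected_challenge: str,
                     client_data: bytes, assertion: bytes) -> bool:
    """Relying-party checks: origin and challenge inside clientData, rpIdHash, then signature."""
    cd = json.loads(client_data)
    if cd["origin"] != server_origin or cd["challenge"] != expected_challenge:
        return False
    auth_data, sig = assertion[:32], assertion[32:]
    if auth_data != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def relay_webauthn(authenticator: Authenticator, browser_origin: str,
                   server_origin: str, rp_id: str) -> bool:
    """Phishing flow: the attacker forwards the real challenge to the victim, but the
    victim's browser (not the page) writes the origin it is actually on into clientData."""
    challenge = base64.b64encode(os.urandom(16)).decode()
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
    assertion = authenticator.sign_assertion(rp_id, client_data)
    return verify_assertion(server_origin, rp_id, authenticator.key, challenge, client_data, assertion)


if __name__ == "__main__":
    seed = b"constructed-shared-secret"                       # constructed TOTP seed
    print("relayed TOTP accepted:", relay_totp(seed, 1_700_000_000, relay_delay=5))      # True
    auth = Authenticator()
    print("genuine WebAuthn login:", relay_webauthn(auth, "https://ci.example.com",
                                                    "https://ci.example.com", "ci.example.com"))   # True
    print("relayed WebAuthn login:", relay_webauthn(auth, "https://ci-login.example.net",
                                                    "https://ci.example.com", "ci.example.com"))   # False
```

The TOTP relay succeeds because nothing in the code binds it to where the user typed it; the server only checks the time window. The assertion fails because the browser, not the attacker's page, fills in the origin, so a signature produced on the look-alike domain never verifies on the real one.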

5. Make sure you have an up to date Incident Response Plan in place

You should regularly test your incident response plan by simulating a real attack, and document how well your organisation was able to respond so that the plan can be improved before it is needed.

6. Back up your systems and data

Data loss is often as damaging to an organisation, financially and reputationally, as a data breach. Copying critical data to a secure offsite location, ideally one that is offline or immutable so that ransomware cannot reach it, is a small step that should not be overlooked; test that you can actually restore from it.

7. Active Directory and Privileged Access Management

The last couple of years have seen ransomware such as LockerGoga and SamSam (Samas) shipped without a spreader. Malware usually includes a means of propagating itself from the initially infected device to other devices on the same network, but rather than writing and testing that extra code, which may be prone to failure, attackers are leveraging a mechanism already present in most organisations: Active Directory. With domain administrator rights they can push the ransomware to every domain member through Group Policy or similar management channels. Tightly controlling privileged accounts and monitoring changes to Group Policy therefore goes a long way toward preventing a single compromised account from becoming an enterprise-wide outage.
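One concrete place to look for this is the Group Policy Preferences scheduled-task definitions stored in SYSVOL (under Policies/{GUID}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml), since a scheduled or immediate task that runs a binary from a share is the simplest way to execute a file on every domain computer at the next policy refresh. The following is an added example (not code from the original post or from any vendor) that audits such a file against a change-control allowlist. The XML is a constructed sample with the GPP clsid and uid attributes omitted; the task names, paths, share name and allowlist are assumptions for the illustration.

```python
"""Audit GPP ScheduledTasks.xml for unapproved tasks, the kind used to push a
ransomware binary domain-wide. Added illustration with a constructed sample."""
import re
import xml.etree.ElementTree as ET

# Constructed sample (clsid/uid attributes omitted). The first task is a
# legitimate inventory agent; the second is an attacker-created immediate
# task that runs a binary staged on the domain controller's NETLOGON share.
SAMPLE_SCHEDULEDTASKS_XML = """
<ScheduledTasks>
  <TaskV2 name="InventoryAgent">
    <Properties action="C" name="InventoryAgent" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\\Program Files\\Inventory\\agent.exe</Command>
            <Arguments>--scan</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="update">
    <Properties action="C" name="update" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>\\\\dc01\\netlogon\\update.exe</Command>
            <Arguments>-silent</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Locations an attacker can write to and that a sanctioned deployment should
# never execute from: any UNC path, SYSVOL/NETLOGON, temp and public folders.
STAGING_RE = re.compile(
    r"^(?:\\\\|.*\\(?:sysvol|netlogon|temp|programdata|users\\public)\\)", re.IGNORECASE)


def audit_gpp_tasks(xml_text: str, approved: dict) -> list:
    """Return one finding per task that is not an approved (name, command) pair.
    `approved` maps task name -> the exact command change control expects, so a
    rogue task reusing an approved name but a different binary is still flagged."""
    findings = []
    for task in ET.fromstring(xml_text.strip()):        # TaskV2 / ImmediateTaskV2 elements
        props = task.find("Properties")
        if props is None:
            continue
        name = props.get("name") or task.get("name") or "?"
        run_as = props.get("runAs", "")
        exec_el = props.find("Task/Actions/Exec")
        command = (exec_el.findtext("Command", "") if exec_el is not None else "").strip()
        args = (exec_el.findtext("Arguments", "") if exec_el is not None else "").strip()
        if approved.get(name) == command:
            continue
        reasons = ["not in the approved deployment list"]
        if STAGING_RE.match(command):
            reasons.append("binary runs from a network share or staging directory")
        if task.tag == "ImmediateTaskV2":
            reasons.append("immediate task: fires on the next Group Policy refresh on every target")
        if run_as.upper().endswith("SYSTEM"):
            reasons.append("runs as SYSTEM")
        findings.append({"task": name, "type": task.tag, "runAs": run_as,
                         "command": command, "arguments": args, "reasons": reasons})
    return findings


if __name__ == "__main__":
    approved = {"InventoryAgent": r"C:\Program Files\Inventory\agent.exe"}   # assumed allowlist
    for f in audit_gpp_tasks(SAMPLE_SCHEDULEDTASKS_XML, approved):
        print(f"[{len(f['reasons'])} flags] {f['type']} '{f['task']}' -> {f['command']} {f['arguments']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

Run this over every ScheduledTasks.xml under SYSVOL on a schedule and alert on any finding; pair it with alerting on GPO creation and modification events so that a task added by a compromised privileged account is caught before the refresh interval elapses.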

Smarttech247

Contact Us

The data you supply here will not be added to any mailing list or given to any third party providers without further consent. View our Privacy Policy for more information.

    Copyright Smarttech247 - 2021