Transnational security agencies highlight increased ransomware trends in 2021


A transnational joint cybersecurity advisory (CSA) was issued on Wednesday outlining the growing international threat posed by ransomware trends observed over the past year. The global security agencies said that ransomware groups have increased their impact by targeting the cloud infrastructure and managed service providers (MSPs), attacking industrial processes and the software supply chain, and launching attacks on organizations on holidays and weekends.

The advisory, titled, “2021 Trends Show Increased Globalized Threat of Ransomware,” was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), and the U.K.’s National Cyber Security Centre (NCSC-UK).

The alert identifies an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. It documents ransomware trends and provides mitigation recommendations to help network defenders reduce their risk of compromise by ransomware. The advisory also noted that “although most ransomware incidents against critical infrastructure affect business information and technology systems, the FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes.”

The U.S. security agencies – the FBI, CISA, and the NSA – observed ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors, including the defense industrial base, emergency services, food and agriculture, government facilities, and information technology sectors.

The ACSC observed continued ransomware attacks targeting Australian critical infrastructure entities, including in the healthcare and medical, financial services and markets, higher education and research, and energy sectors.

The NCSC-UK recognizes ransomware as the biggest cyber threat facing the country. Education is one of the top U.K. sectors targeted by ransomware actors, but the agency also witnessed attacks targeting businesses, charities, the legal profession, and public services in the local government and health sectors.

On Wednesday, the NCSC-UK also issued separate cybersecurity guidance to help farmers improve the security and resilience of their businesses against cyber threats. The agency worked with the National Farmers Union to support the agriculture and farming sector, given the increased use of email, online accounting tools, online payment systems, and automated farming equipment.

The joint CSA also outlined that ransomware trends observed across the three nations included cybercriminals increasingly gaining access to networks through phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploitation of software vulnerabilities.

Last year, the market for ransomware became increasingly ‘professional’ with an increase in cybercriminal services-for-hire, and the criminal business model of ransomware is now well established. In addition to their increased use of ransomware-as-a-service (RaaS), ransomware hackers employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cybercriminals.

The advisory also revealed that Eurasian ransomware groups have shared victim information with each other, diversifying the threat faced by the targeted organizations. Cybercriminals also diversified approaches to extorting money. After encrypting victim networks, ransomware hackers increasingly used ‘triple extortion’ by threatening to publicly release stolen sensitive information, disrupt the victim’s internet access, and/or inform the victim’s partners, shareholders, or suppliers about the incident, the joint CSA added.

The joint CSA also pointed to a shift away from ‘big-game’ hunting. In the first six months of 2021, cybersecurity authorities in the U.S. and Australia observed ransomware hackers targeting big-game organizations, such as those perceived as high-value and/or those that provide critical services. Some of these victims included Colonial Pipeline, JBS Foods, and Kaseya.

However, ransomware groups suffered disruptions from U.S. authorities in mid-2021, the advisory noted. Subsequently, the FBI observed some ransomware hackers redirecting ransomware efforts away from ‘big-game’ and toward mid-sized victims to reduce scrutiny.

The ACSC observed ransomware continuing to target Australian organizations of all sizes, including critical services and ‘big game,’ throughout last year, the joint CSA said. NCSC-UK observed targeting of U.K. organizations of all sizes throughout the year, with some ‘big game’ victims. Overall victims included businesses, charities, the legal profession, and public services in the education, local government, and health sectors.

Given the escalating threat landscape and ransomware trends faced by critical infrastructure organizations last year, the global security authorities advised network defenders to apply a set of recommendations intended to reduce both the likelihood and the impact of ransomware incidents. These mitigation measures are meant to help network defenders reduce their risk of compromise and respond appropriately to ransomware attacks, with access to key resources from their respective cyber agencies.

“Reducing risk to ransomware is core to CISA’s mission as the nation’s cyber defense agency, and while we have taken strides over the past year to increase awareness of the threat, we know there is more work to be done to build collective resilience,” Jen Easterly, CISA Director, said in a media statement.

“When critical infrastructure is held at risk by foreign hackers operating from a safe haven in an adversary country, that’s a national security problem,” Rob Joyce, NSA cybersecurity director, said. “The ransomware scourge is a significant focus area for NSA as we generate insights alongside our partners,” he added.

Organizations need to invest in newer and more advanced technologies for monitoring, detection and response much earlier in the attack kill chain to be successful, Saryu Nayyar, CEO and founder at Gurucul, wrote in an emailed statement. “This requires looking at more advanced analytics and behavioral profiling beyond what current XDR and SIEM solutions offer. In addition, the current class of rule-based machine learning (ML) in these solutions is incapable of identifying new variants and emerging ransomware threats.”

“Ransomware is not going away in 2022,” Mark Stone recently wrote in an IBM Security Intelligence blog post. “For the enterprise, a robust ransomware defense strategy can only fortify its cybersecurity posture,” he added.
