It appears that ransomware will continue to be the bane of businesses everywhere. Group-IB, a global cybersecurity provider, reported in its Hi-Tech Crime Trends 2022/2023 report that ransomware operations remain the top cyber threat to public and private companies across the world.
According to the company, the number of companies that had their information uploaded onto ransomware dedicated leak sites (DLS) rose 22% year-on-year to 2,886 over the period 2H21 to 1H22. Three hundred and twenty-two of the affected companies were in the Asia Pacific region.
[Image] Source: Group-IB. Volkov.
"Based on our recent incident response engagements and investigations, we should expect continuous growth of the ransomware 'empire'. In 2023, the operators’ techniques and tools will continue to evolve," said Dmitry Volkov, CEO of Group-IB.
Acronis also predicts that the number of ransomware attacks will continue to grow as they remain profitable for cyber criminals, while businesses can lean on cyber insurance to cushion some of the impact of ransoms.
"This will undoubtedly increase the cost of cyber insurance premiums even further," the company stated in a report about cyberthreats.
"Attackers will increasingly focus on uninstalling security tools, deleting backups, and disabling disaster recovery plans wherever possible. Living-off-the-land techniques will play a major role in this."
Living off the land refers to an attacker using tools that are already present in the compromised environment, such as built-in system utilities and administrative scripts, rather than creating or introducing new tools. Because these binaries are legitimate and often used by administrators, detection has to rest on how they are invoked rather than on the binary itself.
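The backup-deletion and recovery-disabling behaviour Acronis describes is usually carried out with built-in Windows tools, so the practical detection is a rule on the command line, not on the executable. The following is an added example, not code from the article or from Acronis: it scans constructed process-creation log lines (the `timestamp|host|parent|command_line` layout is an assumption, loosely modelled on Sysmon process-creation events) for shadow-copy deletion, backup-catalogue deletion and boot-recovery changes, and then flags hosts where several distinct destructive commands ran in sequence, which is a far stronger signal than a single hit that an administrator might trigger legitimately.

```python
"""Detect living-off-the-land commands that destroy recovery options.

Added example, not from the article or any vendor quoted in it. The log
format (timestamp|host|parent_process|command_line) and the log lines are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample process-creation log lines.
SAMPLE_LOG = """\
2023-01-10T02:14:07Z|WS-017|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt
2023-01-10T02:15:31Z|WS-017|cmd.exe|vssadmin.exe delete shadows /all /quiet
2023-01-10T02:15:32Z|WS-017|cmd.exe|wmic shadowcopy delete
2023-01-10T02:15:33Z|WS-017|cmd.exe|bcdedit /set {default} recoveryenabled No
2023-01-10T02:15:34Z|WS-017|cmd.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2023-01-10T02:15:35Z|WS-017|cmd.exe|wbadmin delete catalog -quiet
2023-01-10T02:15:36Z|WS-017|powershell.exe|powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2023-01-10T02:16:02Z|SRV-BK01|services.exe|vssadmin.exe list shadows
"""

# Each rule is (name, case-insensitive regex applied to the command line).
# Listing shadows is benign and deliberately not matched; deleting them is not.
RULES = [
    ("vssadmin shadow deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadow deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("WMI shadow copy deletion via PowerShell", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("wbadmin catalog deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit recovery disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    ("bcdedit boot failure policy ignored", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]


@dataclass
class Alert:
    timestamp: str
    host: str
    parent: str
    rule: str
    command_line: str


def parse_line(line):
    # maxsplit=3 keeps any '|' inside the command line (PowerShell pipelines)
    # as part of the fourth field instead of breaking the record.
    ts, host, parent, cmd = line.split("|", 3)
    return ts, host, parent, cmd


def scan(log_text):
    """Return one Alert per log line that matches a destructive-command rule."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmd = parse_line(line)
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, parent, name, cmd))
                break
    return alerts


def hosts_with_burst(alerts, min_hits=3):
    """Hosts on which several *distinct* destructive commands ran.

    A single vssadmin call may be an administrator; three or more different
    recovery-destroying commands on one host is ransomware pre-encryption
    behaviour and should page someone.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} [{a.rule}] {a.parent} -> {a.command_line}")
    print("hosts with a destructive burst:", hosts_with_burst(found))
```

The rules are deliberately narrow (the delete verb, not the tool) so that routine `vssadmin list shadows` from a backup server does not alert; the burst check is where the real value lies, because each of these commands individually has legitimate uses.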
Easier supply, higher demand
There are other drivers for ransomware, Group-IB said. "Two major driving forces behind ransomware attacks are initial access brokers (IABs) and the increasing number of logs stolen with info-stealing malware," Volkov shared.
"The repositories of stolen logs that are usually obtained with info-stealers - known as clouds of logs - are a relatively new trend. Nevertheless, Group-IB threat intelligence experts already observe high demand for such services including among nation-state threat actors and are expecting this segment to grow.
"In this regard, the industry cannot afford to ignore the increasing number of attacks on employees. The recent attack on Uber was carried out exactly like that. The single sign-on (SSO) types of access obtained with info-stealers are likely to become the main source of initial access to corporate networks.
"As data protection legislation is getting stricter worldwide, more companies and individuals are likely to become victims of data leaks and breaches carried out by financially-motivated cybercrime and nation-state adversaries. Private and public companies should consider setting up a threat intelligence programme to monitor for compromised credentials of their workforce and other sensitive corporate information."
For the second consecutive year, Group-IB researchers observed the increasing impact of IABs on the ransomware market. The company recorded 2,348 instances of corporate network access being sold on dark web forums or privately by IABs, twice as many as in the preceding period.
The number of brokers also grew from 262 to 380, which is good news for anyone shopping for ransomware-as-a-service. In the Asia Pacific region, the number of network access offers almost tripled to 382 between 2H21 and 1H22, Group-IB said, and the greater supply drove offer prices down by 32%.
“Initial access brokers play the role of oil producers for the whole underground economy,” Volkov elaborated.
“They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries. As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023. Private and public companies in the Asia Pacific region should consider setting up a threat intelligence programme to monitor for compromised credentials of their workforce.”
The Asia-Pacific region saw a significant number of network access offers between 2H21 and 1H22 with India (16.8%) in top place followed by Australia (12.8%) and China (11.8%), Group-IB said. One of the most prolific initial access brokers active in APAC, NikaC, offered access to seven financial companies’ networks, mainly in the Asia-Pacific. Most involved access to the corporate email of top managers.
Hybrid attacks
Fortinet has predicted that wiper malware could be combined with ransomware to cause more chaos. Fortinet's FortiGuard Labs noted that wiper malware made a comeback in 2022, with attackers introducing new variants of the decade-old attack method. According to the 1H 2022 FortiGuard Labs Global Threat Landscape report, there was an increase in disk-wiping malware in conjunction with the war in Ukraine, but it was also detected in 24 additional countries, not just in Europe.
"Beyond the existing reality of threat actors combining a computer worm with wiper malware, and even ransomware for maximum impact, the concern going forward is the commoditisation of wiper malware for cybercriminals...Given its broader availability combined with the right exploit, wiper malware could cause massive destruction in a short period of time given the organised nature of cybercrime today. This makes time to detection and the speed at which security teams can remediate paramount."
Using AI-powered inline sandboxing is a good starting point to protect against sophisticated ransomware and wiper malware threats, FortiGuard Labs said. "It allows real-time protection against evolving attacks because it can ensure only benign files will be delivered to endpoints if integrated with a cybersecurity platform," FortiGuard researchers noted.
To pay or not to pay?
[Image] Source: Pure Storage. Oostveen.
"Organisations will be more inclined to take a 'safer data' approach – employing unified fast file and object storage platforms that provide the last line of defence against ransomware or rogue employees, while offering quick recovery speeds," said Oostveen of Pure Storage.
"Increasingly, we are seeing cybercriminals exfiltrating data before encrypting them and holding them for ransom. It is pretty much a ‘double whammy’ when businesses are hit by these kinds of attacks. It is a major concern for businesses as not only is their data held for ransom, but they also face the harsh reality of their data being stolen and likely being put out there and made available on the dark web," agreed Alvin Rodrigues, Field Chief Security Officer, Asia Pacific, Infoblox.
Righard Zwienenberg, Senior Research Fellow at ESET, is also in favour of not paying ransoms as it only encourages cybercriminals, and payment guarantees nothing. A decryptor might not work, he warned, or the data may already have been exfiltrated as Oostveen and Rodrigues have pointed out.
"There's no guarantee the data will not leak even if you pay (the ransom)," he said, lauding governments which are introducing legislation to make paying ransoms illegal. "Even if you pay, someone else could still leak it."
"These attacks are often done over the domain name server (DNS). In other words, they are likely accomplished through command and control, also known as 'C2', whereby attackers start by infecting targeted computers behind the firewall with malware," Rodrigues elaborated.
Businesses should look to secure their DNS, Rodrigues advised. "They will want to go with a strategy that allows them to centralise and automate their DNS and take an approach that allows them to securely deliver applications and services with high availability and response times," he said.
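Rodrigues's point that ransomware command-and-control often rides over DNS is worth making concrete, because DNS C2 and tunnelling leave a recognisable footprint in resolver logs: many unique, long, high-entropy subdomains under one registered domain, queried at regular intervals. The following is an added example, not code from the article or from Infoblox. It scores constructed resolver log lines (the `timestamp client qname qtype` layout is an assumption) on those three signals; the beacon traffic is generated in the block so the sample is reproducible.

```python
"""Score DNS resolver logs for command-and-control / tunnelling patterns.

Added example, not from the article or from Infoblox. The log format and
all log lines are constructed; the beacon lines are generated below.
"""
import hashlib
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _beacon_lines(start, client, domain, count, period_s):
    """Construct beacon-style queries: one long hex label every period_s seconds."""
    lines = []
    for i in range(count):
        ts = start + timedelta(seconds=i * period_s)
        label = hashlib.sha256(f"{domain}{i}".encode()).hexdigest()[:40]
        lines.append(f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {client} {label}.{domain} TXT")
    return lines


START = datetime(2023, 1, 10, 9, 0, 0)
# Constructed sample: ordinary lookups plus a 60-second TXT beacon to c2-demo.test.
SAMPLE_LOG = "\n".join(
    [
        "2023-01-10T09:00:00Z 10.0.5.23 www.example.com A",
        "2023-01-10T09:00:02Z 10.0.5.23 mail.example.com A",
        "2023-01-10T09:00:30Z 10.0.5.41 cdn.example.net A",
        "2023-01-10T09:03:12Z 10.0.5.23 www.example.com A",
    ]
    + _beacon_lines(START, "10.0.5.23", "c2-demo.test", 12, 60)
)


def registered_domain(qname):
    # Simplification: last two labels. Production code should use the public
    # suffix list so that names like example.co.uk are grouped correctly.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; encoded payloads score near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text):
    """Group queries by (client, registered domain) and compute C2 indicators."""
    groups = defaultdict(list)  # (client, domain) -> [(timestamp, subdomain)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, client, qname, _qtype = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
        dom = registered_domain(qname)
        sub = qname.rstrip(".").lower()[: -len(dom)].rstrip(".")
        groups[(client, dom)].append((ts, sub))

    report = {}
    for key, events in groups.items():
        events.sort()
        subs = [s for _, s in events if s]
        entropies = [shannon_entropy(s) for s in subs]
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        # Coefficient of variation of inter-query gaps: ~0 means clockwork beaconing.
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            interval_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        else:
            interval_cv = None
        report[key] = {
            "queries": len(events),
            "unique_subdomains": len(set(subs)),
            "avg_label_len": statistics.mean(len(s) for s in subs) if subs else 0.0,
            "avg_entropy": statistics.mean(entropies) if entropies else 0.0,
            "interval_cv": interval_cv,
        }
    return report


def suspicious(report, min_unique=10, min_entropy=3.0, min_len=30, max_cv=0.2):
    """Return (client, domain) pairs that look like tunnelling *and* beaconing."""
    out = []
    for key, m in report.items():
        beaconing = m["interval_cv"] is not None and m["interval_cv"] <= max_cv
        tunnelling = (
            m["unique_subdomains"] >= min_unique
            and m["avg_entropy"] >= min_entropy
            and m["avg_label_len"] >= min_len
        )
        if tunnelling and beaconing:
            out.append(key)
    return sorted(out)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for key, m in sorted(rep.items()):
        print(key, m)
    print("suspicious:", suspicious(rep))
```

Requiring both the tunnelling and the beaconing signal keeps content-delivery networks and cloud services, which also produce many unique hostnames, from tripping the rule; the thresholds are starting points to tune against your own resolver's baseline, and the CV check should be relaxed if the implant adds jitter.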
Many scenarios, all bad
Trend Micro warned that ransomware attacks could evolve. In its report The Near and Far Future of Today's Ransomware Groups, Trend Micro predicted that cybercriminals will continue to evolve their attacks in response to corporate defensive strategies, law enforcement successes, and government sanctions. Transformation scenarios could include scaling up attacks through increased automation, targeting more IoT and cloud environments, improving professionalism and execution, and more effectively monetising attacks.
"From working internally with local businesses to partnering with neighbouring countries, collaboration amongst countries and between the public and private sectors is essential to contributing to a coalition that allows for information and data capability sharing. In 2023, we can expect to see more collaboration and increased efforts from governments in supporting the fight against ransomware and other forms of attack, as cybercriminals are not hampered nor restricted by any geographical boundaries."
Jon Clay, VP of Threat Research at Trend Micro commented: "Change is the only constant in cybercrime, and sooner or later, economic and geopolitical forces may compel ransomware groups to adapt or die. Amidst this uncertain threat landscape, network defenders need platform-based security to provide visibility and control across all attack surfaces, including hybrid cloud infrastructure."
The report from Trend Micro also predicted that ransomware actors could diversify by developing supply chain attacks to cut out reliance on IABs, using stolen data for stock manipulation, selling more services to traditional organised crime syndicates, merging with other criminal groups, or even working with government actors.
Trend Micro's recommendations to prepare for these scenarios include:
- Hardening Internet-facing and internal corporate systems
- Migrating to cloud services
- Focusing defensive efforts on detection and response and initial access vectors
- Strengthening government sanctions on major actors and facilitators
- Regulating cryptocurrency to increase transparency, protect consumers against fraud and make money laundering harder