By Staff Writer.
A cybersecurity advisory jointly issued by Australia, the US, and the UK has flagged an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organisations over the past year. The advisory highlights how ransomware groups modified their behaviour over 2021 to increase their chances of success.
The Australian Cyber Security Centre (ACSC) says it has seen continued ransomware attacks across various critical sectors, including healthcare and medical, financial services, higher education and research, and energy.
The advisory noted five important behaviours and trends among cybercriminals in 2021. The cybersecurity agencies confirmed phishing emails, RDP exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents last year.
The agencies also noted the increasing professionalism of the ransomware business model.
Ransomware-as-a-service (RaaS) is on the rise, as is the use of independent third parties to negotiate and facilitate payments and arbitrate in the event of a payment dispute.
Ransomware gangs also share information on their victims with each other more often. This increases the threat to victim organisations of repeated or continuing attacks.
Some agencies have also noticed a shift away from high-profile targets like Colonial Pipeline towards smaller targets. As the Colonial Pipeline attack illustrates, big-time targets attract the attention of authorities and can lead to strong repercussions. However, the trend towards smaller ransomware targets is more prevalent in the United States than in Australia.
“The ACSC observed ransomware continuing to target Australian organizations of all sizes, including critical services and ‘big game,’ throughout 2021,” the ACSC noted.
Ransomware attackers are also diversifying their approaches to extorting money. They increasingly rely on triple extortion. Triple extortion involves threatening to publicly release stolen sensitive information, disrupt the victim’s internet access, and inform the victim organisation’s partners, shareholders, or suppliers about the incident.
In addition to changing how they do business, ransomware gangs found ways in 2020 to increase their impact. They are starting to target cloud accounts, cloud application programming interfaces, and data backup and storage systems to deny access to cloud resources and encrypt data. The targeting of managed service providers is also on the rise because they have trusted access to the IT systems of clients.
The FBI notes several ransomware groups have now developed code designed to stop critical infrastructure or industrial processes. Ransomware groups have also learned to increase the scale of their attacks by accessing multiple victims through a single initial supply chain compromise.
The cybersecurity agencies have also noted the increased tendency of ransomware groups to attack during holidays and weekends when, presumably, fewer in-house IT experts are on hand to shut down the initial intrusion and response times are slower.
Agencies like the ACSC are pushing organisations to mitigate and prevent ransomware attacks rather than pay the criminal groups.
“Paying the ransom does not guarantee that a victim’s files will be recovered,” the advisory notes. “Additionally, reducing the financial gain of ransomware threat actors will help disrupt the ransomware criminal business model.”
But the ransomware business model remains lucrative for the people behind it. The cybersecurity agencies in all three countries say ransomware tactics and techniques continued to evolve in 2021. They add that this highlights the growing technological sophistication of ransomware groups and the increased threat to organizations globally.