SecurityWeek

Ransomware Targeted 14 of 16 U.S. Critical Infrastructure Sectors in 2021

US, UK and Australia Warn of Increase in Sophisticated Ransomware Attacks

An increase in attack sophistication is proof of the growing threat that ransomware poses to all organizations, cybersecurity agencies from the United States, United Kingdom, and Australia said on Wednesday.

Over the past several years, ransomware has become the most prevalent threat to organizations in private and public sectors alike, including financial services, food and agriculture, government, healthcare, and other critical infrastructure industries.

In the U.S., ransomware attacks targeted 14 of the 16 critical infrastructure sectors, as defined by the Department of Homeland Security.

The business model has proven highly lucrative for cybercriminals and, for as long as it continues to yield financial returns for the attackers, the number of incidents is expected to increase, the cybersecurity agencies warn.

In a joint advisory on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the Australian Cyber Security Centre (ACSC) warn that, each time a ransom is paid, ransomware operators may be emboldened to launch more attacks.

Throughout 2021, cybersecurity agencies in the US, UK, and Australia noticed that ransomware incidents grew in sophistication and that the attackers managed to increase impact by targeting cloud services, managed service providers, the software supply chain and industrial processes, and by launching attacks during public holidays and weekends.

The ransomware landscape, they say, continues to evolve, backed by a complex network of specialized threat actors and affiliates engaged in malware development, distribution, and negotiation, sometimes leading to difficulties in attributing attacks to a specific group.

In 2021, the attackers showed a tendency to use cybercriminal ‘services-for-hire’ in their operations. Not only is ransomware-as-a-service (RaaS) growing, but attackers also rely on independent services to negotiate with the victims and aid with the ransom payments. NCSC-UK noticed that in some instances victims were directed to a 24/7 help center to assist with the payment and data recovery.

Phishing, remote desktop protocol (RDP), and software vulnerabilities remained the top three initial infection vectors last year, but ransomware operators increasingly shared victim information amongst themselves, and some groups were seen selling access to compromised networks.

2021 was marked by ransomware attacks on several high-profile US targets – such as Colonial Pipeline and meat processor JBS – but also by the highly impactful assault on software maker Kaseya, as well as by the shutdown of major ransomware operations, including DarkSide and BlackMatter.

In the second half of 2021, the US agencies noticed that ransomware operators moved away from high-profile and critical services organizations toward mid-sized victims – likely in an attempt to reduce scrutiny and disruptive operations from law enforcement. The ACSC and the NCSC-UK, however, say that organizations of all sizes were targeted, including high-value and critical infrastructure entities.

The five agencies also say that ransomware operators continued to employ double- and even triple-extortion tactics, where they threaten the victim with the public release of stolen data, or with the disruption of Internet access if a ransom is not paid.

“We live at a time when every government, every business, every person must focus on the threat of ransomware and take action to mitigate the risk of becoming a victim. With our NCSC-UK, ACSC, FBI, and NSA partners, we urge organizations to review this advisory, visit stopransomware.gov to take action to strengthen their cybersecurity posture, and report unusual network activity or cyber incidents to government authorities,” CISA Director Jen Easterly said.

Immediate action that organizations can take to mitigate the threat of ransomware includes keeping all software updated, maintaining offline – encrypted – backups of all data, securing RDP, disabling unused resources, implementing network segmentation and multi-factor authentication, and educating employees to recognize phishing emails.

According to Matthew Warner, CTO and co-founder at automated threat detection and response provider Blumira, ransomware groups are shifting away from high-value targets not only because last year’s series of high-profile attacks attracted too much unwanted attention, but also because the proliferation of RaaS has allowed many unskilled cybercriminals to launch opportunistic rather than targeted attacks.

Warner also warns that organizations need to strengthen their security to ensure they don’t fall victim to these increasingly sophisticated attacks. This includes ensuring visibility into all assets and implementing broad risk mitigation efforts, for fast response in the event of an incident.

“Like any profitable business, ransomware threat actors will likely sink money back into areas of the business that promote growth, such as research and development, to create more sophisticated tools to make money and improve their intrusion tradecraft — which means that simply deploying a firewall and antivirus software and hoping for the best will no longer cut it,” Warner said.

Tyler Shields, CMO at cyber asset management and governance solutions provider JupiterOne, also believes that better visibility into their assets can help organizations identify potential weaknesses in their environments and mitigate risks.

“While ransomware will continue to be a major issue for organizations this year, I believe there will be a substantial increase in misconfigurations and shadow or unknown asset attacks. We saw this problem growing last year, and with the pace of cloud transformation and application development growth, I would be surprised if the impact of these issues doesn’t continue to grow in the year ahead,” Shields said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
