CISA Alert Points to Rise in ‘Sophisticated’ Ransomware Attacks

February 15, 2022 | Brooke Crothers

Sophisticated “high-impact” ransomware attacks against critical infrastructure sectors are increasing worldwide, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA), which cited cybersecurity authorities in the United States, Australia, and the United Kingdom. The advisory also noted that the criminal business model for ransomware continues to evolve, making it harder to “identify conclusively” specific criminal groups because of the complex networks of developers, affiliates, and freelancers.

In 2021, the FBI, CISA, and the National Security Agency (NSA) observed ransomware attacks against 14 of the 16 U.S. critical infrastructure sectors, including the defense industrial base, emergency services, food and agriculture, government facilities, and information technology, CISA said in the advisory.

The advisory also noted that the ransomware market has become increasingly professional, citing the emergence of Ransomware-as-a-Service (RaaS) and threat actors’ use of independent services to negotiate and arbitrate payment disputes, as well as “help centers” that help victims restore encrypted systems and expedite payments.

Other highlights of the advisory include:
  • Sharing of victim information and rapid rebranding: Eurasian ransomware groups share victim information and morph quickly, CISA said. For example, the BlackMatter ransomware group, after announcing its shutdown, transferred its existing victims to infrastructure owned by another group, known as LockBit 2.0. In October 2021, Conti ransomware actors began selling access to victims’ networks, enabling follow-on attacks by other cyber threat actors.
  • Shift away from “big-game” hunting in the United States: Attackers have moved away from high-profile U.S. victims such as Colonial Pipeline Company, JBS Foods, and Kaseya toward mid-sized victims, to reduce scrutiny from authorities.
  • Triple extortion: After encrypting victim networks, ransomware attackers in the U.S. are increasingly turning to “triple extortion” by threatening to publicly release stolen sensitive information, disrupt the victim’s internet access, and/or inform the victim’s partners, shareholders, or suppliers about the incident, according to CISA.
  • Targeting of command-line utilities, scripting, and permissions: Privilege escalation and lateral movement often depend on software utilities that run from the command line, CISA noted. If threat actors are unable to run these tools, they will have difficulty escalating privileges and/or moving laterally. CISA also suggested that organizations disable macros in files received from external sources via Group Policy.
  • Targeting the cloud: “Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software,” CISA said, adding that ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data. Ransomware criminals have also targeted cloud service providers to encrypt customer data, CISA said.
  • Targeting managed service providers: Ransomware criminals are targeting managed service providers (MSPs) because of their “trusted accesses into client organizations…By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise,” according to CISA.
  • Attacking the software supply chain: Ransomware threat actors targeted the software supply chain to compromise and extort its customers. “Targeting software supply chains allows ransomware threat actors to increase the scale of their attacks by accessing multiple victims through a single initial compromise,” CISA said.

Mitigations suggested by CISA include:
  • Implement end-to-end encryption: Deploying mutual Transport Layer Security (mTLS) can prevent eavesdropping on communications, which in turn denies cyber threat actors the insight they need to advance a ransomware attack.
  • Enforce the principle of least privilege through authorization policies: Minimize unnecessary privileges for identities. “Consider privileges assigned to human identities as well as non-person (e.g., software) identities. In cloud environments, non-person identities…with excessive privileges are a key vector for lateral movement and data access.”
  • Implement time-based access for privileged accounts: “Just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the zero trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level.”
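The first of those mitigations, mTLS, is worth seeing in working form. The Go program below is an added example written for this post, not code from Venafi or from the CISA advisory. It mints a throwaway CA and certificates in memory (the names demo-ca, api.internal, batch-job and rogue-ca and the one-hour lifetime are constructed for the demo), starts a loopback TLS listener that requires and verifies client certificates, and then tries three clients. Only the client whose certificate chains to the trusted CA is admitted; an anonymous client, and a client presenting a certificate with the right name but minted by a CA the server does not trust, are both refused during the handshake, before any application data flows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// must is a demo-only shortcut: setup errors panic instead of being returned.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and a certificate for cn: self-signed (a throwaway CA) when parent
// is nil, signed by parent otherwise. The names and the one-hour lifetime are constructed.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           eku, // nil on a CA means unrestricted
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the server listens on loopback
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der)), key
}

// serve listens on loopback with ClientAuth set to RequireAndVerifyClientCert, the switch that
// turns one-way TLS into mTLS, and writes "ok" to every peer whose certificate chains to caPool.
func serve(serverCert tls.Certificate, caPool *x509.CertPool) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    caPool,
	}))
	go func() { // accept loop; ends once the listener is closed
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			io.WriteString(c, "ok") // Write runs the handshake; if it fails only the TLS alert goes out
			c.Close()
		}
	}()
	return ln
}

// connect dials addr, presenting cert when it is non-nil, and returns nil only if the server
// completed the handshake and replied "ok". Under TLS 1.3 the client finishes its side of the
// handshake before the server has checked the client certificate, so the verdict surfaces on the first read.
func connect(addr string, caPool *x509.CertPool, cert *tls.Certificate) error {
	cfg := &tls.Config{RootCAs: caPool}
	if cert != nil { // offer it unconditionally so the server, not the client, makes the decision
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return cert, nil }
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn) // a rejection arrives here, e.g. "remote error: tls: bad certificate"
	if err != nil || string(reply) != "ok" {
		return fmt.Errorf("not admitted: %v (reply %q)", err, reply)
	}
	return nil
}

// RunScenario builds a throwaway PKI, starts the mTLS server and tries three clients: one with a
// certificate from the trusted CA, one with no certificate, and one whose certificate carries the
// same name but was minted by a CA the server does not trust.
func RunScenario() (trusted, anonymous, untrusted bool) {
	_, ca, caKey := issue("demo-ca", nil, nil, nil)
	serverCert, _, _ := issue("api.internal", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	clientCert, _, _ := issue("batch-job", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	_, rogueCA, rogueKey := issue("rogue-ca", nil, nil, nil)
	rogueCert, _, _ := issue("batch-job", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, rogueCA, rogueKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln := serve(serverCert, pool)
	defer ln.Close()
	addr := ln.Addr().String()
	return connect(addr, pool, &clientCert) == nil, // trusted
		connect(addr, pool, nil) == nil, // anonymous
		connect(addr, pool, &rogueCert) == nil // untrusted
}
```

The essential lines are ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs. Without them the same listener accepts any client that can reach it, and the eavesdropping and lateral movement the advisory describes come down to network reachability; with them, possession of a certificate is not enough either, since the rogue-ca client is refused because its issuer is not in the server's trust store. Note also that with TLS 1.3 the client's tls.Dial returns before the server has evaluated the client certificate, so a client has to look at its first read, not just at the dial, to learn whether it was admitted.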
