Sophisticated “high-impact” ransomware attacks against critical infrastructure sectors are increasing worldwide, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA), which cited cybersecurity authorities in the United States, Australia, and the United Kingdom. The advisory also noted that the criminal business model for ransomware continues to evolve, making it harder to “identify conclusively” specific criminal groups because of the complex networks of developers, affiliates, and freelancers.
In 2021, the FBI, CISA, and the National Security Agency (NSA) observed ransomware attacks against 14 of the 16 U.S. critical infrastructure sectors, including the defense industrial base, emergency services, food and agriculture, government facilities, and information technology, CISA said in the advisory.
The advisory also noted that the ransomware market has become increasingly professional, pointing to the emergence of Ransomware-as-a-Service (RaaS) and to threat actors' use of independent services to negotiate and arbitrate payment disputes and of “help centers” that restore encrypted systems and expedite payments.
Other highlights of the advisory include:
- Sharing of victim information / quick-change artists: Eurasian ransomware groups share victim information and morph quickly, CISA said. For example, the BlackMatter ransomware group, after announcing its shutdown, transferred its existing victims to infrastructure owned by another group, known as LockBit 2.0. In October 2021, Conti ransomware actors began selling access to victims’ networks, enabling follow-on attacks by other cyber threat actors.
- Shift away from “big-game” hunting in the United States: Ransomware actors have moved away from big-game U.S. victims such as Colonial Pipeline Company, JBS Foods, and Kaseya and toward mid-sized victims, in order to reduce scrutiny from authorities.
- Triple extortion: After encrypting victim networks, ransomware attackers in the U.S. are increasingly turning to “triple extortion” by threatening to publicly release stolen sensitive information, disrupt the victim’s internet access, and/or inform the victim’s partners, shareholders, or suppliers about the incident, according to CISA.
- Threat actors may target command-line utilities, scripting activities, and permissions: Privilege escalation and lateral movement often depend on software utilities that run from the command line, CISA noted. If threat actors cannot run these tools, they will have difficulty escalating privileges and/or moving laterally. Organizations should use Group Policy to disable macros in files received from external sources, CISA suggested.
- Targeting the cloud. “Ransomware developers targeted cloud infrastructures to exploit known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software,” CISA said, adding that ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data. Ransomware criminals have also targeted cloud service providers to encrypt customer data, CISA said.
- Targeting managed service providers. Ransomware criminals are targeting managed service providers (MSPs) because of “trusted accesses into client organizations … By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise,” according to CISA.
- Attacking the software supply chain. Ransomware threat actors targeted the software supply chain to compromise and extort their customers. “Targeting software supply chains allows ransomware threat actors to increase the scale of their attacks by accessing multiple victims through a single initial compromise,” CISA said.
Mitigations suggested by CISA include:
- Implement end-to-end encryption. Deploying mutual Transport Layer Security (mTLS) can prevent eavesdropping on communications, which, in turn, can prevent cyber threat actors from gaining insights needed to advance a ransomware attack.
- Enforce the principle of least privilege through authorization policies. Minimize unnecessary privileges for identities. “Consider privileges assigned to human identities as well as non-person (e.g., software) identities. In cloud environments, non-person identities…with excessive privileges are a key vector for lateral movement and data access.”
- Implement time-based access for privileged accounts. “Just-in-time access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the zero trust model) by setting network-wide policy to automatically disable admin accounts at the Active Directory level.”
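The two preceding mitigations, least privilege for non-person identities and time-based privileged access, can be shown on the same data. The Python below is an added example, not code from the advisory or the article: it models a simplified IAM-style policy language (Effect/Action/Resource/Condition, in the shape of AWS IAM documents) with a constructed CI/CD service identity. One function audits the identity's standing policy for service-wide and global wildcards of the kind the advisory calls a key vector for lateral movement; a second builds a just-in-time grant as a time-bounded Allow statement; a third evaluates requests so that the grant stops being honoured once its window closes. The evaluator is a teaching model written for this page, not a cloud provider's engine, and the `arn:example:` identifiers are constructed.

```python
"""Added example (not from the CISA advisory or the article): a simplified
IAM-style policy model showing (1) an excessive-privilege audit of a service
identity and (2) a just-in-time grant that expires.  Constructed sample data."""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed sample: a CI/CD service identity written for convenience, not for
# the narrow job it performs.
CI_SERVICE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:example:s3:::build-artifacts/*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},   # whole service
        {"Effect": "Allow", "Action": "*", "Resource": "*"},       # full admin
    ]
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def find_excessive_privileges(policy: Dict) -> List[str]:
    """Flag Allow statements granting every action, an entire service, or every
    resource: the standing privilege an intruder inherits with stolen credentials."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for a in _as_list(st["Action"]):
            if a == "*":
                findings.append(f"statement {i}: Action '*' grants every API call")
            elif a.endswith(":*"):
                findings.append(f"statement {i}: Action '{a}' grants an entire service")
        if "*" in _as_list(st["Resource"]) and "Condition" not in st:
            findings.append(f"statement {i}: Resource '*' with no Condition")
    return findings


def jit_grant(action: str, resource: str, start: datetime, minutes: int) -> Dict:
    """A time-boxed Allow: valid only strictly between start and start+minutes."""
    end = start + timedelta(minutes=minutes)
    return {"Effect": "Allow", "Action": action, "Resource": resource,
            "Condition": {"DateGreaterThan": {"aws:CurrentTime": start.isoformat()},
                          "DateLessThan": {"aws:CurrentTime": end.isoformat()}}}


def _condition_holds(cond: Dict, now: datetime) -> bool:
    """This model supports only the two date operators used by jit_grant."""
    for op, kv in cond.items():
        if op not in ("DateGreaterThan", "DateLessThan"):
            raise ValueError(f"unsupported condition operator in this model: {op}")
        bound = datetime.fromisoformat(kv["aws:CurrentTime"])
        if op == "DateGreaterThan" and not now > bound:
            return False
        if op == "DateLessThan" and not now < bound:
            return False
    return True


def is_allowed(policy: Dict, action: str, resource: str, now: datetime) -> bool:
    """Deny by default; an explicit Deny wins; an Allow must match action,
    resource and condition at the evaluation time `now`."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), now):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample: the same identity after remediation, with least-privilege
# standing access plus a 30-minute JIT grant for one privileged operation.
GRANT_START = datetime(2021, 10, 1, 9, 0, tzinfo=timezone.utc)
IN_WINDOW = GRANT_START + timedelta(minutes=10)
AFTER_WINDOW = GRANT_START + timedelta(minutes=31)
REMEDIATED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:example:s3:::build-artifacts/*"},
        jit_grant("iam:PassRole", "arn:example:iam::role/deploy", GRANT_START, 30),
    ]
}

if __name__ == "__main__":
    for line in find_excessive_privileges(CI_SERVICE_POLICY):
        print("before:", line)
    print("after:", find_excessive_privileges(REMEDIATED_POLICY) or "no findings")
    print("PassRole in window:", is_allowed(REMEDIATED_POLICY, "iam:PassRole",
                                            "arn:example:iam::role/deploy", IN_WINDOW))
    print("PassRole after window:", is_allowed(REMEDIATED_POLICY, "iam:PassRole",
                                               "arn:example:iam::role/deploy", AFTER_WINDOW))
```

The audit is the review step: run it against every service identity's policy before looking at anything else, since a single `"Action": "*"` makes the rest of the document irrelevant. The JIT grant shows why a time-bounded condition is preferable to a permanently attached privilege: the same evaluator that permits `iam:PassRole` ten minutes into the window denies it one minute after the window closes, with no operator action required.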