The ransomware landscape hasn’t changed much in terms of volume, yet SecureWorks researchers report that the incident response engagements they handled in May and June 2022 show a drop in successful ransomware attacks. It is still too early to draw conclusions from this. Several factors could explain the decline, most notably the disruptive effect of the war in Ukraine on ransomware operations, the economic sanctions designed to create friction for ransomware operators, and the demise of Gold Ulrick’s Conti ransomware-as-a-service operation.
Ransomware Trends for 2022
The researchers also wonder whether a new trend is emerging in which operators target a greater number of smaller organizations rather than large corporations, since smaller victims are likely to draw less law enforcement attention.
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
On the other hand, the window in which network defenders can mount a successful defense against a ransomware intrusion is shrinking. That window runs from the moment of initial compromise to the deployment of the ransomware and the encryption of data. In 2022, the median length of that window is 4.5 days, compared with 5 days in 2021, while the mean dwell time fell from 22 days in 2021 to 11 days in 2022. Ransomware operators are managing their time more efficiently and spending less time idle on a compromised system than before.
The strongest measure against these attacks is, of course, to prevent or detect the initial breach before additional payloads are deployed and before the attacker begins lateral movement.
Unsurprisingly, the main initial access vectors are exploitation of remote services and misuse of credentials (Figure A).
Ransomware operators are also increasingly using cross-platform malware written in Rust or Go, which lets them compile the same code for several operating systems without modifying it.
“Hack and Leak” Attacks Are Still a Threat
Some cybercrime gangs have decided not to use ransomware at all. Instead, they compromise systems and steal sensitive information before making ransom demands; if the victim does not pay, the data is leaked publicly.
The groups using this type of attack generally compromise systems through internet-facing VPN services, where they exploit vulnerabilities or use weak or stolen credentials. Once inside, they often rely on native operating system tools to carry out their tasks, which makes them harder to detect.
The Biggest Initial Compromise Vector: Remote Services Exploitation
Exploiting vulnerabilities in internet-facing devices, servers and services became the most common initial access vector (IAV) in 2021, according to SecureWorks. Threat actors use any vulnerability that helps them compromise systems, while defenders tend to be slow to patch.
The most dangerous vulnerabilities are those that allow remote code execution without any authentication.
The researchers also note that, from a defensive standpoint, it is more effective to find and remediate the vulnerabilities themselves than to rely on detecting exploits, since exploit code can be modified to bypass detections.
Infostealer and loader malware
The return of the Emotet loader, with its ability to deliver additional malware onto infected systems, showed how persistent some cybercriminal gangs can be even after law enforcement takes down their infrastructure.
Loaders are pieces of software used in the early stages of an infection to install additional malware, often ransomware or infostealers. Bumblebee is cited as an example of a fast-growing threat used to drop Cobalt Strike, Metasploit and Sliver framework payloads, but several other efficient loaders are in circulation.
Infostealer malware is often used to collect valid credentials, which are then sold on underground marketplaces such as Genesis Market, Russian Market or 2easy.
Genesis Market has been in business since 2018 and sells access to victims’ computers, including the login credentials stolen from them. Each listing shows the credentials available on the machine and comes with custom bot software that lets the buyer impersonate the victim’s browser (Figure B).
According to the researchers, the main infostealer families are currently RedLine, Vidar, Raccoon, Taurus and AZORult.
Drive-by Downloads Are Still a Thing
A drive-by download is a technique that tricks unsuspecting users into downloading malware when they visit compromised or fraudulent websites.
For example, the threat actor Gold Zodiac makes extensive use of search engine optimization (SEO) poisoning, using layers of public blog posts and compromised WordPress sites to push malicious links to the top of Google’s search results. Once a user visits one of those sites, they are tricked into downloading GootLoader, which in turn downloads Cobalt Strike payloads used for ransomware delivery.
Business Email Compromise
SecureWorks’ analysis shows a 27% increase in business email compromise (BEC) incidents in the first half of 2022 compared with the same period in 2021, with attackers still using the same simple but effective techniques.
The most common method is to get a targeted company to wire money to a bank account the attackers control, by impersonating a manager or executive and using various social engineering techniques. Attackers often compromise company email accounts first so that their messages look more legitimate.
Cyber espionage continues quietly
State-sponsored cyber-espionage operations have continued at a steady pace and have not yielded many new techniques in 2022, probably because the attackers do not need greater sophistication to accomplish their objectives.
Chinese threat actors continue to rely on PlugX and ShadowPad as their main malware, often using DLL sideloading to load and run it. Some actors have raised the bar by keeping most of their tooling in memory and leaving less on the compromised hosts’ disks.
Iran continues to target Israel and other countries in the Middle East, as well as dissidents at home and abroad. In 2021 and 2022, ties between some threat actors and the Iranian government have also strengthened. Technically, many Iranian actors use DNS tunneling as an evasion technique. Some have also been observed deploying ransomware, though it is likely used for disruption rather than financial gain.
Russia’s cyber-espionage capabilities have not changed much and are still aimed at the West, especially the NATO alliance. While Russia was expected to bring advanced destructive capabilities to bear after the start of the war in Ukraine, its efforts have not had much impact on the conflict, according to SecureWorks. Still, reports from Ukraine’s national Computer Emergency Response Team, CERT-UA, show a steady cadence of Russian operations against Ukrainian targets.
North Korean threat actors are still focused on financial theft, especially cryptocurrency. In March 2022, the infamous Lazarus group stole more than $540 million by compromising validator nodes of the Ronin Network, an Ethereum sidechain.
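DNS tunneling, mentioned above as a common evasion technique among Iranian actors, has a recognizable shape in resolver logs: many unique, long, high-entropy labels under a single registered domain, often as TXT or NULL queries. The following Python script is an added example written for this article, not SecureWorks tooling or code from the report; it parses a constructed resolver log (the domain c2-assumed.test and all addresses are made up) and flags domains whose query pattern matches that shape. The thresholds are illustrative starting points, and the registered-domain split assumes "last two labels", which real code should replace with a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Fields: timestamp, client IP, query name, record type.
# Client 10.0.0.9 sends long, random-looking labels under one domain, the shape DNS tunnelling takes.
# "c2-assumed.test" is a made-up domain for this example.
SAMPLE_DNS_LOG = """\
2022-06-01T10:00:01Z 10.0.0.5 www.example.com A
2022-06-01T10:00:02Z 10.0.0.5 mail.example.com A
2022-06-01T10:00:03Z 10.0.0.7 cdn.example.net A
2022-06-01T10:00:04Z 10.0.0.9 k7m2xq9wpz4hrt6bvs3nda8j.c2-assumed.test TXT
2022-06-01T10:00:05Z 10.0.0.9 q3zt8kw5hr2mbx7ncv9jpa4d.c2-assumed.test TXT
2022-06-01T10:00:06Z 10.0.0.9 w9pm4xkz6tr3bqh8vn2jsd7a.c2-assumed.test TXT
2022-06-01T10:00:07Z 10.0.0.9 h2xq7zkm9rt4wbp3nv8sjd6a.c2-assumed.test TXT
2022-06-01T10:00:08Z 10.0.0.9 t6rk3zpx8qm2hw7bvn4sjd9a.c2-assumed.test TXT
2022-06-01T10:00:09Z 10.0.0.5 login.example.com A
"""

# Illustrative thresholds (assumptions, not tuned values): a domain is flagged only when
# it shows many distinct subdomains that are both long and high-entropy.
MIN_UNIQUE_SUBDOMAINS = 4
MIN_MEAN_SUBDOMAIN_LEN = 20
MIN_MEAN_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split a query name into (subdomain part, registered domain).

    Assumption: the registered domain is the last two labels. Production code should use
    the Public Suffix List so that names under e.g. co.uk are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze_dns_log(log_text: str) -> dict:
    """Aggregate queries per registered domain and flag tunnelling-shaped traffic."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "clients": set(), "queries": 0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        sub, reg = split_name(qname)
        d = per_domain[reg]
        d["queries"] += 1
        d["clients"].add(client)
        if sub:
            d["subdomains"].add(sub)
        if qtype.upper() in ("TXT", "NULL"):  # record types favoured by tunnels for payload capacity
            d["txt"] += 1

    report = {}
    for reg, d in per_domain.items():
        subs = d["subdomains"]
        mean_len = sum(len(s) for s in subs) / len(subs) if subs else 0.0
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs) if subs else 0.0
        flagged = (len(subs) >= MIN_UNIQUE_SUBDOMAINS
                   and mean_len >= MIN_MEAN_SUBDOMAIN_LEN
                   and mean_ent >= MIN_MEAN_ENTROPY)
        report[reg] = {
            "unique_subdomains": len(subs),
            "clients": sorted(d["clients"]),
            "mean_subdomain_len": round(mean_len, 2),
            "mean_entropy": round(mean_ent, 2),
            "txt_ratio": round(d["txt"] / d["queries"], 2),
            "flagged": flagged,
        }
    return report


def flagged_domains(log_text: str) -> list:
    """Registered domains whose traffic matches the tunnelling heuristic, sorted."""
    return sorted(reg for reg, r in analyze_dns_log(log_text).items() if r["flagged"])


if __name__ == "__main__":
    for reg, r in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(reg, r)
```

On the sample log, only c2-assumed.test is flagged; the example.com names are short, few and low-entropy. In practice, run this over a day of resolver logs and review flagged domains rather than alerting on them blindly, since CDNs, anti-spam lookups and some telemetry agents also generate long random-looking labels.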
Attackers Keep Finding Ways Around MFA
Several threat actors have compromised accounts that were not yet enrolled in multi-factor authentication (MFA) and registered their own devices, so that when MFA was later enforced the attacker’s device was already trusted and the control was effectively bypassed.
Another technique still widely used is “prompt bombing”, in which the attacker, holding a valid password, repeatedly attempts to log in and floods the target with MFA push prompts, hoping the user will be distracted or annoyed enough to approve one of them.
Attackers can also use social engineering to get around MFA, for example calling users and using various pretexts to persuade them to approve an authentication request for the targeted service.
Other methods include phishing kits built on transparent reverse proxies, which capture credentials and session cookies in real time as the victim authenticates, bypassing MFA.
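Two of the MFA abuses described above leave a trail in identity-provider audit logs: prompt bombing shows up as a burst of push prompts, several of them denied, followed by an approval, and the device-registration trick shows up as a new MFA device enrolled shortly after a source address first appears for that user. The script below is an added example written for this article, not code from SecureWorks or any identity provider; it runs both detections over a constructed audit log (event names, users and addresses are made up, and the log format is an assumption). It generalizes the device-registration case slightly: rather than checking only accounts without MFA, it flags any enrollment that follows too closely on the first sighting of the source IP.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed identity-provider audit events (not a real vendor format).
# Fields: timestamp, user, event, source IP. Scenarios:
#  - alice denies three push prompts in two minutes and then approves the fourth (prompt bombing)
#  - bob signs in from an IP never seen for him and enrols a new MFA device 90 seconds later
#  - carol is a normal sign-in and must not be flagged
SAMPLE_AUTH_LOG = """\
2022-06-01T07:30:00Z bob password_ok 198.51.100.20
2022-06-01T07:30:01Z bob mfa_push_sent 198.51.100.20
2022-06-01T07:30:10Z bob mfa_push_approved 198.51.100.20
2022-06-01T08:00:05Z alice password_ok 203.0.113.10
2022-06-01T08:00:06Z alice mfa_push_sent 203.0.113.10
2022-06-01T08:00:20Z alice mfa_push_denied 203.0.113.10
2022-06-01T08:00:40Z alice password_ok 203.0.113.10
2022-06-01T08:00:41Z alice mfa_push_sent 203.0.113.10
2022-06-01T08:00:55Z alice mfa_push_denied 203.0.113.10
2022-06-01T08:01:10Z alice password_ok 203.0.113.10
2022-06-01T08:01:11Z alice mfa_push_sent 203.0.113.10
2022-06-01T08:01:30Z alice mfa_push_denied 203.0.113.10
2022-06-01T08:02:00Z alice password_ok 203.0.113.10
2022-06-01T08:02:01Z alice mfa_push_sent 203.0.113.10
2022-06-01T08:02:15Z alice mfa_push_approved 203.0.113.10
2022-06-01T09:00:00Z carol password_ok 198.51.100.7
2022-06-01T09:00:01Z carol mfa_push_sent 198.51.100.7
2022-06-01T09:00:09Z carol mfa_push_approved 198.51.100.7
2022-06-01T10:15:00Z bob password_ok 192.0.2.44
2022-06-01T10:15:01Z bob mfa_push_sent 192.0.2.44
2022-06-01T10:15:09Z bob mfa_push_approved 192.0.2.44
2022-06-01T10:16:30Z bob mfa_device_enrolled 192.0.2.44
"""

# Illustrative thresholds (assumptions): tune against your own sign-in baseline.
PUSH_WINDOW = timedelta(minutes=10)   # look-back for counting push prompts per user
PUSH_THRESHOLD = 3                    # prompts in the window before an approval is suspicious
ENROL_WINDOW = timedelta(hours=1)     # enrolment this soon after an IP's first sighting is suspicious


def parse_events(log_text: str) -> list:
    """Parse log lines into (timestamp, user, event, ip) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_mfa_abuse(log_text: str, push_window=PUSH_WINDOW,
                     push_threshold=PUSH_THRESHOLD, enrol_window=ENROL_WINDOW) -> list:
    """Return alerts for prompt bombing and for device enrolment from a freshly seen IP."""
    alerts = []
    recent = defaultdict(deque)      # user -> (ts, event) for push events inside the window
    first_seen = defaultdict(dict)   # user -> {ip: timestamp of first event from that ip}
    for ts, user, event, ip in parse_events(log_text):
        first_seen[user].setdefault(ip, ts)
        if event.startswith("mfa_push_"):
            q = recent[user]
            q.append((ts, event))
            while q and ts - q[0][0] > push_window:
                q.popleft()
            if event == "mfa_push_approved":
                sent = sum(1 for _, e in q if e == "mfa_push_sent")
                denied = sum(1 for _, e in q if e == "mfa_push_denied")
                # An approval that follows a burst of prompts with at least one denial is the
                # signature of a user giving in to prompt bombing.
                if sent >= push_threshold and denied >= 1:
                    alerts.append({"user": user, "type": "prompt_bombing", "at": ts.isoformat(),
                                   "ip": ip, "pushes": sent, "denials": denied})
        elif event == "mfa_device_enrolled":
            age = ts - first_seen[user][ip]
            if age <= enrol_window:
                alerts.append({"user": user, "type": "new_device_from_new_ip", "at": ts.isoformat(),
                               "ip": ip, "ip_age_seconds": int(age.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_abuse(SAMPLE_AUTH_LOG):
        print(alert)
```

The "first sighting" baseline here is only as long as the log being analyzed, so in production feed it at least a few weeks of history per user before trusting the enrolment alert; otherwise every legitimate user enrolling from home on day one would be flagged. Number matching on the push prompt and phishing-resistant authenticators remove the prompt-bombing and reverse-proxy problems at the source, but this kind of detection is still useful during the transition.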
Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.