Ransomware operations remain highly impactful in 2022
Several high-profile ransomware events were observed over the course of 2021, such as the attack against Colonial Pipeline, headquartered in Georgia, U.S., where attackers allegedly exfiltrated about 100 GB of data from the compromised network. This event changed ransomware operations in the underground: increased media attention brought pressure from law enforcement against operators and affiliates of these services. After administrators shut down ransomware activity on their respective forums, the RAMP forum was created and became the go-to platform for threat actors to discuss ransomware-related operations. While we occasionally continue to see discussions of ransomware on the Exploit and XSS underground forums, there were no recent advertisements for these services at the time of this report. We also observed threat actors claiming they would not target certain industries in order to reduce the attention that high-profile attacks draw, including specific actors who stated their affiliates were prohibited from targeting government, health care and educational institutions. They largely kept their word. However, the BlackMatter ransomware-as-a-service (RaaS) was affiliated with an attack on an education center after previous claims of restraint against critical infrastructure. Although the group was not explicit in its definition of "critical infrastructure," this subsequent attack on a public sector entity raised doubts about its claims and reduced the likelihood that other groups which had made similar adjustments would stand by their revised models.
Assessment
Ransomware attacks against organizations can cause a vast amount of damage and are considered a global threat. If a business falls victim to a ransomware attack, it can suffer unpredictable downtime, reputational damage and financial repercussions when facing a ransom payment. Impacted entities likely will need to invest time and resources into recovery and remediation efforts, as well as increase security measures to protect against future incidents. Understanding the stages of a ransomware attack and the tactics, techniques and procedures (TTPs) of threat actors who use ransomware as a primary attack method can assist organizations in these efforts.
Five Stages of Ransomware Event
- Initial Point of Entry (threat actor gains access to the environment)
- Understand the Environment (threat actor identifies systems to target)
- Lateral Movement (threat actor moves through the environment)
- Data Exfiltration (threat actor identifies relevant data and exfiltrates it from systems)
- Ransomware Deployment (threat actor deploys ransomware onto systems; extortion tactics depend on the ransomware group)
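Each of the five stages leaves distinct evidence in telemetry, and a defender who can tie events back to a stage knows how far an intrusion has progressed. The script below is an added illustration of that idea, not code from the original report: it runs a handful of constructed host and network events through simple heuristic rules (the event format, field names, tool list and thresholds are all assumptions chosen for the example) and returns which stage each event indicates and when each stage was first seen.

```python
"""Map constructed host/network events onto the five ransomware stages.

Added illustration; not part of the original report. The event format,
field names, recon tool list and numeric thresholds below are assumptions
chosen for the example, not vendor or report-defined values.
"""
from collections import defaultdict

STAGES = [
    "Initial Point of Entry",
    "Understand the Environment",
    "Lateral Movement",
    "Data Exfiltration",
    "Ransomware Deployment",
]

# Constructed sample telemetry (not real data): (timestamp, source host, kind, details)
EVENTS = [
    ("2022-01-10T08:02", "vpn-gw", "vpn_login", {"user": "jsmith", "mfa": False, "geo": "unusual"}),
    ("2022-01-10T08:15", "ws-017", "process", {"image": "nltest.exe", "args": "/dclist:"}),
    ("2022-01-10T08:16", "ws-017", "process", {"image": "net.exe", "args": 'group "Domain Admins" /domain'}),
    ("2022-01-10T09:40", "ws-017", "logon", {"type": 3, "target": "fs-01", "user": "jsmith"}),
    ("2022-01-10T09:41", "ws-017", "logon", {"type": 3, "target": "db-02", "user": "jsmith"}),
    ("2022-01-10T09:42", "ws-017", "logon", {"type": 3, "target": "dc-01", "user": "jsmith"}),
    ("2022-01-11T02:10", "fs-01", "net_flow", {"dst": "203.0.113.9", "bytes_out": 95_000_000_000}),
    ("2022-01-12T03:00", "fs-01", "file_rename", {"new_ext": ".locked", "count": 48213}),
    ("2022-01-12T03:01", "fs-01", "file_create", {"name": "HOW_TO_RESTORE.txt"}),
]

# Heuristic thresholds (assumptions for the example; tune to your environment)
RECON_TOOLS = {"nltest.exe", "net.exe", "adfind.exe", "whoami.exe"}
EXFIL_BYTES = 10 * 1024 ** 3   # >= 10 GiB outbound to one external host
MASS_RENAME = 1000             # renames to one new extension in a burst
LATERAL_HOSTS = 3              # distinct targets reached by network logon from one source


def classify(events):
    """Return a list of (timestamp, host, stage, reason) findings in event order."""
    findings = []
    lateral = defaultdict(set)  # (source host, user) -> targets reached by network logon
    for ts, host, kind, d in events:
        if kind == "vpn_login" and (not d.get("mfa") or d.get("geo") == "unusual"):
            findings.append((ts, host, STAGES[0], f"VPN login for {d['user']} without MFA or from unusual geo"))
        elif kind == "process" and d["image"].lower() in RECON_TOOLS:
            findings.append((ts, host, STAGES[1], f"AD discovery: {d['image']} {d['args']}"))
        elif kind == "logon" and d.get("type") == 3:
            key = (host, d["user"])
            lateral[key].add(d["target"])
            if len(lateral[key]) == LATERAL_HOSTS:  # fire once, when the threshold is crossed
                findings.append((ts, host, STAGES[2], f"{d['user']} reached {LATERAL_HOSTS} hosts from {host}"))
        elif kind == "net_flow" and d["bytes_out"] >= EXFIL_BYTES:
            findings.append((ts, host, STAGES[3], f"{d['bytes_out'] / 1024 ** 3:.1f} GiB sent to {d['dst']}"))
        elif kind == "file_rename" and d["count"] >= MASS_RENAME:
            findings.append((ts, host, STAGES[4], f"{d['count']} files renamed to {d['new_ext']}"))
        elif kind == "file_create" and "restore" in d["name"].lower():
            findings.append((ts, host, STAGES[4], f"ransom note dropped: {d['name']}"))
    return findings


def stage_timeline(events):
    """Earliest timestamp at which each stage was observed, in stage order."""
    first_seen = {}
    for ts, _host, stage, _reason in classify(events):
        first_seen.setdefault(stage, ts)
    return [(stage, first_seen[stage]) for stage in STAGES if stage in first_seen]


if __name__ == "__main__":
    for finding in classify(EVENTS):
        print(" | ".join(str(x) for x in finding))
    print()
    for stage, ts in stage_timeline(EVENTS):
        print(f"{ts}  {stage}")
```

The point of the timeline is the gap between stages: in the constructed data, two full days separate the first discovery commands from the mass rename, which is the window in which a detection on the earlier stages would have prevented the deployment.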
The evolution of ransomware has included extortion tactics layered on top of encryption and data theft (commonly described as double or triple extortion), such as distributed denial-of-service (DDoS) attacks against the victim, phone calls to an organization's management team and use of the media to add pressure on victim organizations to pay a ransom. The success of these tactics suggests ransomware operators likely will continue to diversify attack strategies and use modified extortion methods to increase payment outcomes in 2022. Additionally, these tactics may raise a RaaS group's reputation, which in turn may increase its negotiating power.
Analyst comment
Threat actors have endless opportunities to leverage ransomware services, and the number of services available has given attackers at all skill levels the ability to profit.
Ransomware operators continue to adapt to new challenges, allowing their services to take on variable and sometimes novel characteristics. This means there is no single course of action that protects against all ransomware variants; it emphasizes the need for analysts and threat teams to study ransomware services holistically in order to implement strategies that protect their organizations effectively. As we move through 2022, it will be instructive to observe ransomware attacks and the respective operators' targeting methodology. The popular opportunistic approach that indiscriminately infects as many victims as possible likely will remain a large portion of all observed events. However, we likely also will see operators and affiliates conduct advanced research on potential victims and target those that will ensure a higher ransom payout. The question remains: Will quantity or quality take precedence in 2022?