Kronos. Colonial Pipeline. JBS. Kaseya. These are only a handful of 2021’s high-profile victims of threat groups including DarkSide, REvil, and BlackMatter.
According to Kela’s analysis of dark web forum activity, the “perfect” prospective ransomware victim in the US will have a minimum annual revenue of $100 million and preferred access purchases include domain admin rights, as well as entry into Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services.
Over the past few years, we’ve seen ransomware operators evolve from disorganized splinter groups and individuals to highly sophisticated operations, with separate teams collaborating to target everything from SMBs to software supply chains.
Ransomware infection is no longer an end goal of a cyberattack. Instead, malware families in this arena – including WannaCry, NotPetya, Ryuk, Cerber, and Cryptolocker – can be one component of attacks designed to elicit a blackmail payment from a victim organization.
Cisco Secure calls current ransomware tactics “double-extortion.” Victims will have their systems encrypted in one facet of an attack, and a ransom note will demand payment, normally in Bitcoin (BTC). However, to pile on the pressure, ransomware groups may also steal corporate data before decryption and will threaten to publish or sell on this information, too, unless a payment is agreed upon and made.
The European Union Agency for Cybersecurity (ENISA) said there was a 150% rise in ransomware attacks between April 2020 and July 2021. According to the agency, we are experiencing the “golden era of ransomware,” in part due to multiple monetization options.
This is particularly notable in “Big Game hunting” when ransomware operators will specialize in going after large and profitable companies.
With this in mind, what can we expect from ransomware operators in 2022?
Ransomware-as-a-Service will continue to climb
Ransomware-as-a-Service (RaaS) is an established industry within the ransomware business, in which operators will lease out or offer subscriptions to their malware creations to others for a price – whether this is a per month deal or a cut of any successful extortion payments.
Considering the lucrative nature of RaaS and the difficulty of tracking down and prosecuting operators, it should come as no surprise that many security experts believe this business model will continue to flourish in 2022.
“We’re going to see a continued increase in the severity and volume of ransomware attacks,” commented Andy Fernandez, senior product marketing manager at HPE company Zerto. “In response, we will see a growth in the ransomware-as-a-service market, which is able to propagate new versions and new methods in a much faster way than before. Whether you are a small business or large enterprise, at some point, you will be targeted by a ransomware attack that will try to get into your system and encrypt your critical data.”
Increased attack risk
An emerging trend documented by CrowdStrike is multiple attacks leveraged against organizations once they have been successfully compromised. Data exfiltration and extortion go hand-in-hand, and according to CTO Mike Sentonas, in addition to the threat of sensitive data becoming public, “some criminals have been known to sell files to each other or even to a competitor in a foreign market.”
“This means that even if a company has paid one criminal gang, another could emerge from the shadows and demand precisely the same thing,” Sentonas says.
Other experts, including those from Picus Security, suggest that we may see more extortion methods become commonly employed – such as launching Distributed Denial-of-Service (DDoS) attacks or the harassment of customers and partners.
Pay to stay away?
Another potential method of extortion we may see next year is that of companies paying operators not to attack them. Joseph Carson, Chief Security Scientist at ThycoticCentrify, suggests that while RaaS is already in full swing, “ransomware could even evolve further into a subscription model in which you pay the criminal gangs to not target you.” See also:
Ransomware: It’s a ‘golden era’ for cybercriminals - and it could get worse before it gets better This is the perfect ransomware victim, according to cybercriminals Ransomware attackers targeted this company. Then defenders discovered something curious
The Great Resignation
The COVID-19 pandemic has, perhaps permanently, changed the face of work. Many of us were forced to work from home and have now adopted home office setups – and in many cases – have decided to resign from existing posts to pursue other opportunities.
Thales believes that in 2022, what is known as The Great Resignation will also have ramifications for cybersecurity, predicting a “direct correlation between staff turnover and cyber incidents.”
Also: Hybrid work here to stay: What does that mean for security?
According to the firm, organizations that have already lost staff will have to train new employees unfamiliar with existing protocols and may not have adequate levels of security awareness.
Business ecosystems contain many different processes, partners, and software, which may increase the risk of a business becoming compromised, and ransomware may be one of the top threats companies face today.
“There is also the issue of fatigued or disgruntled workers,” commented Thales’ Global VP of Engineering and Cloud Operations Ashvin Kamaraju. “Even if they are not malicious, they may be increasingly lax in following employee guidelines. In 2022, the cost to replace an employee needs to go beyond recruitment and training costs. And after the rush to fill seats, organizations need to double down on training and onboarding.”
Also: Everyone is burned out. That’s becoming a security nightmare
Going quantum?
BlackBerry CISO John McClurg predicts that emerging technologies may also have an impact on how ransomware is used in 2022 and beyond.
Quantum computing, the concept of using quantum physics to enhance a computer’s ability to perform calculations, could be one of these areas. While outside of the realm of most attackers, McClurg says that leaps forward in quantum computing could also be leveraged to develop new attack vectors.
Also: Hackers could steal encrypted data now and crack it with quantum computers later, warn analysts
“One of the more controversial uses of quantum computing is its potential to break public-key cryptography,” the executive explained. “In just a few short years, security information stored by national and international intelligence will be easily decrypted through a powerful quantum computer. This will leave highly sensitive data vulnerable to threat actors, causing an enormous potential for widespread security breaches.”
Also: Spy chief’s warning: Our foes are now ‘pouring money’ into quantum computing and AI
Implications for cyber insurance
The explosion in high-profile ransomware attacks is also potentially going to cause massive shifts in cyber insurance, premiums, and whether or not ransomware incidents will be covered at all.
Also: What is cyber insurance? What it covers and how it works
With blackmail payouts now reaching millions of dollars, insurers are likely to re-examine if coverage can be offered – and if so, will impose strict requirements in what cases a policy will payout. This may include bans on paying a ransom entirely, forcing applicants to adhere to industry-accepted security standards, agreeing to consist employee training, and more.
Ritesh Singhai, Senior Director, EMEA Solutions at Secureworks, told ZDNet that there will be a “watershed” moment for cyber insurance providers in the future, and coverage for some threats – including ransomware – will become “prohibitively expensive.”
Also: Cyber insurance might be making the ransomware crisis worse, say researchers
“None of this will fundamentally change the threat that organizations face, although the challenges around recouping a loss may change the risk calculation, increasing the value of effective preparation and incident response plans,” Singhai added.
Previous and related coverage
Kronos hit with ransomware, warns of data breach and ‘several week’ outage. Virginia legislative agencies and commissions hit with ransomware attack. Ransomware is now a giant black hole that is sucking in all other forms of cybercrime.
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0