Article by Scott Leach, Vice President of Varonis APJ.
In 2021, threat actors deployed ransomware in multiple high-profile attacks against large enterprises and critical infrastructure. Overall, five standout trends shed light on the new tactics and strategies attackers are using to gain access to corporate networks.
1. Ransomware-as-a-Service became the model of choice
Ransomware-as-a-Service (RaaS), which allows attackers to use pre-developed ransomware tools to perform specific parts of their attack, became the preferred model for ransomware attacks in 2021.
With a plethora of RaaS offerings now available on the black market, less experienced hackers are more than capable of executing successful attacks.
RaaS often operates on a subscription model, where hackers pay a fee to access malware applications. Other RaaS offerings operate on a “profit-sharing model” with the goal of building an underground network of partners and subgroups, each specializing in different attacks.
An example of this profit-sharing model is “Initial Access Brokers” (IABs), who use mass scanning tools to examine thousands of organizations and find vulnerable targets. After gaining access to corporate networks, IABs then sell the credentials on the black market, with the sale price depending on the victim’s size and value.
IABs often become affiliates, partners, or subcontractors of other ransomware networks and receive part of the ransom in exchange for their services, giving them additional revenue streams.
However, increased profit sharing also means more risk, as partners and affiliates do most of the dirty work. Any mishap or failure could easily see them identified by investigators and reprimanded with hefty fines.
2. The rise of custom ransomware
Many ransomware groups are now using bespoke ransomware, which is customized based on a specific victim’s network structure and is therefore more difficult to detect than generic ransomware.
In general, most ransomware threats fall under the category of executables that target Windows operating systems. However, as threat actors have gained more knowledge about modern enterprise environments, they have introduced new threats that can target Linux-based hosts, including those used for file storage and virtualization, such as VMware ESX.
As new vulnerabilities emerge, threat actors quickly add them to their arsenal and prey on any organizations that haven’t patched their systems quickly.
Once an attacker has gained access to a victim’s network, their goal is to remain undetected for as long as possible. They often take a “low and slow” approach to data theft to avoid detection by cybersecurity teams while exfiltrating data.
Many ransomware groups also examine a victim’s financial records to find details of cyber insurance policies and to determine the maximum ransom paid under those policies.
3. Big game hunters blackmail victims
As ransomware groups have become more sophisticated, their goals have also become more ambitious. In 2021, hackers turned their attention to “big game hunting” — that is, stealing data from larger companies, which are more likely to pay the ransom than smaller organizations and individuals who don’t have the funds to do so.
Ransomware groups have realized that they don’t even need to encrypt data to be successful; they only have to threaten to make it public. Many large companies with highly sensitive data are willing to pay the ransom to keep it confidential.
For example, disclosure of personally identifiable information (PII) such as ID cards and bank account information can lead to hefty fines and reputational damage. Similarly, intellectual property (IP) leakage can lead to loss of competitive advantage and wasted research costs. The bigger the target, the more likely they are to pay the ransom.
Ransomware groups are constantly evolving their extortion methods – for example, they often contact a company’s customers, employees, and even the media to alert them to the compromised network.
Some won’t work without third-party negotiators, while others tell their victims to pay quietly, without notifying the proper authorities, or face additional consequences.
4. Target the weakest links in the supply chain
A very notable tactic used by threat actors in 2021 (particularly nation-states) was software supply chain attacks, where hackers only need a single entry point to gain access to higher-value enterprise networks throughout the supply chain.
For example, organizations on every continent held their breath as news broke of the infamous Kaseya attack, which affected over 1,000 organizations.
Rather than following the traditional tactic of picking a single target organization and gaining access to its network to deploy ransomware, ransomware groups instead compromised a widely used software vendor, which also gave them access to all of that vendor’s customers and dramatically increased the scope of the attack.
These types of attacks became more common in 2021 and will continue to do so for years to come.
5. Commodity Malware
In 2021, delivering ransomware became almost as easy as ordering takeout online. Essentially, commodity malware is an application that hackers can buy or download for free online, and it continues to be used by everyone from organized cybercrime groups targeting large corporations to script kiddies looking to make a few bucks online.
Some notable examples of popular off-the-shelf malware are njRAT, Formbook, NanoCore, Lokibot, Remcos, AZORult, Netwire, Danabot, and Emotet.