Ransomware attackers have taken a variety of incremental steps over the past year that have resulted in shorter infection-payload cycles — requiring businesses to more quickly respond to potential malicious behavior.
In its "2022 Cyber Threat Landscape Report" published this week, Deep Instinct said that its data shows that execution, persistence, and privilege escalation were the top three attacker actions, as defined by the MITRE ATT&CK framework, suggesting that adversaries had focused on initial infiltration and payload execution as opposed to extensive lateral movement. In addition, the increased adoption of ransomware-as-a-service (RaaS), which is easily accessible on the Dark Web, has resulted in a 15% increase in detected ransomware threats, according to the report.
The threat landscape is going to be extremely treacherous in coming months, especially as cyber operations escalate because of Russia's war on Ukraine, making defensive agility very important, says Shimon Oren, vice president of threat research and AI intelligence for Deep Instinct.
"This means that prevention is more important than ever before," he says. "For certain types of attacks, if you do not have the right posture in place, and be able to detect and remediate very quickly, you will be vulnerable and the damage will already have been done."
Cyberattacks and incidents are now the top concern for businesses in 2022, and ransomware is the top threat, with 57% of business professionals rating the surge in ransomware as their top concern, according to the recently released Allianz Risk Barometer 2022. Seven out of 10 financial firms had suffered a ransomware attack, with the average ransom topping $91,000, although 70% of firms would refuse or have refused to pay the ransom, according to Egress, a cybersecurity firm focused on insider threats.
Ransomware has become an endemic threat for most companies. To mitigate the risk, companies need to harden their network, processes, and people, says Tony Pepper, the firm's CEO and co-founder.
"The best advice is to stop the attackers getting in in the first place," he says. "Make it harder for them to gain access via email specifically — as the vast majority of malware is delivered using phishing emails. Implement the right technology to detect these attacks, and ensure that your people have the tools and the training to spot phishing attempts."
Most companies, however, are focused on mitigating the overall business risk, rather than the specific cybersecurity dangers. While 83% of companies are spending on anti-phishing, 72% maintained a cyber-insurance policy, 64% retained outside legal counsel, and 55% invested in a forensic investigation, according to a report on executives' views on phishing published by Egress.
Return on Investment
For attackers, it's all about return on investment: hitting organizations that can afford to pay, and doing so with multiple attacks. Currently, triple extortion — consisting of encrypting data, stealing data, and using a denial-of-service attack — is the favored method to pressure companies into paying. As long as the returns exceed the costs, ransomware will continue, says Rotem Salinas, senior malware researcher at CyberArk.
"The ROI for ransomware is very high — both when targeting individuals or organizations — so I wouldn’t expect a decline in attack volume," he says.
Attackers are becoming increasingly sophisticated at obfuscating their malware, making it harder to detect. Yet whether the attacker goes for a quick, impactful attack or a slower, stealthier spread depends on the attacker's motivations and goals.
In either case, the defensive focus should be on hardening the information-technology environment, preventing the attack, and automating the initial response, because otherwise the attacker will either quickly infect other systems or execute the payload, says Deep Instinct's Oren. The more companies can slow down the attacker, the better, he says.
"Strong prevention is critical," Oren says. "There are a lot of attacks that you will not be able to catch at a very early stage, and if you don't, then it's game over — the impact has been achieved. That's why there needs to be a much greater focus on the earlier stages of the kill chain."
In addition, with more expertise focused on providing ransomware-as-a-service, and a variety of leaked codebases allowing malware developers to build on one another, ransomware will continue to become more sophisticated and evolve quickly, CyberArk's Salinas says. In a recent analysis of leaked information on the Conti ransomware group, CyberArk's researchers found information about how the group operates as well as source code for some of the malware and tools used by the group.
"Now that Conti’s source code [has been] leaked, it’s likely new variants of the malware will be discovered in the near future," he says.
Conti is the fourth most common ransomware strain, according to Deep Instinct's "2022 Cyber Threat Landscape Report." The STOP and REvil malware families accounted for the vast majority of ransomware detected by the firm.