Ransomware growing on ability to adapt, innovate- Sophos report
The Sophos 2022 Threat Report recently released shows how the force of ransomware is pulling in other cyber threats to form a wider ransomware delivery system which will have an implication for information technology (IT) security.
Sophos is protecting more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats. Powered by threat intelligence, artificial intelligence (AI) and machine learning from SophosLabs and SophosAI, Sophos delivers a broad portfolio of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing and the wide range of other cyberattacks.
“Ransomware thrives because of its ability to adapt and innovate. For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers. This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies, and negotiators,” principal research scientist at Sophos, Chester Wisniewski, said.
With its headquarters in Oxford, U.K., Sophos provides a single integrated cloud-based management console, Sophos Central – the centerpiece of an adaptive cybersecurity ecosystem that features a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity vendors.
According to the report by Sophos, over the coming year, the ransomware landscape will become both more modular and more uniform, with attack “specialists” offering different elements of an attack “as-a-service” and providing playbooks with tools and techniques that enable different adversary groups to implement very similar attacks.
Sophos researchers found out that attacks by single ransomware groups gave way to more ransomware-as-a-service (RaaS) offerings during 2021, with specialist ransomware developers focused on hiring out malicious code and infrastructure to third-party affiliates.
Some of the most high profile ransomware attacks of the year involved RaaS, including an attack against Colonial Pipeline in the U.S. by a DarkSide affiliate.
An affiliate of Conti ransomware leaked the implementation guide provided by the operators, revealing the step-by-step tools and techniques that attackers could use to deploy the ransomware.
Once they have the malware they need, RaaS affiliates and other ransomware operators can turn to Initial Access Brokers and malware delivery platforms to find and target potential victims. This is fueling the second big trend anticipated by Sophos.
Also, established cyberthreats will continue to adapt to distribute and deliver ransomware. These include loaders, droppers and other commodity malware, as well as increasingly advanced, human-operated Initial Access Brokers, spam, and adware.
In 2021, Sophos reported on Gootloader operating novel hybrid attacks that combined mass campaigns with careful filtering to pinpoint targets for specific malware bundles.
The use of multiple forms of extortion by ransomware attackers to pressure victims into paying the ransom is expected to continue and increase in range and intensity. In 2021, Sophos incident responders catalogued 10 different types of pressure tactics, from data theft and exposure to threatening phone calls, distributed denial of service (DDoS) attacks, and more.
Another major trend is cryptocurrency will continue to fuel cybercrimes such as ransomware and malicious crypto mining, and Sophos expects the trend will continue until global cryptocurrencies are better regulated.
During 2021, Sophos researchers uncovered crypto miners such as Lemon Duck and the less common, MrbMiner, taking advantage of the access provided by newly reported vulnerabilities and targets already breached by ransomware operators to install cryptominers on computers and servers.
Sophos also expects cybercriminals to increase their abuse of adversary simulation tools, such as Cobalt Strike Beacons, mimikatz and PowerSploit. Defenders should check every alert relating to abused legitimate tools or combinations of tools, just as they would check a malicious detection, as it could indicate the presence of an intruder in the network.
“It is no longer enough for organizations to assume they’re safe by simply monitoring security tools and ensuring they are detecting malicious code. Certain combinations of detections or even warnings are the modern equivalent of a burglar breaking a flower vase while climbing in through the back window. Defenders must investigate alerts, even ones which in the past may have been insignificant, as these common intrusions have blossomed into the foothold necessary to take control of entire networks.” Wisniewski said.
Sophos predicts that the application of artificial intelligence to cybersecurity will continue and accelerate, as powerful machine learning models prove their worth in threat detection and alert prioritization.
At the same time, however, adversaries are expected to make increasing use of AI, progressing over the next few years from AI-enabled disinformation campaigns and spoof social media profiles to watering-hole attack web content, phishing emails and more as advanced deep fake video and voice synthesis technologies become available.