Ransomware black hole creates havoc, finds Sophos 2022 report
Sophos released the Sophos 2022 Threat Report, which highlights how ransomware's black hole is attracting other cyberthreats to form one vast, linked ransomware delivery system, with serious ramifications for IT security.
The report, which was authored by SophosLabs security researchers, Sophos Managed Threat Response threat hunters and rapid responders, and the Sophos AI team, offers a unique multi-dimensional perspective on the security risks and trends that enterprises will face in 2022.
“Ransomware thrives because of its ability to adapt and innovate,” said Chester Wisniewski, principal research scientist at Sophos.
He added, “For instance, while RaaS offerings are not new, in previous years, their main contribution was to bring ransomware within reach of lower-skilled or less well-funded attackers. This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies, and negotiators.”
“They’re now offloading to others the tasks of finding victims, installing and executing the malware, and laundering the pilfered cryptocurrencies. This is distorting the cyberthreat landscape, and common threats, such as loaders, droppers, and Initial Access Brokers that were around and causing disruption well before the ascendancy of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware.”
“It is no longer enough for organizations to assume they’re safe by simply monitoring security tools and ensuring they are detecting malicious code. Certain combinations of detections or even warnings are the modern equivalent of a burglar breaking a flower vase while climbing in through the back window. Defenders must investigate alerts, even ones which in the past may have been insignificant, as these common intrusions have blossomed into the foothold necessary to take control of entire networks.”
The Sophos 2022 Threat Report analyzes the following key trends:
- The ransomware landscape will grow more modular and consistent in the coming year, with attack "specialists" supplying different components of an assault "as-a-service" and providing playbooks with tools and methodologies that allow different adversary groups to carry out near-identical attacks. According to Sophos analysts, attacks by single ransomware groups gave way to more ransomware-as-a-service (RaaS) offerings in 2021, with specialist ransomware developers focusing on contracting out malicious code and infrastructure to third-party affiliates. RaaS was used in some of the most high-profile ransomware operations of the year, including a DarkSide affiliate's attack on Colonial Pipeline in the United States. The implementation guide provided by the operators was disclosed by a Conti ransomware affiliate, showing the step-by-step tools and procedures that attackers may use to deploy the ransomware.
Once they have the malware they require, RaaS affiliates and other ransomware operators can use Initial Access Brokers and malware distribution platforms to discover and target potential victims. This drives Sophos' second major trend prediction.
- Established cyberthreats will continue to adapt to distribute and deliver ransomware. These include loaders, droppers, and other commodity malware, as well as more advanced, human-operated Initial Access Brokers, spam, and adware. In 2021, Sophos reported that Gootloader was using novel hybrid attacks that combined large-scale campaigns with meticulous filtering to pinpoint individual targets for malware bundles.
- The use of multiple forms of extortion by ransomware attackers to pressure victims into paying the ransom is expected to continue and increase in range and intensity. In 2021, Sophos incident responders identified ten different forms of pressure tactics, ranging from data theft and disclosure to threatening phone calls, DDoS attacks, and more.
- Cryptocurrency will continue to fuel cybercrimes such as ransomware and malicious cryptomining, and Sophos expects the trend to continue until global cryptocurrencies are better regulated. During 2021, Sophos researchers discovered cryptominers like Lemon Duck and MrbMiner, which took advantage of newly disclosed vulnerabilities and of targets already compromised by ransomware operators to install cryptominers on computers and servers.
Additional trends Sophos analyzed include:
- After the ProxyLogon and ProxyShell vulnerabilities were discovered (and patched) in 2021, the speed with which attackers exploited them was such that Sophos expects both sophisticated attackers and everyday cybercriminals to continue attempting to mass-abuse IT administration tools and exploitable internet-facing services.
- Cybercriminals are also expected to increase their use of adversary simulation tools like Cobalt Strike Beacons, Mimikatz, and PowerSploit, according to Sophos. Defenders should investigate any alerts about abused legitimate tools, or combinations of such tools, just as they would a malicious detection, because they could indicate the presence of an intruder in the network.
- Sophos researchers identified a number of new threats targeting Linux systems in 2021, and in 2022 they anticipate seeing growing attacker interest in Linux-based systems, both in the cloud and on web and virtual servers.
- Mobile threats and social engineering scams, such as Flubot and Joker, are predicted to grow and diversify in order to target both individuals and businesses.
- As powerful machine learning models prove their worth in threat detection and alert prioritization, the use of artificial intelligence in cybersecurity will continue and accelerate. At the same time, adversaries are expected to use AI more frequently in the coming years, progressing from AI-enabled disinformation campaigns and spoofed social media profiles to watering-hole attacks, phishing emails, and more as advanced deepfake video and voice synthesis technologies become available.