Ransomware attacks became increasingly targeted, sophisticated, and costly last year, according to the CrowdStrike 2022 Global Threat Report.

The cybersecurity vendor’s threat intelligence team saw an 82% increase in ransomware-related data leaks in 2021 with 2,686 attacks as of Dec. 31, 2021, compared to 1,474 in 2020.

“And that is significant, because that is a change in how things have been done,” said Adam Meyers, senior VP of intelligence at CrowdStrike. “We are seeing the weaponization of victims’ data from multiple threat-actor groups.”

These are ransomware attacks where hackers steal sensitive data and then post it to data leak sites or otherwise make it available on the internet to threaten and shame the victims into paying the ransom.

In one very public example, last April the Russian ransomware-as-a-service gang REvil hit Apple supplier Quanta. After breaching that company’s networks and stealing Apple’s future product designs, REvil pivoted and demanded Apple pay $50 million or else it would leak even more stolen blueprints for the yet-to-be-released devices.

This highlights the growing value that attackers see in victims’ data, Meyers said. “It’s become very clear why that’s so valuable,” he added. “The victim loses control of the narrative when their information is leaked.”

With other, less visible cyberattacks, corporations may lose access to their IT systems and data, and while they will feel the business disruption, “it’s still within the control of the organization to run the narrative that they want to run,” Meyers said.

But once attackers leak data, that narrative moves into the adversary’s hands, he added. “That lack of control is a problem for the victim, and it really exposes all their dirty laundry on the internet,” Meyers explained. “So it is a powerful tool for coercion and to create havoc and chaos within the organization.”

More Sophisticated Ransomware Attacks

However, this move toward data leaks isn’t the only disturbing ransomware trend CrowdStrike Intelligence observed last year. The group also saw 2,721 big game hunting incidents in 2021 — these are targeted ransomware attacks usually conducted by eCrime syndicates against large organizations. Last year, big game hunting attacks occurred across nearly every industry and every country.

CrowdStrike Intelligence saw on average more than 50 targeted ransomware events per week last year. Additionally, the ransomware-related demands averaged $6.1 million per ransom, up 36% from 2020.

And as eCrime syndicates and nation-state hackers become more sophisticated, they increasingly exploit stolen user credentials and identity to infiltrate cloud environments and bypass legacy security solutions. Using these legitimate credentials instead of malware to initially compromise systems allows attackers to remain in corporate environments for longer periods of time by evading detection.

Of all detections CrowdStrike indexed in the fourth quarter of 2021, 62% were malware-free.

eCrime breakout time is another indicator of growing sophistication. This is the time it takes an attacker to move laterally within the victim’s environment once they’ve breached the initial host. In 2021, this took on average just one hour and 38 minutes.

“Why this is important is that if a threat actor gets access to a system within the first hour and 38 minutes, that’s where you have the best chance to stop an intrusion from being successful,” Meyers said. “After that hour and 38 minutes elapses, now you’re chasing that threat actor through the enterprise, so it becomes a more difficult challenge at that point.”
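As an added illustration of the breakout-time metric (example code, not from the report or from CrowdStrike): this routine computes breakout time per incident from a set of constructed detection events and flags incidents where the adversary reached a second host faster than the report’s 1 hour 38 minute average. Incident ids, hostnames and detection-type labels are assumptions made up for the sample.

```python
from datetime import datetime, timedelta

# Average eCrime breakout time stated in the report: 1 hour 38 minutes.
REPORTED_AVG_BREAKOUT = timedelta(hours=1, minutes=38)

# Constructed sample detections (not real telemetry), one tuple per event:
# (ISO timestamp, incident id, hostname, detection type).
SAMPLE_DETECTIONS = [
    ("2021-11-03T09:02:00", "INC-1", "ws-017", "initial_access"),
    ("2021-11-03T09:41:00", "INC-1", "ws-017", "credential_access"),
    ("2021-11-03T10:12:00", "INC-1", "fs-02", "lateral_movement"),
    ("2021-11-03T10:50:00", "INC-1", "dc-01", "lateral_movement"),
    ("2021-11-05T14:00:00", "INC-2", "ws-104", "initial_access"),
    ("2021-11-05T16:30:00", "INC-2", "ws-104", "discovery"),
    ("2021-11-05T18:05:00", "INC-2", "srv-09", "lateral_movement"),
    ("2021-11-06T08:00:00", "INC-3", "ws-220", "initial_access"),
]


def breakout_times(detections):
    """Return {incident: timedelta or None}: elapsed time from the first
    initial_access detection to the first lateral_movement detection that
    lands on a different host. None means no breakout has been observed yet."""
    first_access = {}   # incident -> (time, host) of the initial compromise
    breakout = {}       # incident -> timedelta to first lateral movement
    for ts, inc, host, kind in sorted(detections):  # ISO strings sort chronologically
        t = datetime.fromisoformat(ts)
        if kind == "initial_access":
            first_access.setdefault(inc, (t, host))
        elif kind == "lateral_movement" and inc in first_access and inc not in breakout:
            t0, h0 = first_access[inc]
            if host != h0:  # activity on the beachhead host itself is not lateral movement
                breakout[inc] = t - t0
    return {inc: breakout.get(inc) for inc in first_access}


def faster_than_reported(detections, benchmark=REPORTED_AVG_BREAKOUT):
    """Incidents where the adversary broke out faster than the benchmark,
    i.e. where responders had less than the report's average window."""
    return sorted(inc for inc, bt in breakout_times(detections).items()
                  if bt is not None and bt < benchmark)


if __name__ == "__main__":
    for inc, bt in breakout_times(SAMPLE_DETECTIONS).items():
        print(inc, "breakout:", bt if bt else "not observed")
    print("faster than reported average:", faster_than_reported(SAMPLE_DETECTIONS))
```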

Nation States’ Targeted Intrusion Tactics

In 2021, CrowdStrike observed distinct targeted intrusion tactics by the big-four nation-state actors: Russia, China, Iran, and North Korea. For example, Russia increasingly targeted IT and cloud services providers. Fancy Bear, associated with Russia’s Main Intelligence Directorate, has been shifting away from malware and instead toward credential-harvesting tactics, the report said.

Meanwhile, China emerged as the leader in vulnerability exploitation and increasingly targeted internet-facing devices and services like Microsoft Exchange. CrowdStrike Intelligence confirmed China-based groups successfully exploited 12 vulnerabilities published in 2021.

Iran used ransomware to blend eCrime activity with disruptive operations — specifically “lock-and-leak” tactics against multiple organizations within the U.S., Israel, and the greater Middle East and North Africa region.

And North Korea favored illicit cryptomining and cryptocurrency-related entities to maintain its cashflow and take advantage of pandemic-related economic disruption.

This range in targeted attacks makes it difficult to point to one threat actor as the top concern, Meyers said. “It’s all of them,” he said, when asked if there’s one nation state or eCrime group that organizations should be most worried about. “It’s where you do business, it’s where you’re located, and what’s going on geopolitically as it relates to your geographic locations.”

Know Your Adversary

Ransomware gangs, for example, tend to favor opportunistic, targeted attacks against all sectors, he added. “If you’re in industrials and engineering, manufacturing, technology, professional services, financial services, health care, academia, logistics, state and local government — pretty much any sector you can think of, there is risk of opportunistic attack by eCrime actors,” Meyers said.

However, threats associated with Chinese and Russian state-sponsored groups tend to be more political in nature. “If the situation escalates in Ukraine, then there could be collateral damage against Western businesses that have operations in or business ties to Ukraine,” Meyers said.

“We used to say 10 years ago, you don’t have a malware problem, you have an adversary problem,” he continued, adding that still holds true today. Knowing your adversaries, and what their interests are against your organization, puts companies in a better position to defend themselves.

“Every reader needs to take a hard look at where they do business, how they do business, who they do business with, and use that to start to paint a picture of what are the most realistic threats,” Meyers said. “Then find the highest and most detrimental threat to the business operation, and work to defend against that first.”