Advisen Front Page News
- Tuesday, February 15, 2022
Officials saw more 'professional' cybercriminals, more infrastructure attacks in 2021
By Alex Zank, Advisen
Ransomware attacks on critical infrastructure increased in 2021, hitting 14 of the 16 critical infrastructure sectors in the U.S., according to a report from cybersecurity authorities in multiple countries.
Ransomware trends and recommendations were laid out in a Joint Cybersecurity Advisory, co-authored by cybersecurity agencies in the U.S., U.K. and Australia. The report noted that evolving tactics and techniques of cybercriminals demonstrated their growing sophistication and their increased threat to organizations globally.
U.S. officials cited attacks on such critical sectors as the defense industrial base, emergency services, food and agriculture, government facilities, and information technology.
Targeted sectors in Australia included healthcare and medical, financial services and markets, higher education and research, and energy.
U.K. authorities recognized ransomware as the biggest cyber threat facing the country, with the education sector being one of the top targets. Others included businesses, charities, the legal profession, and public services in the local government and health sectors.
Cybersecurity authorities observed an increasingly professional field of ransomware actors in 2021.
Along with increased use of ransomware-as-a-service (RaaS), threat actors employed independent services to negotiate payments, assist victims in making payments, and arbitrate payment disputes with other cybercriminals. Criminal groups in Europe and Asia have also shared victim information with each other.
According to the report, U.K. authorities observed that “some ransomware threat actors offered their victims the services of a 24/7 help center to expedite ransom payment and restoration of encrypted systems or data.”
In the U.S., ransomware actors shifted their focus from “big game” organizations to mid-sized victims in mid-2021 after they suffered disruptions from cyber authorities. The switch was to reduce scrutiny, officials said.
The most common ways cybercriminals initiated ransomware attacks continued to be phishing emails, stolen Remote Desktop Protocol (RDP) credentials, and exploitation of software vulnerabilities.
“These infection vectors likely remain popular because of the increased use of remote work and schooling starting in 2020 and continuing through 2021,” the report stated. “This increase expanded the remote attack surface and left network defenders struggling to keep pace with routine software patching.”
Ransomware actors increased their impact through methods such as targeting the cloud, managed service providers (MSPs), and software supply chain entities, and several groups have begun attacking industrial processes. More attacks against U.S. entities occurred on holidays and weekends.
Criminals increasingly expanded methods to extort money from victims. They would threaten to publicly release stolen information, disrupt victims’ internet access, and/or inform the victims’ partners or shareholders of the incident.
Authorities had several recommendations to reduce the likelihood and impact of ransomware attacks. Organizations should keep all operating systems and software up to date, secure and closely monitor potentially risky services like RDP, implement user training programs and phishing exercises, require multi-factor authentication (MFA), require strong and unique passwords, and protect cloud storage by backing up to multiple locations and encrypting cloud data.