Ransomware Trends 2021 - CISA, ACSC, NCSC Joint Advisory

The Australian Cyber Security Centre (ACSC), CISA, the FBI and the National Cyber Security Centre, UK, have released a joint advisory on the increased globalized threat of ransomware.  

The agencies observed “an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally”, with the model continuing to evolve and the “market for ransomware becoming increasingly professional” in 2021. The advisory also includes recommendations for organisations to mitigate such attacks.  

The sectors affected by ransomware in the past year include defence, emergency services, food and agriculture, government facilities, IT, healthcare, financial services, education, energy, legal, and public services.  

Ransomware trends observed in 2021  

• Initial attack vectors - The top three initial access vectors in 2021 were (1) phishing, (2) Remote Desktop Protocol (RDP) exploitation, and (3) exploitation of vulnerabilities in software. With companies around the world switching to a remote work model following the Covid19 pandemic, cybercriminals could target an expanding remote attack surface and the disruptions caused by the sudden shift.  
• A “professional” market for ransomware – The financial gains made possible by ransomware attacks led to the establishment of a successful business model and an increasingly professional market around it. The agencies observed the use of independent services for facilitating ransom payments, arbitrating disputes, negotiations, and system restoration following payment.   ‍
• Increased information sharing among ransomware groups – More and more ransomware groups were seen to exchange or share victim information with other criminal groups, with some of them even selling access to victims’ networks.   ‍
• More attacks on mid-sized organisations - In the US, threat actors turned their attention from large organisations or “big game hunting” to mid-sized organisations in the second half of the year, to avoid scrutiny by the authorities. In Australia and the UK, attacks on organisations of all sizes continued throughout the year.  ‍
• Double and triple extortion models – Ransomware groups in Australia continued to resort to double extortion, i.e., both encrypting and stealing data to force victims to pay. In the US, there was a shift to the “triple extortion” model, wherein the attackers threatened to publicly release stolen data, inform partners and shareholders of the breach, and disrupt the victim organisation’s internet access if the ransom wasn’t paid.   ‍
• Increased targeting of cloud-based applications – Threat actors exploited organisations’ increased adoption of cloud infrastructures by targeting cloud applications, VM software, cloud APIs, and data backup and storage systems “to deny access to cloud resources and encrypt data”. In a number of cases, they used compromised on-premise devices to move laterally and get access to cloud networks.   ‍
• Attacks on MSPs and supply chains – There was an increase in attacks on managed service providers (MSPs) and software supply chain entities, enabling access to a large number of organisations through a single successful compromise at the initial stage. This allowed ransomware groups to reach some larger organisations with robust security controls of their own but weaker links at the supply chain level.  ‍
• More attacks during the holidays – In the US, the FBI and CISA observed an increase in the number of successful and serious attacks during the holidays and weekends. Holidays are likely seen by ransomware actors as a good time to launch attacks, with most IT staff unavailable to defend networks.  

Ransomware mitigation methods  

The mitigation methods suggested in the advisory include the following (see the full list here):  

• Regularly update and patch all operating systems and software. Enable automatic updates and scanning where possible.  
• Use RDP only if necessary. Enable multi-factor authentication (MFA) if using RDP, and connect via VPN if it needs to be externally available. Take steps for restricted and secure RDP use (see full advisory for details).  
• Institute a phishing and cyber security awareness program to make sure users know about the risks and consequences of clicking on suspicious links and attachments, and visiting malicious websites.  
• To secure cloud storage, encrypt data and back it up to multiple locations, ensure secure configuration and require multi-factor authentication for access.  
• Use multi-factor authentication (MFA) for all services, and implement a password policy that requires strong, unique passwords for all accounts.  
• Segment networks to control traffic flow between different parts of the network and prevent lateral movement if and when an attack occurs.  
• Use endpoint detection and response (EDR) tools and network intrusion-detection systems (NIDS) to detect unusual network connections and anomalous activity early.  
• Backup all business-critical data, encrypt backups and store them securely, offline. Test backups regularly to make sure data can be recovered when the need arises.  

To see the complete list of mitigation methods, see the advisory here or view CISA’s complete Ransomware Guide.  

‍

How LinearStack can help

LinearStack provides a wide range of cyber security services to businesses in New Zealand and Australia. These include our 24x7 Managed Detection and Response (MDR) service designed to protect organisations from advanced threats like ransomware, supply chain attacks and insider threats. We also provide specialized incident response services to investigate and contain cyber incidents in seconds and minutes.    

Call us at 0800 008 795 or email us at info@linearstack.co.nz to book a free consult with one of our security experts.