Latest Headlines
Sophos Threat Report Identifies Key Trends in Ransomware Attacks
Emma Okonji
Sophos, a global leader in next-generation cybersecurity, has released the Sophos 2022 Threat Report, which showed how the gravitational force of ransomware’s black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system, with significant implications for IT security.
The report, written by SophosLabs security researchers, Sophos Managed Threat Response threat hunters and rapid responders, and the Sophos Artificial Intelligence (AI) team, provides a unique multi-dimensional perspective on security threats and trends likely to face organisations in 2022.
According to the report, over the coming year, the ransomware landscape would become both more modular and more uniform, with attack ‘specialists’ offering different elements of an attack ‘as-a-service’ and providing playbooks with tools and techniques that enable different adversary groups to implement very similar attacks.
Sophos researchers said attacks by single ransomware groups, gave way to more ransomware-as-a-service (RaaS) offerings during 2021, with specialist ransomware developers focused on hiring out malicious code and infrastructure to third-party affiliates.
Some of the most high profile ransomware attacks of the year involved RaaS, including an attack against Colonial Pipeline in the US by a DarkSide affiliate, the report said, adding that an affiliate of Conti ransomware leaked the implementation guide provided by the operators, revealing the step-by-step tools and techniques that attackers could use to deploy the ransomware.
“Once they have the malware they need, RaaS affiliates and other ransomware operators can turn to Initial Access Brokers and malware delivery platforms to find and target potential victims. This is fueling the second big trend anticipated by Sophos,” the report further said.
The report also highlighted that established cyberthreats would continue to adapt to distribute and deliver ransomware. These, it said, include loaders, droppers and other commodity malware; increasingly advanced, human-operated Initial Access Brokers; spam; and adware. In 2021, Sophos reported on Gootloader operating novel hybrid attacks that combined mass campaigns with careful filtering to pinpoint targets for specific malware bundles.
The report further highlighted the use of multiple forms of extortion by ransomware attackers to pressure victims into paying the ransom is expected to continue and increase in range and intensity. In 2021, Sophos incident responders catalogued 10 different types of pressure tactics, from data theft and exposure, to threatening phone calls, distributed denial of service (DDoS) attacks, and more.
The report also said cryptocurrency would continue to fuel cybercrimes such as ransomware and malicious cryptomining, and that Sophos expects that the trend would continue until global cryptocurrencies were better regulated. During 2021, Sophos researchers uncovered cryptominers such as Lemon Duck and the less common, MrbMiner, taking advantage of the access provided by newly reported vulnerabilities and targets already breached by ransomware operators to install cryptominers on computers and servers.
Analysing the report, the Principal Research Scientist at Sophos, Chester Wisniewski, said: “Ransomware thrives because of its ability to adapt and innovate. For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers. This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies, and negotiators.
“They are now offloading to others the tasks of finding victims, installing and executing the malware, and laundering the pilfered cryptocurrencies. This is distorting the cyberthreat landscape, and common threats, such as loaders, droppers, and Initial Access Brokers that were around and causing disruption well before the ascendancy of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware.”
Advising organisations on how best to remain safe, Wisniewski further said: “It is no longer enough for organisations to assume they are safe by simply monitoring security tools and ensuring they are detecting malicious code. Certain combinations of detections or even warnings are the modern equivalent of a burglar breaking a flower vase while climbing in through the back window. Defenders must investigate alerts, even ones which in the past may have been insignificant, as these common intrusions have blossomed into the foothold necessary to take control of entire networks.”