In early February, the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a joint cybersecurity advisory observing “an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally” during 2021. The report—which was coauthored by cybersecurity authorities in the United States (CISA, the Federal Bureau of Investigation, and the National Security Agency), Australia (the Australian Cyber Security Centre), and the United Kingdom (the National Cyber Security Centre)—emphasizes that the continued evolution of ransomware tactics and techniques throughout the past year “demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.”
The joint report provides technical details regarding the observed behaviors and trends of ransomware actors, mitigation recommendations for network defenders to reduce their risk of compromise by ransomware, and step-by-step advice for responding to ransomware attacks.
Ransomware Trends. The report details a variety of behaviors and trends that cybersecurity authorities observed among cyber criminals over the past year.
- Gaining Access to Networks: The top three “initial infection vectors” for ransomware incidents in 2021 remained phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities.
- Using Cyber Criminal Services-for-Hire: The market for ransomware grew in sophistication in 2021, as ransomware threat actors not only made increased use of ransomware-as-a-service, but also “employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals.” The advisory noted that this business model “often complicates attribution” of ransomware incidents to specific threat actor(s).
- Sharing Victim Information: Ransomware groups in Eurasia have shared victim information with each other, including selling access to victims’ networks, which “diversif[ied] the threat to targeted organizations.”
- Shifting Away from “Big-Game” Hunting in the United States: U.S. authorities observed that, over the course of 2021, some cybercriminals shifted their ransomware efforts from large organizations, including those that provide critical services, toward mid-sized victims after several high-profile incidents resulted in scrutiny and disruption from government authorities. Australian and U.K. authorities, however, observed that ransomware threat actors continued to target organizations of all sizes.
- Diversifying Approaches to Extorting Money: Ransomware threat actors increasingly used “triple extortion” methods as part of ransomware incidents by “threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident.”
- Increasing Their Impact: Authorities observed that cybercriminals have increased the scale and disruptive nature of their attacks by targeting cloud infrastructures (including the cloud providers themselves), managed service providers (MSPs), industrial processes (including code designed to stop critical infrastructure or industrial processes), and the software supply chain, as well as by conducting attacks on holidays and weekends. The authorities authoring the alert assessed that “there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.”
Mitigation Recommendations. CISA’s advisory identified five “immediate actions” that entities can “take now to protect against ransomware”:
- Update your operating system and software.
- Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments.
- If you use Remote Desktop Protocol (RDP), secure and monitor it.
- Make an offline backup of your data.
- Use multifactor authentication (MFA).
The report also advises that network defenders may “reduce the likelihood and impact of ransomware incidents” by taking the following steps (some of which mirror CISA’s immediate actions listed above):
- Keeping all operating systems and software up to date, including by prioritizing known exploited vulnerabilities and automating software security scanning and testing when possible;
- Securing and closely monitoring RDP or other potentially risky services, including external connections to third party vendors;
- Implementing a user training program and phishing exercises;
- Requiring multi-factor authentication for as many services as possible, “particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups;”
- Requiring all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords;
- If using Linux, using a Linux security module (such as SELinux or AppArmor) or seccomp for defense in depth (seccomp is a system-call filter rather than a security module, but serves the same defense-in-depth purpose); and
- Protecting cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
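“Secure and monitor” RDP is the recommendation above that most often goes unimplemented on the monitoring side. The script below is an added example for this summary, not code from the advisory or from CISA: it reads Windows Security log records, keeps only RemoteInteractive (RDP) logons, and raises one alert per source address that exceeds a failure threshold inside a sliding window, marking the alert as a probable compromise if a successful RDP logon from that address follows. Event IDs 4625 and 4624 and LogonType 10 are real Windows semantics; the one-JSON-object-per-line format and field names are an assumption standing in for whatever your log forwarder emits, and the sample records are constructed.

```python
"""Flag RDP password guessing in Windows Security log records.

Added example for this summary; it is not code from the advisory or from CISA.
Event ID 4625 (failed logon), 4624 (successful logon) and LogonType 10
(RemoteInteractive, i.e. RDP) are real Windows Security log semantics. The
one-JSON-object-per-line record format and the field names below are an
assumption for this example, standing in for whatever your log forwarder emits.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; not real log data. One external host guesses
# three accounts in quick succession and finally gets in as "backup".
SAMPLE_LOG = """\
{"time": "2021-11-20T02:00:01Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"}
{"time": "2021-11-20T02:00:04Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"}
{"time": "2021-11-20T02:00:09Z", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"}
{"time": "2021-11-20T02:00:15Z", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"}
{"time": "2021-11-20T02:00:20Z", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"}
{"time": "2021-11-20T02:00:27Z", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"}
{"time": "2021-11-20T02:00:33Z", "event_id": 4624, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"}
{"time": "2021-11-20T08:15:02Z", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.9"}
{"time": "2021-11-20T08:15:40Z", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.9"}
{"time": "2021-11-20T08:16:11Z", "event_id": 4624, "logon_type": 2, "user": "svc_sql", "src_ip": "10.0.0.5"}
"""

FAIL_THRESHOLD = 5              # failures from one source ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window
RDP_LOGON_TYPE = 10


def parse_records(text):
    """Parse JSON-lines records into dicts with a timezone-aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def detect_rdp_guessing(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that reaches `threshold` failed RDP
    logons inside `window`, recording the first successful RDP logon that
    follows: that success is what turns noise into a probable compromise."""
    alerts = {}
    recent_failures = defaultdict(list)   # src_ip -> failure timestamps in window
    targeted_users = defaultdict(set)     # src_ip -> accounts tried
    for rec in records:
        if rec.get("logon_type") != RDP_LOGON_TYPE:
            continue                       # console/service logons are out of scope
        ip = rec["src_ip"]
        if rec["event_id"] == 4625:
            targeted_users[ip].add(rec["user"])
            recent_failures[ip].append(rec["time"])
            recent_failures[ip] = [t for t in recent_failures[ip]
                                   if rec["time"] - t <= window]
            if len(recent_failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {
                    "src_ip": ip,
                    "failures": 0,
                    "window_start": recent_failures[ip][0].isoformat(),
                    "users": set(),
                    "success_after": None,
                })
                alert["failures"] = max(alert["failures"], len(recent_failures[ip]))
                alert["users"] = set(targeted_users[ip])
        elif rec["event_id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = {"user": rec["user"],
                                           "time": rec["time"].isoformat()}
    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_guessing(parse_records(SAMPLE_LOG)):
        verdict = "PROBABLE COMPROMISE" if alert["success_after"] else "password guessing"
        print(f"{alert['src_ip']}: {alert['failures']} RDP failures against "
              f"{alert['users']} since {alert['window_start']} -> {verdict}")
```

On the constructed sample, 203.0.113.7 is reported with six failures across three accounts and a subsequent success as “backup”, while the single typo from 198.51.100.9 stays below the threshold. The threshold and window are tuning knobs; the important design choice is the second stage, because a success following a burst of failures is the event that should page someone, not the burst alone.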
The report further recommends that network defenders may “limit an adversary’s ability to learn an organization’s enterprise environment and to move laterally” through the following steps:
- Segmenting networks;
- Implementing end-to-end encryption;
- Identifying, detecting, and investigating abnormal activity and potential traversal of ransomware across the network with a network-monitoring tool;
- Documenting external remote connections;
- Implementing time-based access for privileged accounts;
- Enforcing principle of least privilege through authorization policies;
- Reducing credential exposure;
- Disabling unneeded command-line utilities; constraining scripting activities and permissions, and monitoring their usage;
- Maintaining offline (i.e., physically disconnected) backups of data, and regularly testing backup and restoration;
- Ensuring that all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure; and
- Collecting telemetry from cloud environments.
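The backup recommendations above only pay off if a restore is actually tested before an incident, and if the test can tell an intact backup from one that already contains encrypted files. The script below is an added example for this summary, not code from the advisory or from CISA: at backup time it builds a manifest of SHA-256 hashes to be stored offline with the backup, and at restore-test time it compares the restored set against that manifest, reporting intact, modified, missing and unexpected files and flagging modified or unexpected files whose byte entropy is high enough to look like ciphertext. The manifest format, the in-memory {path: bytes} representation of a backup set and the sample files are all assumptions constructed so the example runs offline.

```python
"""Verify a restored backup set against its manifest and flag files that look
ransomware-encrypted.

Added example for this summary; it is not code from the advisory or from
CISA. The manifest format (path -> SHA-256 hex) and the in-memory
{path: bytes} representation of a backup set are assumptions made so the
example runs offline; the sample files below are constructed, not real data.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit near 8


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files):
    """Hash every file at backup time; keep this manifest offline with the backup."""
    return {path: sha256hex(data) for path, data in files.items()}


def verify_restore(manifest, restored):
    """Compare a restored set with the manifest and return per-file findings."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "likely_encrypted": []}
    for path, digest in manifest.items():
        data = restored.get(path)
        if data is None:
            report["missing"].append(path)
        elif sha256hex(data) == digest:
            report["ok"].append(path)
        else:
            report["modified"].append(path)
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(path)
    for path, data in restored.items():
        if path not in manifest:
            report["unexpected"].append(path)
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(path)
    for key in report:
        report[key].sort()
    return report


# Constructed sample backup set (not real data).
ORIGINAL_FILES = {
    "finance/ledger.csv": b"date,account,amount\n" + b"".join(
        f"2021-11-{d:02d},4010,{d * 137}.00\n".encode() for d in range(1, 31)),
    "hr/policy.txt": b"Acceptable use policy. Version 3. " * 40,
    "it/runbook.md": b"# Restore runbook\n1. Isolate host\n2. Rebuild from image\n" * 10,
}
MANIFEST = build_manifest(ORIGINAL_FILES)

# Simulated ciphertext: a deterministic SHA-256 chain stands in for the output
# of file-encrypting ransomware (high entropy, no structure).
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

RESTORED_FILES = {
    "finance/ledger.csv": FAKE_CIPHERTEXT,                       # overwritten in place
    "hr/policy.txt": ORIGINAL_FILES["hr/policy.txt"],            # intact
    # it/runbook.md is absent: the backup job ran after the file was deleted
    "README_TO_DECRYPT.txt": b"Your files are encrypted. Contact us.\n" * 5,  # ransom note
}


if __name__ == "__main__":
    for key, paths in verify_restore(MANIFEST, RESTORED_FILES).items():
        print(f"{key:17s} {paths}")
```

Run against the constructed restore, the report shows one intact file, the ledger modified and flagged as likely encrypted, the runbook missing, and the ransom note as an unexpected (but low-entropy) addition. Two caveats a practitioner will recognise: the manifest is only trustworthy if it is stored where the ransomware could not reach it (the same offline or immutable location the advisory calls for), and the entropy heuristic also fires on legitimately compressed or encrypted archives, so it is a triage signal, not a verdict.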
The advisory also recommended that critical infrastructure organizations with industrial control systems or operational technology (OT) networks should review the joint CISA-FBI Cybersecurity Advisory DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more recommendations. CISA’s mitigation recommendations align with steps that cyber insurance policyholders can take to manage ransomware risk as insurers have scaled back coverage in response to the increase in global ransomware attacks. For more information on recent trends in cyber insurance, see the recent Covington Alert, The “Ransomware Pandemic” – Is Your Business Insured?
Responding to Ransomware Attacks. Finally, the report recommends that organizations take the following steps if involved in a ransomware attack:
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide;
- Scan backup data with an antivirus program to check that it is free of malware, using an isolated, trusted system to avoid exposing backups to potential compromise;
- Report cybersecurity incidents to the appropriate authority; and
- Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity.
The cybersecurity authorities in the United States, Australia, and the United Kingdom “strongly discourage paying a ransom to criminal actors,” because paying the ransom not only promotes the ransomware business model, but also does not guarantee recovery of the victim’s files. In fact, the National Cyber Security Centre has urged UK regulators to consider prohibiting insurance coverage for ransomware payments as a means of deterring ransomware attacks.
Resources. The joint cybersecurity advisory also includes a list of resources that organizations confronting cyber threats and evaluating cybersecurity best practices may find helpful, including StopRansomware.gov, CISA’s Ransomware Readiness Assessment, CISA’s cyber hygiene services, and information about the U.S. Department of State’s Rewards for Justice program.