In early February, the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a joint cybersecurity advisory observing “an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally” during 2021.  The report—which was coauthored by cybersecurity authorities in the United States (CISA, the Federal Bureau of Investigation, and the National Security Agency), Australia (the Australian Cyber Security Centre), and United Kingdom (the National Cyber Security Centre)—emphasizes that the continued evolution of ransomware tactics and techniques throughout the past year “demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.”

The joint report provides technical details regarding the observed behaviors and trends of ransomware actors, mitigation recommendations for network defenders to reduce their risk of compromise by ransomware, and step-by-step advice for responding to ransomware attacks.

Ransomware Trends.  The report details a variety of behaviors and trends that cybersecurity authorities observed among cyber criminals over the past year.

  • Gaining Access to Networks: The top three “initial infection vectors” for ransomware incidents in 2021 remained phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities.
  • Using Cyber Criminal Services-for-Hire: The market for ransomware grew in sophistication in 2021, as ransomware threat actors not only made increased use of ransomware-as-a-service, but also “employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals.” The advisory noted that this business model “often complicates attribution” of ransomware incidents to specific threat actor(s).
  • Sharing Victim Information: Ransomware groups in Eurasia have shared victim information with each other, including selling access to victims’ networks, which “diversif[ied] the threat to targeted organizations.”
  • Shifting Away from “Big-Game” Hunting in the United States: U.S. authorities observed that, over the course of 2021, some cybercriminals shifted their ransomware efforts from large organizations, including those that provide critical services, toward mid-sized victims after several high-profile incidents resulted in scrutiny and disruption from government authorities. Australian and U.K. authorities, however, observed that ransomware threat actors continued to target organizations of all sizes.
  • Diversifying Approaches to Extorting Money: Ransomware threat actors increasingly used “triple extortion” methods as part of ransomware incidents by “threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident.”
  • Increasing Their Impact: Authorities observed that cybercriminals have increased the scale and disruptive nature of their attacks by targeting cloud infrastructures (including the cloud providers themselves), managed service providers (MSPs), industrial processes (including code designed to stop critical infrastructure or industrial processes), and the software supply chain, as well as by conducting attacks on holidays and weekends. The authorities authoring the alert assessed that “there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.”

Mitigation Recommendations.  CISA’s advisory identified five “immediate actions” that entities can “take now to protect against ransomware”:

  • Update your operating system and software.
  • Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments.
  • If you use Remote Desktop Protocol (RDP), secure and monitor it.
  • Make an offline backup of your data.
  • Use multifactor authentication (MFA).

The report also advises that network defenders may “reduce the likelihood and impact of ransomware incident[s]” by taking the following steps (some of which mirror CISA’s immediate actions listed above):

  • Keeping all operating systems and software up to date, including by prioritizing known exploited vulnerabilities and automating software security scanning and testing when possible;
  • Securing and closely monitoring RDP or other potentially risky services, including external connections to third party vendors;
  • Implementing a user training program and phishing exercises;
  • Requiring multi-factor authentication for as many services as possible, “particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups;”
  • Requiring all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords;
  • If using Linux, using a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth; and
  • Protecting cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.

The report further recommends that network defenders may “limit an adversary’s ability to learn an organization’s enterprise environment and to move laterally” through the following steps:

  • Segmenting networks;
  • Implementing end-to-end encryption;
  • Identifying, detecting, and investigating abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool;
  • Documenting external remote connections;
  • Implementing time-based access for privileged accounts;
  • Enforcing principle of least privilege through authorization policies;
  • Reducing credential exposure;
  • Disabling unneeded command-line utilities; constraining scripting activities and permissions, and monitoring their usage;
  • Maintaining offline (i.e., physically disconnected) backups of data, and regularly testing backup and restoration;
  • Ensuring that all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure; and
  • Collecting telemetry from cloud environments.

The advisory also recommended that critical infrastructure organizations with industrial control systems or operational technology (OT) networks should review the joint CISA-FBI Cybersecurity Advisory DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more recommendations.  CISA’s mitigation recommendations align with steps that cyber insurance policyholders can take to manage ransomware risk as insurers have scaled back coverage in response to the increase in global ransomware attacks.  For more information on recent trends in cyber insurance, see the recent Covington Alert, The “Ransomware Pandemic” – Is Your Business Insured?

Responding to Ransomware Attacks.  Finally, the report recommends that organizations take the following steps if involved in a ransomware attack:

The cybersecurity authorities in the United States, Australia, and the United Kingdom “strongly discourage paying a ransom to criminal actors,” because paying the ransom not only promotes the ransomware business model, but also does not guarantee recovery of the victim’s files.  In fact, the National Cyber Security Centre has urged U.K. regulators to consider prohibiting insurance coverage for ransomware payments as a means of deterring ransomware attacks.  For more information on trends in cyber insurance in light of the increase in global ransomware attacks, see the recent Covington Alert, The “Ransomware Pandemic” – Is Your Business Insured?

Resources.  The joint cybersecurity advisory also includes a list of resources that organizations confronting cyber threats and evaluating cybersecurity best practices may find helpful, including StopRansomware.gov, CISA’s Ransomware Readiness Assessment, CISA’s cyber hygiene services, and information about the U.S. Department of State’s Rewards for Justice Program.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.