Ransomware has become one of the most well-known and prevalent threats against the enterprise today. This year alone, we have seen high-profile cases of ransomware infection -- including against Colonial Pipeline, Kaseya, and Ireland's health service -- cause everything from business disruption to fuel shortages, declarations of national emergency, and restricted medical care.
These attacks are performed for what can end up being multi-million dollar payouts and now these campaigns are becoming easier to perform with initial access offerings becoming readily available to purchase online, cutting out the time-consuming legwork necessary to launch ransomware on a corporate network.
There are a number of trends in the ransomware space of note, including:
Payouts: After DarkSide forced Colonial Pipeline to take fuel pipes out of operation, prompting panic-buying across the US, the firm paid a $4.4 million ransom. CEO Joseph Blount said it was the "right thing to do for the country." The largest ransom payment stands at over $30 million.
High revenue: After analyzing online criminal activity, KELA says that organizations with annual revenue of over $100 million are considered the most attractive.
Initial Access Brokers (IABs): IABs have become an established criminal business, often sought-after by ransomware groups looking for their next target.
Preferred methods of access include RDP and VPN credentials or vulnerabilities.
English speakers are also in high demand to take over the negotiation aspects of a successful attack.
Leak sites: Ransomware groups will now often threaten to leak sensitive data stolen during an attack if a victim does not pay. Cisco Secure calls this a "one-two-punch" extortion method.
Cartels: Researchers have found that 'cartels' are also forming, in which ransomware operators share information and tactics.
In a cybersecurity threat roundup report published on Tuesday, researchers from Trend Micro said that during the first half of this year, ransomware remained a "standout threat" with large companies particularly at risk -- due to their revenue and the prospect of big payouts -- in what is known as "big-game hunting."
During the first six months of 2021, 7.3 million ransomware-related events were detected, the majority of which were WannaCry and Locky variants.
However, this is approximately half the number of detections during the same period in 2020, a decline the researchers have attributed to a shift away from low-value attempts to big-game hunts.
"An incident with the DarkSide ransomware [Colonial Pipeline attack] brought heightened attention to ransomware operators, which might have prompted some of them to lie low," the researchers say. "Meanwhile, law enforcement agencies across the world conducted a series of ransomware operations takedowns that might have left an impact on wide-reaching active groups."
Banking, government entities, and manufacturing remain top targets for ransomware operators today.
Open source and legitimate penetration testing or cybersecurity tools are also being widely abused by these threat actors. Cobalt Strike, PsExec, Mimikatz, and Process Hacker are noted in the report as present in the arsenals of Ransomware-as-a-Service (RaaS) groups including Clop, Conti, Maze, and Sodinokibi.
In addition to ransomware, Business email compromise (BEC) rates have also increased slightly, by 4%, and cryptocurrency miners are now one of the most common strains of malware detected in the wild.
Trend Micro has also explored how misinformation relating to the COVID-19 pandemic is being used to spread malware. Phishing, social media, and social engineering are commonly employed to lure users into clicking on malicious attachments or visiting fraudulent domains, and coronavirus-related themes generally relate now not to the disease itself, but to testing and vaccination projects.
Malicious apps are part of the spread, some of which are spreading banking Remote Access Trojans (RATs) including Cerberus and Anubis.