Staying ahead in a compounding threat landscape

The role of technology has become mission critical for organisations, underpinning their ability to deliver greatly improved services to customers, and operate at far higher levels of efficiency. 

However, prioritising this digitalisation has become an attractive target for threat actors. This challenge is compounded by an ongoing cyber security skills shortage that often leaves security teams understaffed and unable to keep pace with the increasing sophistication of cyber attacks.

We have even seen the start of a relentless conflict in Europe, heavily impacted by a fast-shifting and complex cyber landscape, resulting in extensive collateral damage to individuals and businesses, and organisations across the globe scrambling to stay ahead.

Identifying and understanding the key ransomware trends that have emerged over the last year is a crucial step in enabling security teams to develop targeted mitigation strategies and ensure they stay alert to the evolving threat landscape.

Evolving threat actors

Russia’s recent invasion of Ukraine catapulted cyber security to the forefront of public and private agendas, with cyber security teams bolstering the security of networks and critical infrastructure.

Since the beginning of the Ukraine invasion, more than 100 groups have conducted cyber attacks, including state-sponsored actors, hacktivists and cyber criminals.

VIEW ALL

Some groups even claimed attacks on critical infrastructure such as Killnet. It became the most notorious group globally for using simple DDoS tools to take down websites of critical infrastructure companies in the US and Europe, including airports, banks, and government agencies.

The use of ransomware by state-sponsored actors is not entirely new, with Iranian groups shown to employ ransomware back in 2020.

However, other nations are now exploring these threat vector points for potentially much larger disruptions. State-sponsored threat actors typically have the funding and the means to cause greater disruption than just exfiltrating or encrypting files.

For example, a recent report showed Chinese threat actor, Bronze Starlight, to be using several similar ransomware families such as LockFile, Night Sky and Pandora against targets across the world in a campaign believed to be a disguise for espionage rather than focused on immediate financial gain.

New extortion techniques

The proliferation of IoT devices compounds a network’s potential attack surface, opening new doors for cyber criminals to exploit. While double extortion became mainstream in 2021, in 2022, the major groups have begun targeting internet-exposed NAS devices to obtain master keys for a much higher ransom price.

Alongside the multiple extortion methods of DeadBolt and the ALPHV gang, the release of LockBit 3.0, a new version of the most prolific active ransomware, brought the possibility for other threat actors to buy stolen data.

In August, LockBit became a critical target of DDoS attacks after breaching the Entrust cyber security company. In response, LockBit promised to DDoS their victims in the future too, officially moving to a triple extortion model.

These incidents are part of a growing and alarming trend wherein large ransomware gangs, often operating under a RaaS model, cripple the operations of multiple organisations simultaneously to maximise their impact.

Moving forward, we can expect even more types of devices to become ransomware targets either for initial access or impact.

VoIP appliances, for example, were found to have zero-day remote code execution vulnerabilities exploited by the operators behind the Lorenz ransomware. As the most scanned devices on the internet, they could soon become a popular target for ransomware.

Assessment, automation, assistance

In reviewing the past year, two things are clear:

1. The attack surface is increasing. Not only IT workstations and servers are being targeted by ransomware groups, but also IoT in the form of NAS and VoIP.
2. Both cyber criminals and state-sponsored actors are targeting this increased attack surface to deploy ransomware.

Considering these trends, traditional cyber hygiene practices such as asset inventory, patching, credential management and network segmentation must be extended to encompass your entire digital terrain.

They must prioritise the increased attack surface based on up-to-date threat intelligence showing what types of devices are currently targeted.

Visibility and asset management lay the foundation for network security. You can’t protect what you can’t see, so industrial organisations must ensure they have visibility of all connected devices on their networks. To improve efficiency, network visibility solutions should be able to span across IT, OT and IoT devices, enabling the discovery of vulnerable devices in the network so that proper control and mitigation actions can be applied.

In addition, this solution should also continuously monitor the network for new devices, automatically detecting new connections, so there are no visibility gaps that could put the organisation at risk.

There are several undiscovered vulnerable devices that still exist in OT environments. When a device falls into this category, the focus must be on giving the connected device the minimum amount of privilege.

Therefore, if an attacker does gain access to it, they will have limited ability to exploit it. It is also important to deploy network segmentation so that organisations can ensure personal and remote devices will have limited network access and are kept away from critical data and resources.

The cyber domain will continue to be dynamic, and attackers will consider every tool in their arsenal to carry out devastating attacks. It is crucial for organisations to employ proactive defences to get ahead of potential threat vectors and keep their networks and critical processes safe.

Daniel dos Santos is the head of security research at Forescout Technologies.