A lock symbol with red dots representing malware.
Image: Alex/Adobe Stock

The ransomware landscape has not changed in terms of volume, yet the researchers from SecureWorks report that incident response engagements in May and June 2022 saw the rate of successful ransomware attacks reduce. However, it is still too early to make conclusions about it. Several reasons might explain the decrease in successful ransomware attacks, in particular the disruptive effect of the war in Ukraine on ransomware threat actors, the economic sanctions designed to create friction for ransomware operators and the demise of Gold Ulrick’s Conti ransomware-as-a-service operation.

Ransomware trends for 2022

The researchers also wonder whether a new trend appears, consisting of hitting a larger number of smaller organizations rather than hitting large corporations, as this might be a way for cybercriminals to bring less Law Enforcement effort against them.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Network defenders, on the other side, see their window of opportunity reduced for managing a successful defense against ransomware. That window ranges from the time of the initial compromise to the deployment of the ransomware and the encryption of data. In 2022, the median length for that window is 4.5 days, compared to 5 days in 2021, while the mean dwell time in 2021 was 22 days as opposed to 11 days in 2022. This means that ransomware operators are more efficient at managing their time and do waste less time idling on a compromised system than before.

The strongest measure against those attacks is of course to prevent or detect the initial breach, before any additional payload is deployed and before the attacker launches his lateral movements operations.

The main initial vectors of compromise are unsurprisingly the exploitation of remote services and the abuse of credentials (Figure A).

Figure A

Initial access vectors for ransomware attacks, June 2021 to June 2022.
Image: SecureWorks. Initial access vectors for ransomware attacks, June 2021 to June 2022.

Ransomware operators are also increasingly using cross-platforms malware, developed in Rust or Go programming language, which allow them to compile the malware on several different platforms without the need to change the code.

“Hack and Leak” attacks also still a threat

Some cybercrime gangs have decided not to use ransomware. They are instead compromising systems and stealing sensitive information, before asking for a ransom. If it is not paid, the data is being leaked publicly.

The groups using this kind of attack are generally compromising systems via internet-facing VPN services, on which they are likely leveraging vulnerabilities or using weak or stolen credentials. Once inside the system, they often use native tools from the operating system to accomplish their tasks, which makes them harder to detect.

The biggest initial compromise vector: Remote services exploitation

Exploiting vulnerabilities on Internet-facing systems, be it devices, servers or services, became the most common initial access vector (IAV) in 2021 according to SecureWorks. Threat actors are prone to use any vulnerability that might help them compromise systems, while defenders tend to be late at patching.

The most dangerous vulnerabilities are those who allow remote code execution without any authentication.

The researchers also note that it is more interesting from a defense point of view to try to detect the vulnerabilities and not the exploits, since the latter ones can be sometimes modified and might evade detections.

Infostealer and loader malware

The return of Emotet, a loader malware with the capability to plant additional malware in systems, showed how some cybercriminal gangs can be persistent, even when law enforcement takes their infrastructure down.

Loaders are pieces of software used at the initial stage of infection, to install additional malware, which are often ransomware or infostealers. Bumblebee is cited as an example of a rapidly-growing threat used to drop Cobalt Strike and Metasploit payloads, or even the new Sliver framework payloads, but there are several efficient loaders around.

Infostealer malware is often used to gather valid credentials which are then sold on cybercriminal underground marketplaces such as Genesis Market, Russian Market or 2easy.

Genesis market has been active since 2018 and sells access to victims’ computers which can lead to credential theft. Each access is listed with the credentials available on the machine and a custom bot software allowing cybercriminals to clone the victim’s browser (Figure B).

Figure B

A listing of compromised machines on the Genesis marketplace.
Image: SecureWorks. A listing of compromised machines on the Genesis marketplace.

The main infostealer malware families are currently RedLine, Vidar, Raccoon, Taurus and AZORult according to the researchers.

Drive-by download is still a thing

Drive-by download is a technique used to have unsuspecting users download malware by visiting compromised or fraudulent websites.

Threat actor Gold Zodiac for example makes a heavy use of Search Engine Optimization (SEO) poisoning, using layers of public blog posts and compromised WordPress sites to bring infecting links on top of Google’s search engine results. Once a user visits one of those, he is being tricked into downloading GootLoader, which in turn leads to the download of Cobalt Strike payloads for ransomware delivery.

Business email compromise

Business email compromise (BEC) stays as a major threat alongside ransomware in 2022. The FBI reports losses of $2.4 billion USD in 2021.

SecureWorks analysis reveals a 27% increase year-on-year in the first half of 2022 compared to the same period in 2021, with incidents still using quite the same simple but effective techniques.

The most common method for attackers is to try to have a targeted company make a wire transfer to a banking account they own, by impersonating a manager or director of the company and using different social engineering techniques. Attackers generally compromise email accounts from the company to make their emails look more legitimate.

Cyberespionage quietly continues

Nation-state sponsored cyber espionage operations have kept flowing and did not bring so many new techniques over 2022, as the attackers probably don’t need such a high level of sophistication to successfully accomplish their work.

Chinese threat actors keep mainly using PlugX and ShadowPad as their main malware, often using DLL sideloading to install and execute their malware. Some actors have raised the bar on their techniques by using most of their arsenal in memory and less on the compromised hard drives.

Iran keeps targeting Israel and other Middle East countries, in addition to dissidents at home and abroad. 2021 and 2022 have also seen an increase in the strength of the ties between some threat actors and the Iranian government. From a technical point of view, most iranian actors use DNS tunneling as an evasion technique. Some actors have also been observed deploying ransomware, but it is probably used for disruption more than any financial gain.

Russian cyberespionage capabilities have not changed much, still targeting the West, especially the NATO alliance. While advanced destructive capabilities were expected to be seen from Russia since the beginning of the war with Ukraine, the attempts done have not had much of an impact in the conflict, according to SecureWorks. Yet the reports from the Ukrainian National CERT (Computer emergency Response Team), the CERT-UA, depict a steady cadence in the targeting of Ukrainian targets by the Russians.

North Korean threat actors still focus on financial attacks, especially on cryptocurrencies. In March 2022, the infamous Lazarus threat actor managed to steal over $540 million by compromising some of the validator nodes of Ronin, an Ethereum-based cryptocurrency wallet.

MFA bypass

Several threat actors have successfully compromised accounts that were not yet using multi-factor authentication (MFA) and added their own devices, so that MFA would be bypassed if it would be activated.

Another technique still largely used is the “prompt bombing” technique, where the attacker floods the target with repeated login attempts which generate many MFA prompts. The attacker hopes the user will be distracted or exasperated enough to accept one of them.

Attackers might also use social engineering techniques to bypass MFA, by calling users on the phone and using various strategies to make the user validate an authentication on a targeted service.

Other methods might be the use of phishing kits using transparent reverse proxies, to collect credentials and session cookies in real time and bypass MFA.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays