January saw a continuation of the trends observed throughout 2021 and continued to highlight the prevalence of highly sophisticated ransomware and the numerous, creative initial access points involved in its deployment. Since 2020, 130 or more unique ransomware strains have been observed in the wild, and ransomware was a component of 10% of all breaches in 2021, double the frequency of the previous year. One of the most notable evolutions of this type of malware is the emergence of “ransomware-as-a-service,” which enables attackers to purchase, and often customize, widely distributed ransomware rather than undertake the arduous task of producing their own code and infrastructure. Instead of kidnapping someone and cutting out all those magazine letters to create an untraceable note stating your demands, why not just pay a third party to carry it out on your behalf?
While phishing will always remain a staple point of entry into victim networks for ransomware and other payloads, we have seen a rise in attacks on unpatched vulnerabilities – Log4j being the most recent example – and other creative methods. The new and improved LockBit 2.0 comes with built-in ads to persuade insiders at target organizations to provide access to attackers in exchange for a reward. Poisoned code repositories and applications are finding increased success in luring victims to willingly install backdoors and expose systems to malicious activity by masquerading as legitimate versions of themselves. As always, the best defense against these ever-evolving TTPs is a proactive, in-depth security program that reduces the risk of these initial access points and provides contingencies for incident response in the event of infection. CISA has released a comprehensive guide to measures specifically aimed at ransomware as it gains dominance in the cyber arms race:
https://www.cisa.gov/uscert/ncas/alerts/aa22-040a. Read on to explore the rest of CyZen’s threat intelligence for the month of January: