Virtualization Technology News and Information
Optiv Security 2022 Predictions: Crowd-Sourced Hacking Will Take the Ransomware Epidemic to New Heights


Industry executives and experts share their predictions for 2022.  Read them in this 14th annual series exclusive.

Crowd-Sourced Hacking Will Take the Ransomware Epidemic to New Heights

By James Turgal, vice president, cyber risk, strategy and board relations, Optiv Security

As prevalent and damaging as ransomware was in 2021, we need to gear up in the New Year, because the threat is only going to increase. In what I call "crowd-sourced" hacking, 2022 and beyond will see more splintering of ransomware groups and Ransomware-as-a-Service (RaaS), as the splintered groups' modus operandi morphs to allow individual ransomware designers, infiltrators, payload deployers and payment collectors to keep iterating on and improving both the product and the execution of the attack. This splintered threat model lets cybercrime subject matter experts emerge in every area needed for a successful attack.

Threat actors will compartmentalize certain parts of the attack among key internal actors and pay smaller, affiliated or unaffiliated, groups to carry out the initial stages. For example, threat actors will use affiliates to run certain stages of the attack, such as the spear-phishing campaigns, then employ other affiliates to deploy tools such as Cobalt Strike. Attackers are weaponizing red-team tools for the later stages of their attack strategy. These tools, together with their leaked source code and tooling suites, including Cobalt Strike and Metasploit, are now used by threat actors or their affiliates to move laterally across the environment and even to deploy the ransomware payload.

I believe "crowd-sourced" hacking will increase in 2022 because the FBI and other law enforcement organizations are increasing the pressure on ransomware groups, and using affiliates and smaller groups to carry out certain aspects of the attack helps to increase the number of subjects and IP addresses to investigate. However, in my opinion, this only creates a false sense of security for the main threat actors.

Additionally, as law enforcement actions by the FBI and its intelligence community partners across the globe become more assertive with threat actors, increase the depth and breadth of their investigations and arrests, and seize more ransomware proceeds, I believe ransomware groups will become more aggressive with victims, attempting to punish them even further for contacting law enforcement or employing professional ransomware negotiators. I also think we'll see an increase in regulation of cryptocurrency clearinghouses and marketplaces, as well as novel uses of law enforcement tools, such as the search warrants the FBI used to delete web shells after the Nobelium attack.

Finally, in 2022, the cybersecurity landscape will see more renaming and rebranding of ransomware groups. One example is the perceived rise, fall and rebranding of threat groups such as DarkSide and REvil into the newly minted group BlackMatter. Further, in-fighting will occur as ransomware groups vie for power and credit, which could affect corporations, not unlike the 2021 situation in which the Conti RaaS group published a Russian-language guide instructing affiliates in how to conduct attacks.

The bottom line is that the ransomware epidemic is only going to get worse, and organizations should take care not to become complacent in their defense against it. Rather, organizations must continually improve and optimize their cybersecurity and cyber resilience plans, so that as ransomware evolves, so does their strategy to fight it.



James Turgal 

James Turgal is the former executive assistant director for the FBI Information and Technology Branch (CIO). He now serves as Optiv Security's vice president, cyber risk, strategy and board relations. James has personally helped many companies respond to and recover from ransomware attacks and is well-versed in speaking with top-tier media.

James draws on his two decades of experience in investigating and solving cybercrimes for the FBI. He was instrumental in the creation of the FBI's Terrorist Watch and No-Fly Lists.

Published Friday, November 26, 2021 7:33 AM by David Marshall