By Candid Wüest, VP of Acronis Research
In 2022, the world continued to experience
numerous ransomware attacks across a myriad of industries. From supply chains
to school districts to video game companies, cyber criminals have continued to
expand their victim pool, and are showing no signs of slowing down anytime
soon.
In fact, a recent report shows that the average cost of data
breaches is expected to surpass $5 million per incident in 2023, driving home
the need for better security tactics to be implemented earlier rather than
later. As teams kick off the new year, it remains crucial for security teams to
understand the past to create a better future.
2022 Rewind
Looking back at the second half of 2022, teams
saw a decline in the number of new crime syndicates and in the volume of attacks - but
this doesn't mean that the remaining gangs in business were suffering. They
were simply concentrating their efforts. A common approach last year was for
established gangs to rebrand under a new name, bringing most of the team with them, in an
attempt to reduce law enforcement attention. This was the case for groups
like Egregor, REvil, BlackMatter and DoppelPaymer.
There were several ransomware groups that
dominated the market towards the end of the year, including LockBit, Hive,
BlackCat and Black Basta. The same report highlighted that these groups, among
others, were adding between 200 and 300 new victims per month to the total list
of compromised users around the world. These threat actors also continued to
target the government, healthcare, and education industries.
In addition to consistently claiming new
victims, the attack patterns of these major groups shifted over the second half
of the year. For example, BlackCat has utilized a triple-extortion approach
with data exfiltration and DDoS attacks, hitting victims with different tactics
at the same time if the organization doesn't pay the ransom. Tactically,
phishing and malware remain two of the most common threats facing organizations. Additionally,
some of the major players in the ransomware space have expanded their attacks
beyond Windows into macOS and Linux. As more organizations pivot to the cloud,
we can deduce that this will become an area of focus for these gangs in 2023
and beyond.
The changes in how ransomware gangs are
choosing their victims, paired with their diverse infiltration tactics, make
mitigating the risk of these attacks even more challenging for security teams. With new attack approaches arising
almost weekly, security teams must think creatively about their weaknesses in
order to protect their organizations from emerging threats. Some tactics that
we may witness more in 2023 include a heightened focus on uninstalling security
tools, deleting backups, and disabling disaster recovery plans wherever
possible, especially as organizations roll out new technology and shift to the
cloud. In short, attackers use the software already installed on the system to carry out
their attacks and then disable everything that could stop or undo them. New technologies such as ChatGPT can also help cyber
criminals streamline their attacks even further.
New Technology Means New Threats
As we've learned time and time again, new
technology brings about new complexity and vulnerabilities. Innovation is at
the heart of the technology industry, and oftentimes we see the security
associated with it fall short. As new devices and software become available,
security teams are working tirelessly to map a strategy for protecting and
integrating them - meanwhile, ransomware groups are looking for a way in.
This leaves teams in a bind, caught between
diving headfirst into new platforms, systems or tools that users need, while
also recognizing that an imminent threat awaits them. To combat this,
organizations must avoid getting blinded by the perpetual race to innovate and
ensure their security teams test and integrate new technology well. It is also crucial
to prioritize the most important tools first and vet these new tools to ensure
a safe adoption.
MFA (multi-factor authentication) fatigue is a
great example of how a new tool designed to bolster security has been used
against organizations by exploiting the weakest link - the human element.
Ransomware groups have adapted to the flaws associated with MFA, for example by spamming
users with dozens of push alerts until they approve a request just to stop the spam.
Tactics like MFA fatigue remain a popular choice among cybercriminals who aim
to exfiltrate and leak sensitive information to garner funds in ransomware
attacks, and some will use this same data later on to fuel additional attacks
down the road.
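The pattern described above (a burst of push challenges for one user, sometimes ending in an approval) is detectable in an identity provider's authentication log. The following is an added example, not code from the article or from Acronis: it runs a sliding-window count of push challenges per user over a few constructed log lines and raises the severity when an approval lands inside a burst. The log format, the event names (push_sent, push_denied, push_timeout, push_approved), the users and the IP addresses are all constructed for the example and would need to be mapped to your own IdP's audit fields.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data): one MFA push event per line,
# "timestamp user event source_ip". alice is push-bombed and finally approves,
# bob has a normal single login, carol is bombed but keeps denying.
SAMPLE_LOG = """\
2023-01-10T08:00:05Z alice push_sent 198.51.100.7
2023-01-10T08:00:20Z alice push_denied 198.51.100.7
2023-01-10T08:00:41Z alice push_sent 198.51.100.7
2023-01-10T08:01:02Z alice push_timeout 198.51.100.7
2023-01-10T08:01:15Z alice push_sent 198.51.100.7
2023-01-10T08:01:30Z alice push_denied 198.51.100.7
2023-01-10T08:01:44Z alice push_sent 198.51.100.7
2023-01-10T08:02:01Z alice push_sent 198.51.100.7
2023-01-10T08:02:30Z alice push_approved 198.51.100.7
2023-01-10T09:15:00Z bob push_sent 203.0.113.20
2023-01-10T09:15:12Z bob push_approved 203.0.113.20
2023-01-10T13:40:00Z carol push_sent 203.0.113.55
2023-01-10T13:40:30Z carol push_denied 203.0.113.55
2023-01-10T13:41:00Z carol push_sent 203.0.113.55
2023-01-10T13:41:30Z carol push_denied 203.0.113.55
2023-01-10T13:42:00Z carol push_sent 203.0.113.55
2023-01-10T13:42:30Z carol push_denied 203.0.113.55
"""


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    source_ip: str


def parse_events(lines):
    """Parse the constructed 'timestamp user event ip' lines into Event objects."""
    if isinstance(lines, str):
        lines = lines.splitlines()
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, parts[1], parts[2], parts[3]))
    return events


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), threshold=3):
    """Flag users who received >= threshold push challenges inside one window.

    Returns one finding per flagged user. Severity is 'high' when an approval
    occurred while the burst was still active (the attacker likely got in),
    otherwise 'medium' (the user held out, but the account is being targeted).
    """
    by_user = defaultdict(list)
    for e in parse_events(lines):
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        recent = deque()          # timestamps of push_sent inside the window
        peak = 0                  # most pushes seen in any single window
        burst_start = None        # first push of the first qualifying burst
        approved_during_burst = False
        for e in evs:
            # Slide the window: drop pushes older than `window` relative to this event.
            while recent and e.ts - recent[0] > window:
                recent.popleft()
            if e.event == "push_sent":
                recent.append(e.ts)
                peak = max(peak, len(recent))
                if len(recent) >= threshold and burst_start is None:
                    burst_start = recent[0]
            elif e.event == "push_approved" and len(recent) >= threshold:
                approved_during_burst = True
        if peak >= threshold:
            findings.append({
                "user": user,
                "peak_pushes": peak,
                "burst_start": burst_start.isoformat(),
                "approved_during_burst": approved_during_burst,
                "severity": "high" if approved_during_burst else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_LOG):
        print(finding)
```

The window and threshold are tuning knobs: a legitimate user who fumbles a login rarely generates more than two or three challenges in a few minutes, so a threshold of three to five over ten minutes keeps noise low, and a "high" finding (approval inside a burst) is the one that warrants an immediate session revocation and password reset.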
This leads to the question on everyone's mind
- how do we mitigate these threats? What can security professionals do to
thwart ransomware gangs and their tactics? How do we prepare users?
Back to the Future
Looking back at the success of ransomware
gangs in previous years and the rising average cost of a single data breach,
security professionals have an uphill battle - but not an impossible one.
Mitigating these threats often starts with the proper training for employees.
MFA attacks and phishing schemes specifically are sometimes avoidable at the
user level if a company invests the time and resources to help their teams
understand what to watch out for and how to report it. Technical controls are
also needed to complete a defense-in-depth strategy.
Key areas to address are patching your
operating system and the applications that users frequently access and ensuring
that your cybersecurity tools are running properly - and working well with each
other. Beyond that, teams should use strong authentication methods while
working with any business data that could be compromised. Employees should also
be prepared for phishing attempts.
The new year is always a time for change and
introspection, even for security professionals. In looking back, 2022 saw
growth, expansion, and consolidation for ransomware gangs, but it also saw a
variety of security advancements. Teams that use the lessons learned from the
last year will undoubtedly be prepared for what will be a busy year combating
the advancements of threat actors.
ABOUT THE AUTHOR
Candid Wüest is the VP of Cyber Protection Research at Acronis, the Swiss-Singaporean cyber protection company, where he researches new threat trends and comprehensive protection methods. He has worked for 16+ years as the tech lead for Symantec's global security response team. Wüest is a frequent conference speaker and holds a Master of Computer Science from ETH Zurich, as well as various certifications and patents.