With no end in sight to the ransomware epidemic, national security authorities in the United States, UK, and Australia are warning that ransomware groups are continuing to shift their tactics to stay ahead of defenses and adjusting their targeting to draw less attention to their operations.
In a new advisory published Wednesday, authorities said that the ransomware threat has become increasingly globalized in the last year as groups have diversified their businesses and targeting. In the U.S., ransomware groups have targeted organizations of all sizes and in a wide variety of industries, but the noisiest attacks have hit large companies in critical infrastructure. The attacks on the Colonial Pipeline, JBS Foods, and Kaseya last year drew a huge amount of attention from the media as well as from law enforcement agencies and the White House. The Colonial Pipeline attack in particular focused intense attention on the DarkSide ransomware group, and though the company paid the ransom, the FBI later recovered $2.3 million of it.
In 2021, ransomware incidents hit 14 of the 16 designated critical infrastructure sectors in the U.S., according to the joint advisory from the FBI, CISA, NSA, the Australian Cyber Security Centre (ACSC), and the UK National Cyber Security Centre (NCSC). But in the second half of that year, ransomware groups shifted away from those large organizations in favor of smaller, mid-sized targets in the U.S.
“In the first half of 2021, cybersecurity authorities in the United States and Australia observed ransomware threat actors targeting ‘big game’ organizations—i.e., perceived high-value organizations and/or those that provide critical services—in several high-profile incidents. These victims included Colonial Pipeline Company, JBS Foods, and Kaseya Limited. However, ransomware groups suffered disruptions from U.S. authorities in mid-2021. Subsequently, the FBI observed some ransomware threat actors redirecting ransomware efforts away from ‘big-game’ and toward mid-sized victims to reduce scrutiny,” the advisory says.
The same did not hold true elsewhere, though. In both the UK and Australia, ransomware groups continued to target large organizations and critical infrastructure operators as well as smaller businesses. Non-CI targets in all three countries included cloud platform providers and managed service providers (MSPs), both of which offer a path to a broad number of potential victims through a single compromise.
“Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data. In addition to exploiting weaknesses to gain direct access, threat actors sometimes reach cloud storage systems by compromising local (on-premises) devices and moving laterally to the cloud systems. Ransomware threat actors have also targeted cloud service providers to encrypt large amounts of customer data,” the advisory says.
“MSPs have widespread and trusted accesses into client organizations. By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise. Cybersecurity authorities in the United States, Australia, and the United Kingdom assess there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.”
When it comes to defenses and mitigations, the agencies recommend requiring multi-factor authentication wherever possible, segmenting networks to limit lateral movement, maintaining multiple backups in several locations that are kept offline or otherwise isolated from the production network so they survive a successful ransomware attack, and collecting telemetry from cloud services so that activity against cloud accounts, APIs, and backup systems can actually be detected.
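Collecting cloud telemetry only helps if something reads it for the pattern the advisory describes: an actor, often arriving from a compromised on-premises host, using the cloud API to delete snapshots and backup vaults before encrypting. The following detection is an added example written for this article, not code from the advisory or the agencies. The event records are constructed and loosely follow the AWS CloudTrail field names (eventTime, eventName, userIdentity.arn, sourceIPAddress); the list of destructive operation names, the burst threshold and the time window are assumptions to be tuned per platform.

```python
"""Flag backup and snapshot destruction in cloud API audit telemetry.

Hypothetical detection logic written to illustrate the advisory's point; the
event shape is modeled loosely on AWS CloudTrail records, and every sample
event below is constructed for this example rather than captured from a real
account.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# API calls that erase a victim's recovery path. Assumed names; extend per platform.
DESTRUCTIVE_EVENTS = {
    "DeleteSnapshot",
    "DeleteRecoveryPoint",
    "DeleteBackupVault",
    "DeleteBucketLifecycle",
}
# A single one of these is severe enough to alert on by itself.
ALWAYS_ALERT = {"DeleteBackupVault"}


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp format CloudTrail uses."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal(event):
    """Identity that made the call; CloudTrail puts the ARN under userIdentity."""
    return event.get("userIdentity", {}).get("arn", "unknown")


def detect_backup_destruction(events, threshold=3, window=timedelta(minutes=10)):
    """Return a list of alert dicts, in time order.

    Two rules:
      * destructive_burst: one principal makes >= `threshold` destructive calls
        within `window` (reported once per principal, on the call that trips it).
      * backup_vault_deleted: any call in ALWAYS_ALERT, reported every time.
    """
    alerts = []
    recent = defaultdict(deque)   # principal -> timestamps inside the window
    burst_reported = set()

    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        name = ev["eventName"]
        if name not in DESTRUCTIVE_EVENTS:
            continue
        who = principal(ev)
        t = parse_time(ev["eventTime"])

        if name in ALWAYS_ALERT:
            alerts.append({"rule": "backup_vault_deleted", "principal": who,
                           "time": ev["eventTime"], "source_ip": ev.get("sourceIPAddress")})

        q = recent[who]
        q.append(t)
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and who not in burst_reported:
            burst_reported.add(who)
            alerts.append({"rule": "destructive_burst", "principal": who, "count": len(q),
                           "time": ev["eventTime"], "source_ip": ev.get("sourceIPAddress")})
    return alerts


# Constructed sample telemetry: one principal wiping snapshots then the vault,
# and one routine single deletion that should not alert.
ADMIN = {"arn": "arn:aws:iam::111111111111:user/backup-admin"}
OPS = {"arn": "arn:aws:iam::111111111111:user/ops-rotation"}
SAMPLE_EVENTS = [
    {"eventTime": "2022-02-09T03:10:00Z", "eventName": "DescribeSnapshots", "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2022-02-09T03:11:00Z", "eventName": "DeleteSnapshot", "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2022-02-09T03:11:20Z", "eventName": "DeleteSnapshot", "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2022-02-09T03:12:05Z", "eventName": "DeleteSnapshot", "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2022-02-09T03:13:00Z", "eventName": "DeleteBackupVault", "userIdentity": ADMIN, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2022-02-09T09:00:00Z", "eventName": "DeleteSnapshot", "userIdentity": OPS, "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for alert in detect_backup_destruction(SAMPLE_EVENTS):
        print(alert)
```

The burst rule fires on the third DeleteSnapshot within ten minutes, before the vault itself is touched, which is the point: the time to act is while the recovery copies still exist. The single off-hours deletion by the rotation account is left alone so the rule does not drown in routine lifecycle work; if that account is later seen deleting the vault, the second rule still catches it.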