Federal Advisory Highlights Increased Globalized Ransomware Threat
A joint advisory on ransomware issued by the FBI, CISA, and the NSA recapped ransomware activity in 2021 and showed why the threat continues to loom large for enterprises.
It's difficult to argue with some of the successes against ransomware so far in 2022, especially the U.S. government's efforts to counter the threat through disruptions and arrests, which have actually produced some tangible wins.
Before the industry focuses on 2022, however, it makes sense to close the book on 2021 first.
That was the aim of the FBI, CISA, and several other federal agencies last week in a joint cybersecurity advisory.
In a report issued on Wednesday, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) looked back at the past 12 months, breaking down ransomware trends, what's worked for attackers, and how to best defend against ransomware.
The reverberations of the threat were felt across practically every critical industry: the agencies said they observed ransomware attacks against 14 of the 16 critical infrastructure sectors in 2021.
Two other agencies, the Australian Cyber Security Centre (ACSC) and the United Kingdom's National Cyber Security Centre (NCSC-UK), are named as co-authors on the report. The targets varied by country: Australia said the healthcare and medical, financial services and markets, higher education and research, and energy sectors were targeted there, while the UK said education was a big target. Collectively, the agencies stressed that ransomware continued to pose a global threat to organizations last year.
For those already in the trenches (or those who just follow cybersecurity headlines), some of the behaviors and trends listed in the report may not come as a complete surprise. In 2021, groups continued to exploit vulnerabilities, carry out phishing attacks, and steal Remote Desktop Protocol (RDP) credentials to infiltrate networks and spread ransomware, at least when they weren't using a ransomware-as-a-service group to do the work for them.
What's interesting is seeing which techniques have worked for the groups. According to the agencies, attackers have kept their operations going by exploiting weaknesses in cloud infrastructure and cloud service providers:
“Ransomware threat actors also targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data. In addition to exploiting weaknesses to gain direct access, threat actors sometimes reach cloud storage systems by compromising local (on-premises) devices and moving laterally to the cloud systems.”
That's in addition to managed service providers (the agencies stress there will likely be an increase in ransomware attacks in which MSPs are targeted in an attempt to reach their client base), industrial processes, and the software supply chain.
CISA in particular has warned in the past about why these vectors remain appealing to ransomware groups.
Last June, following the Colonial Pipeline attack, it advised critical infrastructure owners and operators to take measures to address the risk of ransomware attacks, outlining recommendations for preparedness.
In July, shortly after the Kaseya VSA supply chain attack, it issued instructions for MSPs who may have been affected by the attack but also general tips on how MSPs and small businesses can strengthen their security.
Last week's joint advisory ends with a lengthy list of mitigations, many of which are hopefully already in place at enterprises worldwide at this point, designed to reduce the likelihood of a ransomware attack and lessen the severity of any that do occur.
While the actual list of recommendations is nearly four pages long and worth digging into in full, some of them include:
- Keep all operating systems and software up to date.
- If you use RDP or other potentially risky services, secure and monitor them closely.
- Implement a user training program and phishing exercises.
- Require MFA.
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.
- If using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth.
- Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
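The "secure and monitor RDP closely" item pairs naturally with the stolen-RDP-credential trend the report describes. As an added illustration (not code from the advisory or from any of the agencies), the following Python snippet shows one way a defender might monitor RDP logons: it groups Windows Security events by source address and raises an alert when a burst of failed logons is followed by a success. The event records are constructed sample data; the dictionary field names (`time`, `event_id`, `user`, `src_ip`, `logon_type`) are an assumed normalized shape such as a log pipeline might produce, while event IDs 4624/4625 and logon type 10 (RemoteInteractive) are the real Windows values for logon success, logon failure, and RDP sessions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_OK = 4624       # Windows Security: an account was successfully logged on
EVENT_LOGON_FAILED = 4625   # Windows Security: an account failed to log on
LOGON_TYPE_RDP = 10         # RemoteInteractive: RDP / Terminal Services session

# Constructed sample events (assumed normalized field names, not real log data).
# Source 203.0.113.7: six failures against several accounts, then a success as "admin".
# Source 198.51.100.20: a single typo followed by a normal logon (benign).
# Source 10.0.0.5: six failures, but logon type 3 (network/SMB), so not RDP.
SAMPLE_EVENTS = [
    {"time": "2021-11-03T02:14:01", "event_id": 4625, "user": "admin", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2021-11-03T02:14:05", "event_id": 4625, "user": "administrator", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2021-11-03T02:14:09", "event_id": 4625, "user": "admin", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2021-11-03T02:14:13", "event_id": 4625, "user": "backup", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2021-11-03T02:14:17", "event_id": 4625, "user": "admin", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2021-11-03T02:14:21", "event_id": 4625, "user": "admin", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2021-11-03T02:14:30", "event_id": 4624, "user": "admin", "src_ip": "203.0.113.7", "logon_type": 10},
    {"time": "2021-11-03T07:59:50", "event_id": 4625, "user": "jdoe", "src_ip": "198.51.100.20", "logon_type": 10},
    {"time": "2021-11-03T08:00:00", "event_id": 4624, "user": "jdoe", "src_ip": "198.51.100.20", "logon_type": 10},
] + [
    {"time": f"2021-11-03T03:00:{i:02d}", "event_id": 4625, "user": "svc-backup", "src_ip": "10.0.0.5", "logon_type": 3}
    for i in range(6)
]


def _ts(event):
    """Parse the ISO 8601 timestamp of one event record."""
    return datetime.fromisoformat(event["time"])


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source address that produced `threshold` or more failed
    RDP logons within `window`, noting which accounts were tried and whether a
    successful RDP logon from the same source followed within `window`."""
    rdp = sorted((e for e in events if e["logon_type"] == LOGON_TYPE_RDP), key=_ts)

    by_src = defaultdict(list)
    for e in rdp:
        by_src[e["src_ip"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == EVENT_LOGON_FAILED]
        successes = [e for e in evs if e["event_id"] == EVENT_LOGON_OK]
        if not failures:
            continue

        # Group failures into bursts: a burst starts at its first failure and
        # absorbs every later failure that lands within `window` of that start.
        bursts, current = [], [failures[0]]
        for f in failures[1:]:
            if _ts(f) - _ts(current[0]) <= window:
                current.append(f)
            else:
                bursts.append(current)
                current = [f]
        bursts.append(current)

        for burst in bursts:
            if len(burst) < threshold:
                continue
            last_fail = _ts(burst[-1])
            # A success shortly after the burst is the high-severity case:
            # it suggests the guessed or stolen credential actually worked.
            success_user = next(
                (s["user"] for s in successes if last_fail <= _ts(s) <= last_fail + window),
                None,
            )
            alerts.append({
                "src_ip": src,
                "failures": len(burst),
                "targeted_users": sorted({e["user"] for e in burst}),
                "first_seen": burst[0]["time"],
                "last_seen": burst[-1]["time"],
                "success_user": success_user,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        severity = "HIGH (success followed burst)" if alert["success_user"] else "MEDIUM"
        print(severity, alert)
```

Only the first source trips the detector: the benign user with one typo stays under the threshold, and the SMB failures are filtered out before grouping because they are not RDP sessions. In a real deployment the same logic would read from a SIEM or Windows Event Forwarding feed rather than an inline list, and the threshold and window would be tuned to the environment's normal failure rate.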