The cybercrime landscape is changing, and ransomware group tactics are shifting accordingly
On January 14th, 2022, Russian authorities announced they had dismantled REvil, the aggressive ransomware groups that made headlines after successfully attacking Colonial Pipeline. Several of its leading members were arrested in a large-scale operation that took place over 25 locations across the enormous country.
Only a few months earlier, the ruthless Conti ransomware gang – known for specifically targeting hospitals and critical infrastructure – found itself victimized by threat intelligence agents. A cryptocurrency exchange executive connected with the related criminal syndicate called Ryuk was arrested around the same time.
Many commentators see this as the beginning of the end for ransomware gangs that have run rampant over the last few years. Unfortunately, this opinion might be too optimistic.
Ransomware is Still Big Business
Nobody should understate the importance of holding threat actors accountable for cybercrimes. The authorities deserve praise for successfully attacking and dismantling ransomware groups. But business leaders must avoid being lulled into a false sense of security.
Dismantling one or two cybercrime groups – even major ones – doesn’t make ransomware any less profitable. As long as it continues to generate financial gains, new threat actors will rise up to take the place of old ones. The most dangerous of these will be the hackers who learn from their predecessors’ mistakes.
IT leaders and executive decision-makers will need to develop robust strategies for countering tomorrow’s cybersecurity threats and the latest ransomware group tactics. Security teams that successfully predict how today’s cybercrime trends will evolve in the future will be prepared to meet those threats when they come.
Having the right data is key. Organizations need to deploy security resources according to comprehensive threat intelligence data. The more you know about tomorrow’s ransomware groups and the tactics they use, the better prepared you can be.
Ransomware Group Tactics On the Rise in 2022
We’ve gathered data on some of the most concerning cybercrime groups to watch in 2022 and identified some of the ransomware group tactics and patterns they share. Cybersecurity solutions that directly address these tactics, techniques, and procedures may become the best investments security leaders can make at this early stage.
HelloKitty / FiveHands – DDoS Ransoms
The ransomware group variously known as HelloKitty or FiveHands made headlines for attacking the Polish video game developer CD Projekt Red. The group allegedly stole source code for several Triple-A game titles, including Witcher 3 and Cyberpunk 2077.
One of the unique aspects of this attack is that it included a coordinated DDoS attack. First, the group launched an encryption-based ransomware attack, demanding payment for confidential files. When the victim did not pay, attackers applied additional pressure by launching a DDoS attack at the same time, disrupting the victim’s ability to organize a coherent response.
In some cases, the DDoS attack comes first, acting as a distraction to prevent security teams from noticing the infiltration of ransomware distributables. A low volume attack sustained for a few minutes may be just enough time for attackers to slip into the network unnoticed, and it costs next-to-nothing to conduct.
Both SunCrypt and Avaddon are cybercriminal syndicates known to use ransomware and DDoS attacks in unison. In many cases, these groups used the DDoS component as a secondary tactic to bring victims to the negotiation table. The DDoS attack may prevent the victim from deploying ransomware remediation solutions, forcing them to pay at least part of the ransom.
Security leaders need to be aware of these multi-staged attacks and deploy robust solutions that can handle a variety of complex attack scenarios. If you use backup software to mitigate ransomware attacks, you’ll need to make sure your backups can operate even when crowded out by a sustained DDoS attack.
Lockbit 2.0 – Insider Threats
Lockbit 2.0 made headlines in 2021 for openly inviting rogue corporate employees to help them victimize large corporations. In exchange for network access, the ransomware group would pay “millions of dollars” to insiders who execute Lockbit 2.0 malware on the network.
There’s currently no way to tell how many corporate insiders took the bait, or whether Lockbit 2.0 actually delivered on its highly improbable promise. However, the fact that ransomware groups have begun brazenly recruiting insiders to carry out their attacks means that every privileged account in every corporate network is now a potential threat.
Disgruntled employees, third-party partners, and even cybersecurity consultants can all become threats if this approach catches on. Businesses will need to implement strict policies for handling account creation, management, and deletion to combat this threat. Behavioral analytics can play an important role detecting rogue accounts, but prevention-based solutions like data exfiltration protection should be enabled on every account.
Maze – Double Extortion
Maze was one of the first groups to use double extortion in November 2019. These attacks pair a generic encryption-based ransomware attack with the additional threat of publishing sensitive data if victims don’t comply with attackers’ demands.
While Maze pioneered this two-pronged attack structure, it proved so successful that the entire ransomware industry soon caught on. Now, groups like REvil, Netwalker, and Mespinoza have put new twists on the well-known tactic.
REvil had established a pattern of extorting its victims with the same data multiple times. After getting a successful ransom payment, the group apparently decided that phishing for new victims is harder than re-extorting old ones, so they would simply demand victims pay again. Many new groups are likely to follow suit.
Both Netwalker and Mespinoza have earned a reputation for posting sensitive data even when victims pay the full amount as demanded. This actually hurts their credibility, since it disincentives victims from paying at all – but they do it anyway.
Prevention is the best way to mitigate double extortion threats. Good security policies and powerful network solutions like data exfiltration protection will prevent attackers from obtaining sensitive records in the first place.
Protect Your Organization from New Cybercrime Threats
Ransomware groups are beginning to notice that their victims are better prepared and less cooperative than ever before. High-profile arrests have damaged the cybercrime industry temporarily, but it’s only a matter of time before new threat actors start using new ransomware group tactics to defraud business owners. Protect your organization and its users with prevention-based solutions designed to mitigate the latest threats that define the larger cybercrime landscape.
