Laura
20/08/2022
Whitepaper
Even as other events push cyber attacks out of the headlines, ransomware risk hasn’t stopped growing. In a 2022 survey of IT professionals working in organisations with between 100 and 5,000 employees, about two-thirds of companies globally reported experiencing a ransomware incident recently.
Behind today’s threat are familiar faces. Although some ransomware gangs have disappeared over the past 12 months (i.e., the Night Sky ransomware threat that was only active for a short period of time in 2022), for the vast majority of threat actors, “retirement” ends up being little more than a rebranding exercise. Members of the notorious BlackMatter ransomware crew, which shut down its operations last year, are now suspected of being behind the new ALPHV gang. And the Russia-based REvil ransomware group (aka Sodinokibi), thought to be defunct since October 2021, has, to quote The Register, recently come back from “the bowels of the dark web.”
Few organisations are able to spot threats from these groups fast enough. On average, cybercriminals spend 11 days in a target’s network before they are found out, with detection often only happening because ransomware is launched. By automating detection, investigation, and response, security solutions like SenseOn can dramatically cut down ransomware mitigation times, stopping threats before damage happens.
Two Groups Dominate the Ransomware Threat Landscape Today
Remarkably, just two groups — Conti and LockBit 2.0 — accounted for more than half (57.8%) of all ransomware incidents in the first quarter of 2022.
Conti, the ransomware cartel behind attacks on organisations like the Health Service Executive in Ireland and the Scottish Environment Protection Agency, may have suffered a data breach of its own earlier in the year, but the group is still in business. Conti ransomware was responsible for 20% of all ransomware campaigns between January and March of this year, targeting businesses like the marketing giant RR Donnelley, electronics company (and supplier of Apple and Tesla) Delta Electronics, and famous snack producer KP Snacks.
In April, Conti attacked Costa Rican government agencies. This attack forced the Costa Rican president Rodrigo Chaves to declare a state of national cybersecurity emergency. In response, the US is now offering a reward of up to $15 million for information on the group.
LockBit 2.0, a ransomware-as-a-service (RaaS) gang, topped Conti, executing 38% of ransomware attacks in Q1 of 2022. Like Conti, LockBit 2.0 has had a busy April, having attacked Rio de Janeiro’s finance department systems. More recently, Top Aces, a supplier of fighter jets for airborne training exercises, reported being hit by LockBit 2.0 ransomware. LockBit 2.0 was also the most widespread ransomware strain in Q4 of 2021. The gang is perhaps best known for attempting to coax corporate employees to help them infiltrate networks in return for “millions of dollars.”
Both Conti and LockBit 2.0 exfiltrate data and publish it on their leak sites if victims ignore their ransom demands. Since the start of the year, LockBit 2.0 has exposed data on more than 200 victims.
Other Ransomware Groups and Strains to Watch Out for
Although the most prominent, LockBit 2.0 and Conti are by no means the only ransomware groups organisations are up against in 2022. Other gangs (and ransomware variants) like Hive, BlackByte, Quantum, ALPHV, AvosLocker, and Onyx, to name just a few, are just as dangerous and active, often displaying no qualms about who they target.
- Hive: Known for going after healthcare institutions, Hive has been described by the Department of Health and Human Services (HHS) Cybersecurity Program as “exceptionally aggressive.” Motivated by financial gain, Hive exploits weaknesses in VPNs and RDPs and uses phishing attacks to enter victims’ networks, after which it both encrypts and steals data. Besides Windows, Hive’s malware tools can also encrypt Linux and FreeBSD operating systems.
- BlackByte: In February 2022, the FBI and the USSS issued a joint statement, warning US and foreign businesses about the threat that BlackByte presents. The statement noted that BlackByte had compromised at least several US critical infrastructure sectors since November 2021. BlackByte is a “big game ransomware group” targeting high-profile organisations in industries like energy and healthcare. Like Hive, BlackByte also leverages double extortion techniques to pressure victims into making ransom payments. It avoids systems with Russian languages.
- Quantum. A rebrand of the MountLocker, XingLocker, and AstroLocker operations, the Quantum ransomware strain is known for its remarkably fast time-to-ransom, with hackers able to go from initial compromise to deployment and execution in just 3 hours and 44 minutes. In some instances, the Quantum ransomware operators can encrypt files in just 45 minutes. This means that defenders have a very short amount of time to notice and stop attacks.
- ALPHV: Also known as BlackCat or Noberus, ALPHV takes ransomware up a notch by using triple-extortion tactics, i.e., executing DDoS attacks in addition to encrypting systems/files and exfiltrating data. ALPHV has been found to use big game hunter TTPs, something that has caused security experts to speculate whether the new group (ALPHV was first observed late in 2021) might be a rebranding of BlackMatter (aka DarkSide, the gang behind the Colonial Pipeline attack which disrupted fuel supply chain on the US east coast). What’s notable about ALPHV is that it’s the first ransomware gang to successfully infiltrate organisations using malware created using the programming language Rust. Between November 2021 and March 2022, ALPHV has breached more than 60 entities in multiple industries globally.
- AvosLocker: A RaaS variant, AvosLocker uses legitimate tools and known vulnerabilities to turn off the victim’s antivirus software and evade detection tools. In instances where victims refuse to pay up, the group has been observed to call them to negotiate and/or threaten them with DDoS attacks. Similar to REvil, AvosLocker also auctions off stolen data on its site. The FBI and FinCEN released a joint advisory on AvosLocker in March 2022.
- Onyx. Instead of encrypting files larger than 2MB, Onyx destroys them, making it impossible for the victim to decrypt them, even if they pay for a decryption key (only files smaller than 2MB can be recovered). This is apparently a feature rather than a bug, and Onyx’s strategy remains unclear. However, this new ransomware gang also steals data.
Prevent & Limit the Impact of Ransomware with Security Automation
When it comes to cyber threats, attribution is interesting, but defence is more important. When an attack happens, the first thing on any defender’s mind is not where did it come from but “how do I make it go away?”
Although prevention-first solutions are still important, mitigating ransomware risk means rethinking cybersecurity controls. Detection-based solutions like EDR, NDR, and SIEM can help organisations detect ransomware, but they are also the leading cause of a phenomenon known as alert fatigue that causes missed alerts and long response times.
When an attack chain is in progress, the longer it takes to find, isolate and remove a threat, the more damage happens. A few hours of delay can cause a career-ending amount of damage. In this situation, the time it takes to sort through logs from different systems can be operationally fatal. To remove the risk of this kind of nightmare scenario, security controls need to combine and automate detection, investigation, and response functions.
As a security automation platform, SenseOn integrates security tools like EDR and SIEM into a single platform, giving defenders complete visibility into what’s happening within their digital estate. Using a blend of detection methods, SenseOn identifies and correlates behaviour that deviates from what’s considered “normal” for any given organisation, surfacing alerts that are only genuine threats. To ensure a speedy response to critical threats, SenseOn can also automatically isolate infected devices to prevent ransomware from spreading without any human input.
Resources
Explore our collection of eBooks, webinars, articles, and more to help you maximize your understanding of emerging threats, adversary techniques and how to detect cyber attacks.
Visit resource hub
Blog
Automating the MITRE ATT&CK Framework
Blog
Why I Stopped Using a SIEM – and Why You Should Too
Sign up to our newsletter
Join thousands of like-minded professionals who are already receiving our blog updates and best practice guides.