Cybersecurity incidents are now considered among the greatest threats the world faces in the coming decade. Threats such as ransomware or data theft for extortion are only the end result of weaknesses in an organization’s security posture. Most of these types of attacks are preceded by other lower-order security incidents, such as a phishing attack or the successful delivery of a malware bot to a computer within the targeted organization. These types of incidents provide a foothold (or, sometimes, the initial access) that are just as often traded or sold as used by the threat actor who obtains them initially. No matter how small the attacks start, organizations stand to suffer big losses when they aren’t dealt with promptly.
Considering that some analysts predict that, by 2025, the damages caused by global cybercrime may reach US$10.5 trillion annually, it’s imperative for IT and business leaders to remain aware of attacker behavior patterns and to prioritize cybersecurity in their organization’s digital and IT strategies in 2022 and beyond.
Here are three key trends that will impact cybersecurity in 2022.
1. Ransomware will be a top cybersecurity risk in the coming year, as ransomware actor behavior becomes more uniform
In 2021, responding to a ransomware incident was the reason why nearly four out of five customers of Sophos’ Rapid Response team engaged with that service. We expect ransomware to remain a highly prevalent threat this year, due in part to changes in the criminals’ business model.
The ransomware “industry,” as it were, promotes specialization in smash-and-grab style break-ins, with the most successful ransomware groups operating a service model whose third-party affiliates lease access to the ransomware in exchange for the developer getting a cut of the proceeds. This model, known as ransomware-as-a-service (RaaS), has proven to be highly popular among criminals, displacing the model in which ransomware groups build, maintain, and deploy their own malware. For example, the Colonial Pipeline ransomware attack followed a RaaS model.
Because the model incentivizes the collection of ever greater ransom demands, ransomware developers who operate a RaaS criminal enterprise frequently offer guidance to their affiliate customers, helping to ensure their success, as well as a payday for themselves. Leaked copies of actual ransomware playbooks reveal the reason why so many attacks follow a common pattern — many different affiliates follow the playbooks closely. This complicates the process of attribution, which for a long time could be done by observing differences in threat group behavior, tools or techniques. No longer. Many ransomware attacks look the same, from this behavioral perspective.
After attackers acquire the malware they need, RaaS affiliates and other ransomware operators can turn to a criminal business-to-business support network. In the criminal underground, groups called Initial Access Brokers offer stolen credentials for potential victims for sale to other threat actors who may want to target a specific organization or industry vertical.
These worrying trends in both specialization and the support networks helping ransomware criminals deserve our attention. RaaS allows attackers of very low skill or small budgets to master ransomware and further propagate its use. Organizations must update their internal security monitoring and defenses beyond the detection of malware on endpoint systems.
Policies that segregate networks, applying multi-factor authentication (MFA) to critical systems, and a shifting to the zero-trust model of computing can all enhance your security posture. Just as importantly, defenders must investigate alerts rapidly, regardless of their apparent insignificance, as any intrusion can develop into a foothold that could lead to the loss of control of entire networks.
2. Cryptocurrency will continue to fuel cybercrimes such as ransomware and malicious crypto mining, and this trend is predicted to continue until global cryptocurrencies are better regulated
The volatile value of cryptocurrency will continue to spur cybercrime involving the acquisition of cryptocurrency, not only ransomware but also with malicious crypto mining. Every time new server-side security vulnerabilities appear, threat actors take advantage of them to spread surreptitious crypto-miner software to as many machines as possible and exploits capable of delivering those attacks persist in the wild indefinitely.
Beyond merely earning money for an anonymous criminal, these crypto miners can drive huge costs for pay-per-compute-time cloud services. They also contribute to global climate change by increasing demand on the supply of electricity and may even cause some hardware to fail prematurely. Coupled with the fact that in 2020, attackers earned more than US$406 million in easily-money-laundered cryptocurrency from ransoms, it’s hard to ignore the close relationship between criminal activity and cryptocurrencies.
Our research studies crypto miners such as Lemon Duck and MrbMiner, which routinely employ exploits against a large number of server software vulnerabilities. To prevent cryptominers from taking hold in the network, organizations need to ensure they have defense-in-depth security in place (such as MFA, and the use of virtual local area networks to segregate network segments), and reduce the number of inbound methods of reaching the company network from the public internet to as few as possible.
3. The use of multiple forms of extortion by ransomware attackers to pressure victims into paying ransom is expected to continue and increase in range and intensity
We expect ransomware attackers to expand their use of alternative methods to pressure victims into paying and have identified at least 10 different types of pressure tactics, such as threatening to expose data stolen from the organization and implementing distributed denial of service (DDoS) attacks to extract the payout from victims. Some criminals have even been bold enough to call their victims on the telephone to demand payment.
Looking ahead, both the range and intensity of ransomware attacks are expected to increase.
To minimize the impact of cyberattacks, companies should invest resources in strengthening corporate defenses and disaster recovery efforts; conduct frequent data backups and combine human experts and anti-ransomware technology. They also need to prepare a malware recovery plan that undergoes constant testing and updates to help the company get back on its feet as soon as possible should the worst happen.
As we move into 2022, organizations should look to bolster their IT infrastructure capabilities against highly adaptive ransomware attacks and the exploitation of exposed systems by crypto miners. It is worth considering partnering with a third-party IT service provider to complement internal IT teams and further enhance IT defenses. To ensure comprehensive IT protection from malicious actors, companies also need to increase employee awareness of cybersecurity via regular security training, for instance, to avoid reusing passwords or clicking links in suspicious emails.
