The US, UK, and Australia issue globalized ransomware threats advisory

The US, Australia, and the UK have come together to release a joint Cybersecurity Advisory highlighting the increasing ransomware threats.
11 February 2022

Ransomware has become a major problem for organizations and governments around the world. Several cybersecurity reports have already highlighted a global increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations in 2021.

As such, cybersecurity agencies from the US, Australia, and the UK have come together to release a joint Cybersecurity Advisory highlighting the increasing ransomware threats. The agencies include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK).

The joint cybersecurity advisory provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.

The agencies from all three countries have observed the following behaviors and trends among cybercriminals in 2021:

  • Cybercriminals are gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploitation of vulnerabilities. Phishing emails, RDP exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents in 2021.
  • Increased usage of cybercriminal services-for-hire, especially ransomware-as-a-service (RaaS). Ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cybercriminals.
  • Cybercriminal groups are sharing victim information, diversifying the threat to targeted organizations.
  • Shifting away from “big-game” hunting in the United States toward smaller organizations in the supply chain, especially mid-sized victims.
  • Taking a diversified approach to extorting money by using triple extortion. This includes threatening to publicly release stolen sensitive information, disrupt the victim’s internet access, and/or inform the victim’s partners, shareholders, or suppliers about the incident.
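The RDP credential-guessing vector in the first bullet is one of the easier ones for a defender to spot in host telemetry, because every guess leaves a failed-logon record. The following is an added example, not code from the advisory or from TechHQ: it runs a sliding-window count of failed RemoteInteractive logons (Windows Security Event ID 4625 with logon type 10) over a handful of constructed log records, flags any source address that exceeds a threshold within the window, and notes whether a successful logon (Event ID 4624) followed the burst, which is the case worth escalating. The record layout, the threshold and the window length are assumptions chosen for illustration.

```python
"""Sliding-window detection of RDP password guessing in failed-logon events.

Added example (not from the advisory or the article). Event IDs 4625/4624 and
logon type 10 (RemoteInteractive) are real Windows Security audit values; the
tuple layout, threshold and window below are assumptions for the illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip).
SAMPLE_EVENTS = [
    ("2022-02-11T08:00:01", 4625, 10, "administrator", "198.51.100.7"),
    ("2022-02-11T08:00:03", 4625, 10, "admin", "198.51.100.7"),
    ("2022-02-11T08:00:04", 4625, 10, "backup", "198.51.100.7"),
    ("2022-02-11T08:00:06", 4625, 10, "svc_sql", "198.51.100.7"),
    ("2022-02-11T08:00:08", 4625, 10, "jsmith", "198.51.100.7"),
    ("2022-02-11T08:00:09", 4625, 10, "jsmith", "198.51.100.7"),
    ("2022-02-11T08:00:12", 4624, 10, "jsmith", "198.51.100.7"),  # success after the burst
    ("2022-02-11T08:05:00", 4625, 10, "alice", "203.0.113.9"),    # one typo, then success: benign
    ("2022-02-11T08:05:30", 4624, 10, "alice", "203.0.113.9"),
    ("2022-02-11T09:00:00", 4625, 3, "bob", "192.0.2.55"),         # network logon, not RDP
]


def parse(record):
    """Turn a raw record tuple into (datetime, event_id, logon_type, account, source_ip)."""
    ts, event_id, logon_type, account, src = record
    return datetime.fromisoformat(ts), event_id, logon_type, account, src


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP logons
    inside any `window`-long span. Each alert records the distinct accounts tried,
    the peak failure count in the window, and the account name if a success followed.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # source_ip -> account names attempted
    alerts = {}
    for ts, event_id, logon_type, account, src in sorted(map(parse, events)):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons are of interest here
            continue
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            tried[src].add(account)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "first_seen": q[0], "failures_in_window": 0,
                    "accounts_tried": set(), "success_after_burst": None,
                })
                alert["failures_in_window"] = max(alert["failures_in_window"], len(q))
                alert["accounts_tried"] = set(tried[src])
                alert["last_seen"] = ts
        elif event_id == 4624 and src in alerts:
            # A success from a source already flagged is the strongest signal: escalate.
            alerts[src]["success_after_burst"] = account
    return alerts


def summarize(alerts):
    """Render alerts as one line per source, for a console or ticket."""
    lines = []
    for src, a in sorted(alerts.items()):
        tail = f"; SUCCESS as '{a['success_after_burst']}'" if a["success_after_burst"] else ""
        lines.append(f"{src}: {a['failures_in_window']} failed RDP logons "
                     f"across {len(a['accounts_tried'])} accounts "
                     f"({a['first_seen']:%H:%M:%S}-{a['last_seen']:%H:%M:%S}){tail}")
    return lines


if __name__ == "__main__":
    for line in summarize(detect_rdp_bruteforce(SAMPLE_EVENTS)):
        print(line)
```

The window-based count avoids alerting on a user who mistypes a password once or twice, while the success-after-burst flag separates a noisy scan from a likely compromise that needs the session terminated and the account's credentials reset.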

Ransomware groups have also increased their impact by targeting cloud infrastructures to exploit known vulnerabilities. Some ransomware threats targeted cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems to deny access to cloud resources and encrypt data.

Managed service providers (MSPs) are also being targeted because they have widespread and trusted access into client organizations. By compromising an MSP, a ransomware threat actor could access multiple victims through one initial compromise. Cybersecurity authorities in the United States, Australia, and the United Kingdom assess there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.

Other areas include attacks on industrial processes and the software supply chain. The FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes.

Dealing with ransomware threats

Speaking to TechHQ on the advisory, Steve Judd, Solutions Architect at Jetstack, pointed out that the advisory highlights growing trends for exploiting both software supply chains and overly permissive account privileges in order to learn more about an organization’s IT environment and move laterally through it.

Amongst the suggested mitigations, a very important principle is mentioned: Zero Trust. Though it sounds like a marketing buzzword, Judd explained that it should form a fundamental part of any organization’s security strategy.

“Put simply, Zero Trust means only giving your accounts (user and machine identities) the minimum permissions they need and only at the time they need them to do their thing. This principle sounds simple in theory, but in practice? Not so much. Never more so than in the world of ephemeral workloads, such as those running in Kubernetes clusters, where containers rapidly appear and disappear.

To manage machine identities in such environments needs automation. For example, automating the creation, rotation, and revocation of machine identities via certificates and cryptographic keys as well as providing visibility into identity validity and usage,” said Judd.
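To make the mechanics behind Judd's point concrete, here is an added illustration; it is not Jetstack's code nor anything from the advisory. A small issuer hands a workload identity only the permissions it asks for, valid for a short lifetime, and can rotate it (the old credential is revoked as the new one is issued), revoke it outright, and log every authorization decision so validity and usage are visible. The HMAC-signed token format, the identity and permission names, the lifetimes and the fake clock are all assumptions chosen for the example; a production system would issue X.509 certificates from an internal CA and use the real clock, but the checks an authorizer has to make (signature, revocation, expiry, then scope) are the same.

```python
"""Least-privilege, short-lived machine identities with rotation, revocation and usage logging.

Added illustration (not Jetstack's or the advisory's code). The token format
(base64 JSON claims + HMAC-SHA256 tag), permission names and TTLs are
assumptions for the example; real deployments use X.509 certificates from a CA.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


class IdentityIssuer:
    """Issues, rotates, revokes and checks scoped short-lived credentials."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)   # issuer signing key, never leaves the issuer
        self._clock = clock                    # injectable so expiry can be demonstrated deterministically
        self._revoked = set()                  # credential ids that must no longer be honoured
        self._active = {}                      # identity -> id of its current credential
        self.usage_log = []                    # every authorization decision, for visibility

    def issue(self, identity, permissions, ttl_seconds=300):
        """Mint a credential carrying only `permissions`, expiring after `ttl_seconds`."""
        now = int(self._clock())
        claims = {"id": secrets.token_hex(8), "sub": identity, "perms": sorted(permissions),
                  "iat": now, "exp": now + ttl_seconds}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        self._active[identity] = claims["id"]
        return f"{body}.{tag}"

    def rotate(self, identity, permissions, ttl_seconds=300):
        """Issue a fresh credential and revoke the one it replaces."""
        previous = self._active.get(identity)
        token = self.issue(identity, permissions, ttl_seconds)
        if previous:
            self._revoked.add(previous)
        return token

    def revoke(self, token):
        """Revoke a specific credential before its natural expiry."""
        claims = self._decode(token)
        if claims:
            self._revoked.add(claims["id"])

    def _decode(self, token):
        """Return the claims if the tag verifies, else None."""
        try:
            body, tag = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return json.loads(base64.urlsafe_b64decode(body))

    def authorize(self, token, permission):
        """Return (allowed, reason); order of checks: signature, revocation, expiry, scope."""
        claims = self._decode(token)
        now = int(self._clock())
        if claims is None:
            reason = "bad-signature"
        elif claims["id"] in self._revoked:
            reason = "revoked"
        elif now >= claims["exp"]:
            reason = "expired"
        elif permission not in claims["perms"]:
            reason = "not-permitted"
        else:
            reason = "ok"
        self.usage_log.append({"at": now, "sub": claims["sub"] if claims else None,
                               "perm": permission, "result": reason})
        return reason == "ok", reason


class FakeClock:
    """Deterministic clock so the demo can advance time explicitly (constructed for the example)."""

    def __init__(self, start=1_644_566_400):   # arbitrary fixed epoch, 2022-02-11T08:00:00Z
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk one workload identity through its lifecycle; returns the decision reasons in order."""
    clock = FakeClock()
    issuer = IdentityIssuer(clock=clock)
    token = issuer.issue("payments-worker", {"queue:read"}, ttl_seconds=60)
    reasons = [issuer.authorize(token, "queue:read")[1],    # within scope and lifetime
               issuer.authorize(token, "db:write")[1]]      # outside the granted scope
    clock.advance(61)
    reasons.append(issuer.authorize(token, "queue:read")[1])  # lifetime elapsed
    renewed = issuer.rotate("payments-worker", {"queue:read"}, ttl_seconds=60)
    reasons.append(issuer.authorize(renewed, "queue:read")[1])  # new credential works
    reasons.append(issuer.authorize(token, "queue:read")[1])    # old one is now revoked, not just expired
    tampered = renewed[:-1] + ("0" if renewed[-1] != "0" else "1")
    reasons.append(issuer.authorize(tampered, "queue:read")[1])  # altered tag is rejected
    return reasons


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to certificate-based setups: revocation is checked before expiry so that a rotated-out credential is reported as revoked rather than merely stale, and every decision is logged with the subject and permission, which is the "visibility into identity validity and usage" that lets a defender notice an identity being used outside the window or scope it was issued for.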

Meanwhile, Steve Cottrell, EMEA CTO at Vectra AI highlighted to TechHQ that the joint security advisory confirms that all organizations are now facing an increased level of risk associated with the threats presented by ransomware.

“It stands to reason that so long as ransom payments are being made, we can expect this now highly sophisticated industry to continue to grow. With the emergence of highly professional Ransomware as a Service (RaaS) operators, the barrier to entry for criminals has never been lower. Notably, the advisory highlights the importance of AI-enabled network detection capabilities and their ability to detect and mitigate ransomware attacks early in the attack phase before encryption occurs,” commented Cottrell.