Double-extortion & DDoS add to software supply chain ransomware woes

Healthcare and Food & Beverage the big victim sectors, with double extortion plus DDoS fueling temptation to pay up.
14 June 2022

  • Zscaler found that ransomware attacks increased by 80% to March 2022 compared to the previous year, setting new records for both the volume of attacks and the cost of damages.
  • Supply chain ransomware attacks multiply damages and allow attackers to bypass traditional security controls.

It’s almost unsurprising that ransomware attacks are running amok – numerous reports have highlighted their prolific rise. Cybersecurity specialist Zscaler, in a recently released ThreatLabz Ransomware Report, revealed an 80% increase in ransomware attacks between February 2021 and March this year. What is more worrying is that manufacturers, for the second year in a row, remain the most targeted vertical.

As it is, global industry has had a wild ride for the last two years – much of it downwards. What sets this year apart, though, is the growth in double-extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geopolitically incited ransomware attacks. The report analyzes over a year’s data from the Zscaler Zero Trust Exchange, which processes more than 200 billion daily transactions and 150 million daily blocked attacks. The global cost of ransomware damages is forecast to grow to US$42 billion by 2024.

Healthcare, F&B biggest jump in ransomware attacks 

In 2019, Zscaler said, many ransomware groups updated their tactics to include data exfiltration, commonly referred to as ‘double extortion’ ransomware: exfiltrate data, encrypt victims’ hard drives, extort money for decryption, and extort money not to disseminate the exfiltrated data. A year later, select groups added distributed denial of service tactics to ransomware to create greater business disruption, thus pressuring the victim to negotiate.

The growth rate of attacks on healthcare companies was particularly striking, Zscaler said, with double-extortion attacks growing by nearly 650% when compared to 2021. That sector was followed by the restaurants and food services industry, which saw over a 450% spike in ransomware.

“Double extortion ransomware increased by 117%, indicating that more […] attacks include data theft in their strategies. Some industries saw particularly high growth of double extortion attacks, including healthcare (643%), food service (460%), mining (229%), education (225%), media (200%), and manufacturing (190%),” the report stated. Manufacturing alone made up almost 20% of double extortion ransomware attacks.

The tactics and scope of ransomware attacks have been steadily evolving, but the end goal remains monetary gain, pursued through disruption of the target organization, theft of sensitive information, and presentation of ransom demands. “The size of the ransom often depends on the number of systems infected and the value of the data stolen: the higher the stakes, the higher the payment,” Zscaler said in a statement.

No rest for the supply chain 

The most dangerous ransomware trend for this year involves software supply chain attacks that use established connections and shared files like central repositories of shared assets, code libraries, security patches (!) or system updates including firmware code blobs.

In fact, ThreatLabz noted nearly a 120% increase in double-extortion ransomware victims based on data published on threat actors’ data leak sites. “Exploiting trusted suppliers lets attackers breach a large number of organizations all at once, including organizations that otherwise have strong protections against external attacks,” it said.

The report shares how threat actors have exploited trusted platforms like SolarWinds and Kaseya, and common code libraries like Log4j. Zscaler expects this trend to only escalate in the coming years.

“Feeling increased heat from law enforcement, many ransomware groups have disbanded and reformed under new banners, where they use the same (or very similar) tactics. DarkSide rebranded as BlackMatter, DoppelPaymer rebranded as Grief, and Avaddon rebranded as Haron and Midas. Evil Corp, sanctioned by the US government, has consistently rebranded their ransomware operations,” Zscaler emphasized in its report.

Whatever their label, ransomware groups continue to evolve and persist. Their activities are profitable and fueled by affected victims paying up. Now might be a good time to test disaster recovery routines, especially with regard to the speed of reinstatement of business-critical systems.