One ransomware attack disrupts multiple companies in Q1 2022

Increased threats to business services demonstrate cybercriminals' desire to disrupt multiple companies with one attack, according to Trellix's latest Threat Report.
22 July 2022

Ransomware-as-a-service? There’s a marketplace on the dark web for it (Photo by Michael M. Santiago / GETTY IMAGES NORTH AMERICA / Getty Images via AFP)

  • With just one ransomware attack, multiple companies are being disrupted, especially in the business services sector.
  • Trellix data shows business services accounting for 64% of total US ransomware detections. It was the second most targeted sector, behind telecom, across global ransomware detections, malware detections, and nation-state backed attacks in the first three months of this year.
  • Trellix also noted that following the January arrests of members of the REvil ransomware gang, payouts to attackers declined. 

We are living in a time when almost no two ransomware attacks are alike. In fact, the reason ransomware attacks are rising has to do with an evolution in how such attacks are conceived and executed. Simply put, the newer the tactics, the more dire the consequences of a successful attack are. The Russia-Ukraine conflict has been reshaping cybercrime to a point where organizations can only do so much to protect against it.

A recent report by cybersecurity firm Trellix, titled The Threat Report: Summer 2022, found that the threat landscape has changed lately, as multiple domains have partially merged. “The first quarter of 2022 in cybersecurity was more about evolution than revolution. The techniques and prevalence of a ransomware attack advanced while Russian cyberattacks continued a slow-building evolution fed by the continuing conflict in Ukraine,” the cybersecurity company said.

Prior to this, Trellix noted that although Russian cybercriminal groups have always been active, their tactics, techniques, and procedures had not significantly evolved over time. In the first three months of this year alone, Trellix found that the number of threats to business services increased. That means companies providing IT, finance and other types of consulting and contract services were targeted by adversarial actors more often.

That, according to Trellix, demonstrates cybercriminals’ desire to disrupt multiple companies with one attack. “Business services accounted for 64% of total US ransomware detections and was the second most targeted sector behind telecom across global ransomware detections, malware detections, and nation state-backed attacks in Q1 2022,” it said.

Trellix also noted that following the January arrests of members of the REvil ransomware gang, payouts to attackers declined. The company particularly observed ransomware groups building lockers targeting virtualization services with varied success. “Long has there been speculation with regards to nation state involvement in (organized) cybercrime. Leaked chats from the quarter’s second most active ransomware gang, Conti, which publicly expressed allegiance to the Russian administration, seem to confirm the government is directing cybercriminal enterprises,” it noted.

Trellix believes that the criminals benefit by getting “immunity” of sorts, whereas the nation state benefits from covert operation under the flag of the actor, especially when collaborating with a ransomware gang, such as Conti. The encrypted systems provide little information about the intrusion and activities on the system. This further masks the actions that were performed on the system, Trellix said.

Besides all that, Trellix said telemetry analysis revealed phishing URLs and malicious document trends in email security. “Most malicious emails detected contained a phishing URL, used to steal credentials or lure victims to download malware. We also identified emails with malicious documents and executables like infostealers and trojans attached,” it added.

Trellix’s lead scientist and senior principal engineer, Christiaan Beek, concluded that while adversaries know they are being watched closely, the absence of new tactics observed in the wild during the war in Ukraine tells us that tools are being held back. “Global threat actors have novel cyber artillery ready to deploy in case of escalation and organizations need to remain vigilant.”