Joint advisory warns of global increase in sophisticated ransomware

11 Feb 2022


Recent reports have noted an increase in sophisticated ransomware attacks targeting Linux-based systems and critical infrastructure sectors.

Cybersecurity authorities in the US, UK and Australia have issued a joint advisory warning on the increase in sophisticated, high-impact ransomware attacks on critical infrastructure.

In the US, the FBI, the Cybersecurity and Infrastructure Security Agency and the NSA observed ransomware attacks against 14 of the 16 US critical infrastructure sectors in 2021. These include the defence industrial base, emergency services, agriculture, government facilities and IT.

“Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organisations globally,” the agencies said in a joint statement this week.

The UK’s National Cyber Security Centre recognises ransomware as “the biggest cyber threat facing the United Kingdom”. The cybersecurity authority said education is one of the top UK sectors targeted by ransomware, but it also noted attacks targeting businesses, charities, the legal profession and public services.

Meanwhile, the Australian Cyber Security Centre noticed a similar trend of cyberattacks aimed at the country’s critical infrastructure sectors, such as medical, financial services, energy and the higher education sector.

“If the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent,” the agencies said. “Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model.”

A shift towards mid-sized victims

A report by these security agencies said the first half of 2021 saw a rise in ransomware attacks on “big game” or high-value organisations that provide critical services, including Colonial Pipeline and JBS Foods. However, by the middle of 2021 ransomware groups had been disrupted by US authorities.

“Subsequently, the FBI observed some ransomware threat actors redirecting ransomware efforts away from ‘big game’ and toward mid-sized victims to reduce scrutiny,” the agencies said.

They provided a list of ways organisations can try to mitigate the risk of being affected by a ransomware attack. These include keeping all operating systems and software up to date, closely monitoring riskier services such as remote desktop protocol, and implementing a user training programme to raise awareness among employees.

Alon Arvatz, senior director of product management at cyber intelligence company IntSights, which is owned by Rapid7, said the joint advisory is an “important step” in ensuring organisations bolster their security against ransomware attacks. He said understanding the threats organisations are exposed to can be the difference between quickly dealing with malicious code or malware causing “significant damage” to a network.

“Whilst this is a step in the right direction, organisations must work to fully understand the ‘context’ behind cyberattacks,” Arvatz added. “Security teams have to be aware of the cybercriminals which are likely to target them, the techniques they use, and which systems they are most likely to target.

“With this knowledge, organisations can then increase their security in areas of the network most vulnerable and know how to defend against cyberattacks which do breach their network.”

Linux attacks

A recent report released by cloud computing company VMware said there has been a rise in cybercrime aimed at Linux-based systems in order to infiltrate corporate and government networks.

The report noted that Linux is a common operating system for multi-cloud environments such as data centres and powers many of the world’s most popular websites. However, most current malware countermeasures are focused on addressing Windows-based threats, which cybercriminals have taken notice of.

“Cloud infrastructures and data centres host key components, such as email servers and customer databases, that have been the target of high-profile intelligence-gathering breaches,” the report said.

VMware also said that ransomware attacks on Linux systems are using more sophisticated techniques, and many of the attacks it noticed against cloud deployments were targeted rather than opportunistic.

“Ransomware attacks against cloud environments are often combined with data exfiltration, implementing a double-extortion scheme that improves their odds of success,” it added.

The report said one of the most common tools used by attackers is Cobalt Strike, along with its recent Linux-based variant Vermilion Strike, which gives hackers remote access to compromised systems. A version of Cobalt Strike was used last year in the HSE cyberattack.

VMware said organisations need to “bolster their ability to identify and defend against these types of attacks”.


Leigh Mc Gowran is a journalist with Silicon Republic
