Pierluigi Paganini February 12, 2022

CISA, FBI and NSA published a joint advisory warning of ransomware attacks targeting critical infrastructure organizations.

Cybersecurity agencies from the U.K., the U.S. and Australia have published a joint advisory warning of an increased globalised threat of ransomware worldwide in 2021.

Almost any sector was hit by sophisticated, high-impact ransomware attacks, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. 

“In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.” reads the joint advisory. “Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.”

The report also provides details about observed behaviors and trends among cyber criminal organizations in 2021, phishing attacks, stolen Remote Desktop Protocols (RDP) credentials or brute force, and the exploitation of vulnerabilities are the most popular infection vectors.

The agencies warn of the use of cybercriminal services-for-hire, highlighting that the market for ransomware is becoming increasingly “professional.” Ransomware gangs increased in using ransomware-as-a-service (RaaS) model, they also started employing independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals.

Another phenomenon that characterized the last year is an important shift from “big-game” hunting in the United States (i.e. Colonial Pipeline, JBS, and Kaseya) to mid-sized victims and evade the law enforcement’s scrutiny.

Law enforcement also observed ransomware gangs diversifying approaches to extorting money, such as the use of “triple extortion” by threatening to publicly release stolen sensitive information, while disrupting the victim’s internet access and/or informing the victim’s partners, shareholders, or suppliers about the security breach.

Below is the list of mitigations recommended by the cybersecurity agencies:

• Keep all operating systems and software up to date,
• If you use RDP or other potentially risky services, secure and monitor them closely,
• Implement a user training program and phishing exercises to raise awareness among users,
• Require MFA for as many services as possible,
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords.
• If using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth. 
• Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
• Segment networks,
• Implement end-to-end encryption,
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool,
• Document external remote connections,
• Implement time-based access for privileged accounts,
• Enforce principle of least privilege through authorization policies,
• Reduce credential exposure,
• Disable unneeded command-line utilities; constrain scripting activities and permissions, and monitor their usage,
• Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration,
• Ensure all backup data is encrypted,
• Collect telemetry from cloud environments.

The agencies urge victims of ransomware to report incidents and never pay the ransom.

“Cybersecurity authorities in the United States, Australia, and the United Kingdom strongly discourage paying a ransom to criminal actors.” concludes the advisory. “Criminal activity is motivated by financial gain, so paying a ransom may embolden adversaries to target additional organizations or encourage cyber criminals to engage in the distribution of ransomware. Paying the ransom also does not guarantee that a victim’s files will be recovered. Additionally, reducing the financial gain of ransomware threat actors will help disrupt the ransomware criminal business model.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]