Joint Alert on Higher Risk of Ransomware Attacks on Critical Infrastructure

Cybersecurity agencies in Australia, the United States, and the United Kingdom have issued a joint security advisory on the growing worldwide threat of ransomware and the increased risk of targeted attacks on critical infrastructure entities.

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) observed high-impact ransomware attacks on 14 of the 16 critical infrastructure sectors in 2021, including government services, financial services, water and wastewater systems, transportation systems, energy, and healthcare and public health.

The UK’s National Cyber Security Centre (NCSC-UK) states that ransomware is currently the largest cyber threat facing the country, with education the most targeted sector. Attacks have also increased on businesses, charities, law agencies, local government public services, and the health sector. The Australian Cyber Security Centre (ACSC) reports that ransomware groups are targeting critical infrastructure sectors including healthcare and medical, energy, financial services and markets, research, and higher education.

In the advisory, the FBI, CISA, and the NSA share their observations on ransomware trends seen in 2021 and the tactics, techniques, and procedures (TTPs) ransomware groups use to gain access to systems, move laterally, and increase the impact of their attacks. They also recommend mitigations that can reduce both the likelihood of a ransomware attack succeeding and the impact of one that does.

2021 Ransomware Attack Trends

In the U.S., the first six months of 2021 saw ransomware groups attack ‘big game’ targets such as Colonial Pipeline, JBS Foods, and Kaseya. The increased scrutiny of ransomware groups that followed these attacks led them to shift toward mid-sized targets; big game targeting nevertheless continued throughout 2021 in the U.S. and Australia.

In Europe, ransomware groups are sharing victim information with other cybercriminal groups. When the BlackMatter ransomware operation shut down, its existing victims were transferred to the LockBit 2.0 infrastructure, and the Conti ransomware group is known to have sold access credentials for victims’ systems to other cybercriminal gangs.

Although double extortion is now typical, 2021 saw a rise in triple extortion attacks: in addition to encrypting files, attackers exfiltrate data and demand payment to prevent its publication, disrupt the victim’s Internet access, and threaten to notify shareholders, partners, and suppliers about the attack.

Strategies Employed to Obtain Access to Victims’ Sites

The FBI, CISA, and the NSA state that ransomware groups have increasingly sophisticated technological infrastructure and that the ransomware threat is growing worldwide. Ransomware groups use a variety of methods to gain access to networks, which makes it difficult to apply defensive measures that reliably stop the attacks.

Initial access is gained through phishing attacks to harvest credentials, the use of stolen Remote Desktop Protocol (RDP) credentials, brute-force attacks to guess weak credentials, and exploitation of unpatched vulnerabilities. CISA has identified a number of new vulnerabilities that ransomware gangs are actively targeting; these have been added to the Known Exploited Vulnerabilities Catalog, which currently lists 368 vulnerabilities. These attack vectors are successful in part because of the larger attack surface created by the growth of remote working and schooling during the pandemic, which has made it harder for IT security teams to patch and manage vulnerabilities while supporting remote employees and students.

Ransomware groups now operate like professional businesses and increasingly outsource specific capabilities to specialist cybercriminal gangs, who assist with payments, negotiations, and settlements and offer 24/7 support services for victims.

Escalating the Effect of Ransomware Attacks

The severity of ransomware attacks increased in 2021. Attacks are designed to cause as much disruption as possible to increase the likelihood that the ransom is paid. Ransomware groups are targeting cloud infrastructure and exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. There has been a rise in ransomware attacks on managed service providers and their downstream customers, on industrial processes, and on the software supply chain. Attacks are frequently launched on weekends or holidays, when fewer network defenders and support staff are available to detect and respond to them.
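Two of the patterns described above, brute-forced or stolen RDP credentials as an initial access vector and attacks launched on weekends or holidays, can be turned into simple detections over authentication logs. The following is an added example written for this page, not code from the advisory or from the agencies that issued it. It runs over constructed sample log lines in a simplified, hypothetical format loosely modelled on Windows logon events 4625 (failed) and 4624 (successful) with logon type 10 (RDP); the thresholds, time windows, and the holiday list are assumptions that a defender would tune per environment.

```python
"""Detections over constructed RDP logon records (added example, not from the advisory).

Record layout (hypothetical, simplified): "<ISO timestamp> <event id> <logon type> <user> <source ip>"
Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a password-guessing burst from 203.0.113.7 that ends in a
# successful logon on a Saturday, followed by ordinary weekday activity.
SAMPLE_LOG = """\
2021-11-27T02:14:03 4625 10 administrator 203.0.113.7
2021-11-27T02:14:05 4625 10 admin 203.0.113.7
2021-11-27T02:14:06 4625 10 backup 203.0.113.7
2021-11-27T02:14:08 4625 10 svc_sql 203.0.113.7
2021-11-27T02:14:09 4625 10 jsmith 203.0.113.7
2021-11-27T02:14:11 4625 10 jsmith 203.0.113.7
2021-11-27T02:14:12 4624 10 jsmith 203.0.113.7
2021-11-29T09:05:44 4624 10 jsmith 192.0.2.10
2021-11-29T09:06:10 4625 10 mjones 192.0.2.11
2021-11-29T09:07:31 4624 10 mjones 192.0.2.11
"""

FAILED_LOGON, SUCCESS_LOGON = "4625", "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the simplified records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "user": user, "src": src})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak_count} for sources with >= threshold failed RDP logons
    inside any sliding window of the given length (threshold/window are assumptions)."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON and e["type"] == RDP_LOGON_TYPE:
            by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def detect_success_after_failures(events, min_failures=3, lookback=timedelta(minutes=10)):
    """Flag successful RDP logons preceded by >= min_failures failed attempts from the same
    source within lookback: the signature of a guessed password rather than a typo."""
    failures = defaultdict(list)
    flagged = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != RDP_LOGON_TYPE:
            continue
        if e["id"] == FAILED_LOGON:
            failures[e["src"]].append(e["ts"])
        elif e["id"] == SUCCESS_LOGON:
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= lookback]
            if len(recent) >= min_failures:
                flagged.append((e["ts"].isoformat(), e["user"], e["src"]))
    return flagged


def detect_offhours_rdp(events, holidays=()):
    """Flag successful RDP logons on Saturdays, Sundays, or listed holiday dates (ISO strings),
    the low-staffing periods the advisory notes attackers prefer."""
    flagged = []
    for e in events:
        if e["id"] == SUCCESS_LOGON and e["type"] == RDP_LOGON_TYPE:
            day = e["ts"].date()
            if day.weekday() >= 5 or day.isoformat() in holidays:
                flagged.append((e["ts"].isoformat(), e["user"], e["src"]))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("brute-force sources:", detect_bruteforce(evs))
    print("success after failures:", detect_success_after_failures(evs))
    print("weekend/holiday RDP logons:", detect_offhours_rdp(evs))
```

On the sample data the first two detections both single out 203.0.113.7 (six failures in eight seconds, then a success for jsmith), while the weekday logon from 192.0.2.11, with one failure before success, is left alone; the weekend check flags only the Saturday logon unless 2021-11-29 is passed as a holiday. In production the same functions would be fed parsed events from the SIEM or the Windows Security log rather than the embedded string.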

Protecting Against Ransomware Attacks

The advisory includes a lengthy list of mitigations to reduce the likelihood of a successful attack and to limit its impact should perimeter defenses be breached, such as restricting threat actors’ ability to learn an organization’s IT environment and move laterally.

The checklist of proposed mitigations is on this page.