Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Ransomware on the Rise in 2021

Ransomware continued to be the most significant cybersecurity threat facing critical infrastructure, healthcare, defense, and other industries, according to a report issued jointly on February 9 by law enforcement and cybersecurity agencies from the United States, United Kingdom, and Australia.

The report, entitled 2021 Trends Show Increased Globalized Threat of Ransomware, noted that ransomware tactics and techniques continued to evolve in 2021, demonstrating that threat actors using this malware variant continue to improve their technological sophistication resulting in an increased ransomware threat to organizations globally.

The report found a great deal of cross-over between which entities ransomware attackers targeted in each nation. Still, each nation’s agencies reported threat actors were somewhat discerning when attacking their respective countries.

In the U.S., the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) reported ransomware attacks in 2021 affected 14 of the 16 U.S. critical infrastructure sectors, including the defense industrial base, emergency services, food and agriculture, government facilities, and information technology sectors.

The Australian Cyber Security Centre (ACSC) also noted attacks targeting that nation’s critical infrastructure entities, including healthcare and medical, financial services and markets, higher education and research, and energy sectors.

The National Cyber Security Centre (NCSC) in the U.K. said education was one of the top sectors targeted by ransomware actors, followed by businesses, charities, the legal profession, and public services in the local government and health sectors.

The report did not contain any statistics regarding the number of attacks that took place in 2021 nor which groups were primarily responsible, but it stated that ransomware attacks would continue as long as such activity remains profitable for the attackers.

“Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model. Additionally, cybersecurity authorities in the United States, Australia, and the United Kingdom note that the criminal business model often complicates attribution because there are complex networks of developers, affiliates, and freelancers; it is often difficult to identify conclusively the actors behind a ransomware incident,” the report said.


Stop Ransomware Before It Stops You

Modern organizations are often highly nuanced with various networks, locations, clouds, etc., making it difficult to maintain a consistent vulnerability management program across multiple environments. In this session, Director of Trustwave SpiderLabs EMEA, Ed Williams, discussed the hidden vulnerabilities that most often lead to exploitation and how to detect them before they cause damage.


Attack Trends and Behaviors

When it comes to gaining initial access to a potential target’s network, the report said attackers in 2021 used phishing attacks, stolen Remote Desktop Protocols (RDP) credentials, or brute force. 

Attackers used these tactics to target cloud infrastructures, managed service providers, critical infrastructure or industrial processes, the software supply chain, and striking on holidays and weekends when security teams might be off or paying less attention.

Once again, the quick move to remote work in 2020, which remained in effect for most of 2021, was one reason why ransomware attackers continued to use these specific infection vectors. This increase in remote work expanded the attack surface and left network defenders struggling to keep pace with many aspects of cybersecurity, including routine software patching.

The fact that so many organizations remain vulnerable to these attack vectors helped boost the market not only for ransomware-as-a-service providers but for third-party cyberattack suppliers with expertise in helping process ransomware payments, the report said.

Threat actors also employed an ecosystem of independent services that negotiated payments, assisted victims with making payments, and even arbitrated payment disputes between themselves and other cybercriminals. Meanwhile, NCSC-UK observed some ransomware adversaries offering their victims the services of a 24/7 help center to expedite ransom payment and restoration of encrypted systems or data, the report said.

The Threat Actors Ever-Changing Methodology

It is no longer a given that ransomware gangs operate independently and, in some cases, it was seen that they are actively. For example, the report noted some Eurasian ransomware groups shared victim information, diversifying the threat to targeted organizations. In one example, the BlackMatter ransomware group, after it announced it was shuttering its operation, transferred its existing victims to infrastructure owned by the group Lockbit 2.0.

Another change took place in October 2021, when the Conti ransomware group began selling access to its victims’ networks, enabling follow-on attacks by other cyber threat actors.

Threat actors also redoubled their effort to force victims to pay their ransom demand resulting in cases of double and triple extortion being increasingly observed.

Double extortion involved the threat actor using a combination of encryption and data theft to pressure victims to pay ransom demands. Triple extortion twists this concept by having the attacker threaten to publicly release stolen sensitive information, disrupt the victim’s internet access, and/or inform the victim’s partners, shareholders, or suppliers about the cyber incident.

The Good News from 2021

Not all of the news from 2021 was negative. The FBI saw a marketed decrease in attacks on “big-game” targets after incidents involving several major U.S. companies resulted in a strong response that ended up disrupting the gangs associated with the attacks. Subsequently, the FBI observed some ransomware threat actors redirecting ransomware efforts away from these high-profile targets and toward mid-sized victims to reduce scrutiny. 

The U.K. and Australia did not see a similar switch. Each observed attacks on organizations of all sizes throughout the year.

Mitigating the Ransomware Threat

Darren Van Booven, Lead Principal Consultant at Trustwave and former CISO of the U.S. House of Representatives, has noted that cybersecurity practitioners need to create a plan they can use to respond to the full life cycle of a ransomware attack.

Security practitioners should work with the organization’s C-level executives to answer questions and develop a ransomware protection plan. Consider how ransomware is prevented and detected in addition to how your organization would respond.

The plan should ask and answer a series of questions. These include how to contain the ransomware, identify affected systems, is negotiating with the attacker or paying the ransom on the table, and which external resources are needed to respond.

The report further recommended:

  • Utilize timely patching to keep all operating systems and software up to date.
  • Those using an RDP or similar service must be secured and closely monitored.
  • Implement a user training program and phishing exercises to raise awareness among your staff.
  • Require multi-factor authentication.
  • Segment networks.
  • Implement end-to-end encryption.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network-monitoring tool.
  • Enforce the principle of least privilege through authorization policies.

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More