Ransomware groups are showing massive sophistication in terms of attacks and the way they operate. This is one of the significant findings highlighted in cybersecurity solutions firm Kaspersky’s report covering new ransomware trends spotted in 2022.
Advancements in technology and geopolitical situations are factors that contributed to how ransomware groups evolved their attacks, which cut across all sectors, large or small in size.
“If last year we said ransomware is flourishing, this year it’s in full bloom. Although major ransomware groups from last year were forced to quit, new actors have popped up with never before seen techniques,” said Dmitry Galov, senior security researcher at Kaspersky’s Global Research and Analysis Team, in a media release. “Nevertheless, as ransomware threats evolve and expand, both technologically and geographically, they become more predictable, which helps us to better detect and defend against them.”
- Prolific use of cross-platform
Recognizing that people are present on many platforms, ransomware groups try to damage as many systems as possible using the same malware. They write codes that can be executed on several operating systems at once. Kaspersky found that Conti, one of the most active ransomware groups, has developed a variant, which is distributed through selected affiliates and targets Linux.
“In late 2021, Rust and Golang, cross-platform programming languages, became more widespread,” Kaspersky said. “BlackCat, a self-proclaimed ‘next-generation’ malware gang that has reportedly attacked more than 60 organizations since December 2021, wrote its malware in Rust. Golang was used in ransomware by DeadBolt, a group infamous for its attacks on QNAP.”
- Rebranding to evade detection
Because some groups have been shutdown, some ransomware groups rebrand so they can continue with their activities. Some groups developed and implemented complete toolkits that resembled ones from benign software companies.
“Lockbit stands out as a remarkable example of a ransomware gang’s evolution,” Kaspersky explained. “The organization boasts an array of improvements compared to its rivals, including regular updates and repairs to its infrastructure. It also first introduced StealBIT, a custom ransomware exfiltration tool that enables data exfiltration at the highest speeds ever – a sign of the group’s hard work put towards malware acceleration processes.
- Politically motivated attacks
Kaspersky experts have witnessed that the conflict in Ukraine has heavily impacted the ransomware landscape. Although such attacks are usually associated with advanced persistent threat (APT) actors, Kaspersky detected some major activities on cybercrime forums and actions by ransomware groups in response to the situation.
Shortly after the conflict began, ransomware groups took sides, which led to politically motivated attacks by some ransomware gangs in support of Russia or Ukraine. One of the malware that was freshly discovered during the conflict is the Freeud, developed by the Ukrainian supporters. Freeud features wiping functionality. If the malware contains a list of files, instead of encrypting, the malware wipes them from the system.
Kaspersky encourages organizations to follow these best practices that help safeguard your organization against ransomware:
- Always keep software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
- Enable ransomware protection for all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits, and is compatible with already installed security solutions.
- Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation, and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within the Kaspersky Expert Security framework.
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for over 20 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated, and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.
Categories: Special Report