The gravitational force of ransomware’s black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system and has significant implications for IT security, according to the Sophos 2022 Threat Report.
Sophos’ security researchers and threat hunters from Sophos Managed Threat Response, who conducted the research, believe that “the ransomware landscape will become both more modular and more uniform, with attack ‘specialists’ offering different elements of an attack ‘as-a-service’ and providing playbooks with tools and techniques that enable different adversary groups to implement very similar attacks.”
The Sophos research also saw that attacks by single ransomware groups gave way to more ransomware-as-a-service (RaaS) offerings during 2021, with specialist ransomware developers focused on hiring out malicious code and infrastructure to third-party affiliates.
“Some of the most high-profile ransomware attacks of the year involved RaaS, including an attack against Colonial Pipeline in the US by a DarkSide affiliate,” Sophos said. “An affiliate of Conti ransomware leaked the implementation guide provided by the operators, revealing the step-by-step tools and techniques that attackers could use to deploy the ransomware.
The report also found that established cyberthreats will continue to adapt to distribute and deliver ransomware. These include loaders, droppers, and other commodity malware; increasingly advanced, human-operated Initial Access Brokers; spam; and adware. In 2021, Sophos reported on Gootloader operating novel hybrid attacks that combined mass campaigns with careful filtering to pinpoint targets for specific malware bundles.
Ransomware attackers use multiple forms of extortion to pressure victims into paying the ransom and this trend is expected to continue. In fact, Sophos believes there will be an increase in range and intensity. In 2021, Sophos incident responders cataloged 10 different types of pressure tactics, from data theft and exposure to threatening phone calls, distributed denial of service (DDoS) attacks, and more.
Cryptocurrency will continue to fuel cybercrimes such as ransomware and malicious cryptomining, and Sophos expects the trend will continue until global cryptocurrencies are better regulated. In 2021, Sophos researchers uncovered cryptominers such as Lemon Duck and the less common, MrbMiner, taking advantage of the access provided by newly reported vulnerabilities and targets already breached by ransomware operators to install cryptominers on computers and servers.