Let’s discuss this joint bulletin from the CISA, FBI, and NSA. I did a quick “so what does this mean?” commentary of choice bits below, with an analysis at the end.
Joint Cybersecurity Advisory here.
Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.
Is this a surprise? No. It just seems like the chickens are coming home to roost and the roost has been missing good cybersecurity hygiene.
Complacency is the bane of readiness. This is in line with the trend of malware attacks skyrocketing because most organizations are not pivoting and evolving for the modern threat landscape.
- Sharing victim information. Eurasian ransomware groups have shared victim information with each other, diversifying the threat to targeted organizations. For example, after announcing its shutdown, the BlackMatter ransomware group transferred its existing victims to infrastructure owned by another group, known as Lockbit 2.0. In October 2021, Conti ransomware actors began selling access to victims’ networks, enabling follow-on attacks by other cyber threat actors.
I hope no victims were rationalizing that if they’ve been hit with ransomware once, it won’t happen again. If you’re a victim, you should assume you’re a known victim and that attackers now know you’re vulnerable. After all, if you’ve been breached before, it stands to reason you’re an easy target until you actually, you know…implement cybersecurity measures.
I’d talk about how this might mean it’s a bad idea to have it publicized that you’ve been the victim of ransomware, or how, if you’ve been ransomware’d, you might want to retrace how it happened and maybe make a huge shift in personnel (or at the very least, in their access privileges!), but that’s another topic.
Shifting away from “big-game” hunting in the United States.
- In the first half of 2021, cybersecurity authorities in the United States and Australia observed ransomware threat actors targeting “big game” organizations—i.e., perceived high-value organizations and/or those that provide critical services—in several high-profile incidents. These victims included Colonial Pipeline Company, JBS Foods, and Kaseya Limited. However, ransomware groups suffered disruptions from U.S. authorities in mid-2021. Subsequently, the FBI observed some ransomware threat actors redirecting ransomware efforts away from “big-game” and toward mid-sized victims to reduce scrutiny.
This is bad actors realizing that if they hit mid-sized victims, the crime gets treated as the corporate equivalent of a small claims case. Turns out big companies either keep cybersecurity experts on payroll or have the FBI on speed-dial, who knew? So bad actors are pivoting accordingly.
My takeaway here is that if you aren’t a big fish, the police are just going to nod and take notes, and your insurance company (if you have a cyber insurance policy) is going to hit you with an increased premium. If you don’t look out for yourself and instead hope the government will do it…well then.
- Diversifying approaches to extorting money. After encrypting victim networks, ransomware threat actors increasingly used “triple extortion” by threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident. The ACSC continued to observe “double extortion” incidents in which a threat actor uses a combination of encryption and data theft to pressure victims to pay ransom demands.
Not much to say here besides that the bad actors are improving their ROI on what they can get out of you. Although I do wonder how much more creative they can get from here; they’re already threatening you on three fronts.
I didn’t bother copying the entire section. It was a pretty long and exhaustive list, but it boils down to:
- Backups and redundancies
- Limiting blast radius
- Zero Trust principles
All things organizations may know about but aren’t doing: the corporate equivalent of not putting on a seatbelt while driving. Moving on.
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
I think this is actually a really good reminder, since most organizations may not have a disaster response plan. That being said, having skimmed this guide, it’s trying to do too much in one document. It really feels like multiple plans bundled into one.
Every organization should take this guide as a jumping-off point and then create an internal plan that fits the organization’s needs and addresses its main concerns.
Criminal activity is motivated by financial gain, so paying a ransom may embolden adversaries to target additional organizations (or re-target the same organization) or encourage cyber criminals to engage in the distribution of ransomware. Paying the ransom also does not guarantee that a victim’s files will be recovered. Additionally, reducing the financial gain of ransomware threat actors will help disrupt the ransomware criminal business model.
Economics is the best security. There’s no such thing as perfect, impenetrable security. But there is “not worth breaking into,” where the cost of an attack can’t realistically be recouped by whatever it yields.
“Battle avoided is a battle won” applies to cybersecurity here.
- CISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident.
- CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
These two resources seem excellent for telling organizations how ready they actually are. I wonder how many organizations have red-teamed their own infrastructure?
The main question is: if your organization takes this assessment and fails, what are you going to do about it?
“This is your PSA: Things are ugly. Here are some best practices and resources, but it’s every organization for themselves. If you aren’t following this and you get ransomware’d, that’s really on you, unless you have us on speed-dial.”
I feel like my commentary speaks for itself. Did I miss anything?