Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety- and security-related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call 'Trend Snippets'. Multiple Trend Snippets combined can provide insights into safety and security trends. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Ransomware attacks still prove profitable
Ransomware remained profitable in Q3 2021, with threat actors proving most successful against the manufacturing industry, followed by financial services, healthcare, technology and construction.
Top four industry targets remain the same
The number of ransomware attacks decreased slightly in Q3 of calendar year 2021 compared to Q2, with manufacturing, financial services, healthcare and technology remaining the most targeted industries. Targeting of the construction sector increased, making it the fifth-most-targeted industry during Q3 (see Figure 2).
New RAMP forum creates rampage
Following the DarkSide group's dissolution after the Colonial Pipeline attack [1], the Groove ransomware collective emerged in September 2021 and created the RAMP forum, which connects orphaned affiliates with ransomware-as-a-service (RaaS) operators. The forum's emergence suggests that RaaS activity will keep growing, and it poses a significant and continuing threat to businesses.
Media reporting increases impact
Active media reporting reflects a "scoop-and-scandal"-driven culture in the cybersecurity community and unintentionally amplifies cyber threat actors' influence. Cyber criminals used this publicity in Q3 of calendar year 2021 to criticize rivals and to increase pressure on victims.
Affiliate disputes are on the rise
The number of disputes between ransomware affiliates and ransomware group operators is growing. Former affiliates have disclosed sensitive information about the groups they left, leading to a proliferation of potent ransomware tools and techniques.
Attack playbook isn’t the whole story
The Conti Playbook, an attack playbook disclosed by a former member of the Conti ransomware threat group, suggests that Conti affiliates tend to rely on well-established cybercrime botnets, malicious spam and spear phishing.
Cloud plays into ransomware’s hands
Cloud environments were and continue to be attractive targets, perhaps because they are monitored less closely than on-premises environments. Consistent with this, cloud-related malware evolved faster than more traditional malware in 2021: the rate of code changes in cryptominers (the primary malware that malicious actors deploy in compromised cloud environments) outpaced the rate of code changes in botnets and ransomware. This comparison highlights significant threat actor investment in cloud-focused tools, particularly in modifying pre-existing tools [2].
During multiple incident response engagements in 2021, Accenture observed ransomware and extortion operators targeting cloud infrastructure and hosted backups in attempts to increase operational impact. This included abuse of the SAML 2.0 (Security Assertion Markup Language) identity federation that a victim used to access Amazon Web Services (AWS) via Microsoft Azure Active Directory (Azure AD): previously compromised credentials gave the attackers unauthorized console access to several AWS resources in support of further objectives [3]. At least one ransomware group used an offensive cloud toolset, specialising in cryptojacking operations, that vxunderground researchers leaked from the threat group TeamTNT in October 2021. This use indicates a trend toward ransomware groups developing custom tooling for increased cloud infrastructure targeting [4].
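The federation abuse described above leaves a trail in AWS CloudTrail: each SAML-based session appears as an STS `AssumeRoleWithSAML` event, and a browser session on that role appears as a `ConsoleLogin` event from `signin.amazonaws.com`. The following is an added example, not code from this page or from Accenture, of how a responder could triage those records. The field layout follows CloudTrail's documented record format as I understand it; the account ID, role names, identity provider ARN, IP ranges, baseline sets and sample records are all constructed for illustration.

```python
"""Triage SAML-federated access to AWS from CloudTrail records.

Added example (not the page's or Accenture's code). Record layout follows
CloudTrail's AssumeRoleWithSAML and ConsoleLogin events as I understand them;
every identifier and sample record below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline. In production this would come from a clean lookback
# period: corporate/VPN egress ranges, federated identities that have assumed
# roles before, and the roles whose misuse matters most.
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]
KNOWN_PRINCIPALS = {"alice@example.com", "bob@example.com"}
PRIVILEGED_ROLES = {"arn:aws:iam::123456789012:role/AdminRole"}
IDP = "arn:aws:iam::123456789012:saml-provider/AzureAD"  # constructed


def saml_event(event_id, ip, user, role_name):
    """Build a trimmed AssumeRoleWithSAML record (constructed test data)."""
    return {
        "eventID": event_id,
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRoleWithSAML",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "SAMLUser", "userName": user},
        "requestParameters": {
            "roleArn": f"arn:aws:iam::123456789012:role/{role_name}",
            "principalArn": IDP,
        },
        "responseElements": {"assumedRoleUser": {
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role_name}/{user}"}},
    }


def console_login(event_id, ip, session_arn):
    """Build a trimmed federated ConsoleLogin record (constructed test data)."""
    return {
        "eventID": event_id,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "AssumedRole", "arn": session_arn},
        "responseElements": {"ConsoleLogin": "Success"},
    }


# Constructed sample: two normal sessions, one unknown user from an unknown
# network who lands on the admin role and then opens the console.
SAMPLE_RECORDS = [
    saml_event("e1", "203.0.113.45", "alice@example.com", "ReadOnly"),
    saml_event("e2", "198.51.100.7", "carol@example.com", "AdminRole"),
    console_login("e3", "198.51.100.7",
                  "arn:aws:sts::123456789012:assumed-role/AdminRole/carol@example.com"),
    saml_event("e4", "203.0.113.9", "bob@example.com", "ReadOnly"),
]


def from_known_egress(ip):
    """True if the source address falls inside a known corporate egress range."""
    return any(ip_address(ip) in net for net in KNOWN_EGRESS)


def triage_saml_access(records):
    """Return {eventID: alert} for each AssumeRoleWithSAML event that trips a check.

    Checks: source IP outside known egress; federated principal absent from the
    baseline. A successful ConsoleLogin under the same assumed-role session ARN
    does not alert on its own (every federated console user produces one), but
    it raises severity when the session is on a privileged role.
    """
    logins = defaultdict(list)  # assumed-role session ARN -> ConsoleLogin event IDs
    for r in records:
        if (r.get("eventSource") == "signin.amazonaws.com"
                and r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            logins[r["userIdentity"].get("arn")].append(r["eventID"])

    alerts = {}
    for r in records:
        if (r.get("eventSource") != "sts.amazonaws.com"
                or r.get("eventName") != "AssumeRoleWithSAML"):
            continue
        user = r["userIdentity"].get("userName", "")
        role = r["requestParameters"]["roleArn"]
        session_arn = r["responseElements"]["assumedRoleUser"]["arn"]
        findings = []
        if not from_known_egress(r["sourceIPAddress"]):
            findings.append("federated session from IP outside corporate egress")
        if user not in KNOWN_PRINCIPALS:
            findings.append("federated principal not seen in baseline")
        if not findings:
            continue
        console = logins.get(session_arn, [])
        severity = "high" if role in PRIVILEGED_ROLES and console else "medium"
        alerts[r["eventID"]] = {
            "principal": user, "role": role, "source_ip": r["sourceIPAddress"],
            "console_login_events": console, "findings": findings, "severity": severity,
        }
    return alerts


if __name__ == "__main__":
    for eid, alert in triage_saml_access(SAMPLE_RECORDS).items():
        print(eid, alert["severity"], alert["principal"], "; ".join(alert["findings"]))
```

One caveat a responder should keep in mind: CloudTrail only sees the assertion the identity provider issued, not how the user authenticated to it, so a session built from stolen credentials that satisfied Azure AD looks like any other federation event on the AWS side. That is why the checks above key on source network and on the baseline of principals rather than on anything AWS records about MFA, and why the Azure AD sign-in logs for the same user and time window need to be correlated alongside.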
Underground forum members are trading in endpoint accesses
Underground forums show increased interest in access to compromised virtual private networks (VPNs), obtained through stolen credentials and through public and zero-day exploits. For example, Accenture analysis of network access seller data from September to November 2021 shows that the malicious actors selling victim network accesses on underground forums had obtained almost all of those accesses by authenticating to VPNs with compromised credentials [5].
Data extortion is rising without ransomware deployment
In the second half of 2021, Accenture observed new threat groups establishing infrastructure and ramping up attacks focused solely on data exfiltration and extortion, rather than on more destructive ransomware deployments. We expect this trend to continue rising in Q1 of calendar year 2022, as the simplified approach lets actors execute attacks and subsequent extortion attempts more quickly and at scale.
Actors imply insidious insiders
Along with an unsubstantiated claim of insider access at Accenture, actors using LockBit implied in November 2021 that they have an insider at another major corporation [6]. Robust insider threat programs can help to quickly confirm or refute threat actor claims that may be intended to deceive responders. Such claims can backfire on threat actors, since an exposed bluff lowers their credibility and therefore their chances of obtaining ransom payments.