Ransomware attackers are growing bolder and using new extortion methods
IT and OT environments are increasing targets and threat actors are using Dark Web forums to launch cybercrimes, according to Accenture’s 2021 Cyber Threat Intelligence report.
It’s hardly surprising that threat actors are pervasive and aggressive, but a new report finds in the first half of 2021, they have been testing new extortion methods, targeting critical infrastructure business operations continuity in particular. This was one of four key trends identified in Accenture’s 2021 Cyber Threat Intelligence Report.
The report also identified the rise of the Cobalt Strike, commodity malware invading operational technology from the IT space and Dark Web actors challenging IT and OT networks as the three other main cybersecurity trends.
Meanwhile, the White House is stepping up federal efforts to fight domestic and foreign cyberattacks, and on Thursday launched a ransomware task force aimed at helping businesses and state and local governments combat cybersecurity threats.
SEE: How to prevent ransomware attacks with a zero-trust security model (TechRepublic)
The Accenture report highlights what the firm characterized as the often unseen connection between the new ecosystem, the Dark Web economy, ransomware disruptions, commodity malware and pirated software abuse and their collective, disruptive effects on both IT and OT environments.
“Threat actors are connecting the dots to improve their tactics and collaborate with each other to take advantage of an evolved ecosystem,” Accenture said in a blog. “Not only have we seen increased pressure from threats related to remote working vulnerabilities, but also cybercrime actors have profited from the crucial roles played by local government, healthcare and supply chain providers.
The report found that:
Dark Web forums are a feeding ground for new threat actors. Online forums are making it easier and cheaper than ever for newcomers to launch cybercrime operations. Along with traditional commerce in malware logs, threat actors are selling parser tools that more easily compile logs, credentials, certificates and cookies. Such tools help other threat actors, including inexperienced ones, create new campaigns and assume the identities of legitimate users in a target network.
Ransomware actors are growing bolder. They are targeting manufacturing and a range of critical infrastructure sectors—from financial, to energy, to food production worldwide—using high-pressure tactics to escalate infection consequences. Increasingly, they deploy multiple pressure points at once to extract ransom payments.
Threat actors are abusing pirated versions of the commercial penetration testing framework Cobalt Strike. Their use of this familiar tool for malicious purposes adds to the perennial arsenal of commodity malware—an enduring feature of cybercrime operations that spreads easily within victim networks.
Hidden threats and payment pressures
The Accenture report noted that information is easy to buy—-and even easier to use. Since the beginning of the year, there has been a “slight but noticeable increase in threat actors selling malware logs” on the Dark Web, which contain data from information-stealing malware. Information stealers collect and log several types of data, including system information, web browser bookmarks, web session cookies, login credentials and payment card numbers.
The global ransomware crisis has entered a new phase with threat actors adopting stronger pressure tactics and attacking targets such as manufacturing and critical infrastructure, the blog said.
There are four techniques ransomware actors use: Local denial of access (encryption); leak extortion (also known as “name and shame” tactics); distributed denial-of-service (DDoS); and contact with a victim’s customers.
“To pay or not to pay ransoms is still a big question in many people’s minds,” the blog stated. “Accenture has reinforced United States federal government guidance: Don’t pay ransoms. Companies could be subject to financial penalties if they inadvertently pay a sanctioned entity and cannot guarantee the return or deletion of stolen data.
Instead, organizations should focus on prevention and recoverability: Protect against commodity malware; stay alert for Dark Web sales of stolen credentials; segment systems to minimize the lateral movement of ransomware; deploy good logging systems to detect anomalous network behavior, and create backups and playbooks to strengthen operational resilience.
Be proactive and act fast
When a breach occurs, Accenture recommends reacting quickly, working with legal counsel and applying incident response and communications best practices. With all these trends happening together, it can be a particularly worrying time for OT and critical infrastructure providers. Three possible things to remember are:
- Preparation and preventative measures are paramount. In industrial OT, just as in purely IT environments, when these measures are neglected or fail, threat mitigation becomes reactive, focusing on triage and response.
- Threat actors’ use of easily purchased commodity malware, if not detected quickly, can help an adversary buy time to traverse from IT to OT networks.
- DarkSide ransomware use against a critical infrastructure target is a reminder that OT environments are in the crosshairs.
“For OT and critical infrastructure and key resources providers in the United States, the Executive Order on Improving the Nation’s Cybersecurity issued in May 2021 goes a long way toward addressing these threats and trends,” Accenture said.
Providers are hitting back as they work to improve software design, secure supply chains, invest in more easily secured digital technologies, improve cybersecurity focus and work more transparently with government counterparts to drive a more stable business environment, Accenture said.