How ransomware gangs and malware campaigns are changing
Deep Instinct released its 2022 Bi-Annual Cyber Threat Report which focuses on the top malware and ransomware trends and tactics from the first half of 2022 and provides key takeaways and predictions for the ever-evolving cybersecurity threat landscape.
“2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defenses,” said Mark Vaitzman, Threat Lab Team Leader at Deep Instinct.
Malware and ransomware trends in H1 2022
- Changes in threat actor structure: Some of the most prevalent activities observed include changes within the world of ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of Quantum, BlackBasta, and BlackByte. These three prominent former affiliate groups to the Conti operation emerged under their own operations following the decline of Conti.
- Malware campaigns in flux: The report highlights the reasons behind significant changes to Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.
- As Microsoft shuts down one avenue, bad actors open others: Researchers found that malicious documents, previously the number one attack vector, have declined since Microsoft moved to disable macros by default in Microsoft Office files. Threat actors have already been seen shifting gears and adopting other delivery methods for their malware, such as LNK, HTML, and archive email attachments.
- Major exploitable vulnerabilities: Vulnerabilities such as SpoolFool, Follina, and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security. Analysis of CISA’s published known exploited vulnerability catalog suggests that the number of exploited in-the-wild vulnerabilities spikes every 3-4 months and we’re expecting the next spike as we get closer to the end of the year.
- Data exfiltration attacks are now extending to third parties: Threat actor groups are building data exfiltration into their attack flows in order to demand ransom for the stolen data. Once sensitive data has been exfiltrated there are fewer remediation options, so many threat actors are going even further and demanding ransoms from third-party companies whose sensitive information appears in the leaked data.
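The report's observation that in-the-wild exploitation spikes every few months can be checked against CISA's KEV catalog. The script below is an added example, not Deep Instinct's or CISA's code: it buckets catalog entries by the month they were added, flags months well above the median, and reports the gap between spikes. The feed layout (a top-level "vulnerabilities" list with "cveID" and "dateAdded" fields) matches the real KEV JSON, but the entries are constructed and the CVE IDs are placeholders.

```python
"""Bucket KEV catalog additions by month and flag spike months.

Added example; sample feed is constructed and CVE IDs are placeholders.
"""
import json
from collections import Counter
from datetime import date
from statistics import median

# Constructed per-month addition counts used to build the sample feed.
_CONSTRUCTED_PER_MONTH = {1: 3, 2: 2, 3: 9, 4: 2, 5: 3, 6: 2,
                          7: 8, 8: 2, 9: 3, 10: 2, 11: 10, 12: 1}
_entries = [{"cveID": "CVE-2021-00000", "vendorProject": "ExampleVendor",
             "product": "ExampleProduct", "dateAdded": "2021-12-20"}]  # outside 2022
for _month, _count in _CONSTRUCTED_PER_MONTH.items():
    for _ in range(_count):
        _entries.append({"cveID": f"CVE-2022-{len(_entries):05d}",  # placeholder ID
                         "vendorProject": "ExampleVendor", "product": "ExampleProduct",
                         "dateAdded": f"2022-{_month:02d}-15"})
SAMPLE_KEV_JSON = json.dumps({"title": "Known Exploited Vulnerabilities (sample)",
                              "vulnerabilities": _entries})


def monthly_additions(kev_json: str, year: int) -> dict[str, int]:
    """Return {'YYYY-MM': count} for every month of `year`, zero-filled."""
    counts = Counter()
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        added = date.fromisoformat(vuln["dateAdded"])
        if added.year == year:
            counts[added.strftime("%Y-%m")] += 1
    return {f"{year}-{m:02d}": counts.get(f"{year}-{m:02d}", 0) for m in range(1, 13)}


def spike_months(series: dict[str, int], factor: float = 2.0) -> list[str]:
    """Months whose additions exceed `factor` times the median month."""
    threshold = factor * median(series.values())
    return [month for month, n in series.items() if n > threshold]


def months_between_spikes(spikes: list[str]) -> list[int]:
    """Gaps, in months, between consecutive spike months."""
    idx = [12 * int(m[:4]) + int(m[5:]) for m in spikes]
    return [b - a for a, b in zip(idx, idx[1:])]
```

Point `monthly_additions` at the downloaded KEV JSON for the real series; the spike threshold is a simple median multiple, so tune `factor` before reading anything into a single flagged month.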
Not surprisingly, ransomware attacks remain a serious threat to organizations, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.
Three specific predictions
- Insiders and affiliate programs: Malicious threat actors look for the weakest link. With continued innovations in cybersecurity, some threat actors choose to seek out weak targets or simply pay an insider. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organization.
- Protestware on the rise: Protestware, the practice of sabotaging one’s own software and weaponizing it with malware capabilities in an effort to harm all or some of its users, is a growing phenomenon. The war between Russia and Ukraine caused a surge in protestware, the most notable example being the wiper shipped in node-ipc, a popular NPM package. Such supply chain attacks are not easy to spot, and they are usually detected only after several victims have been affected.
- End-of-year attacks: While we have not yet heard of a major vulnerability in 2022 comparable to the Log4J or Exchange cases in 2021, the number of publicly assigned CVEs for reported vulnerabilities continues to increase year over year. Threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of systems left unpatched against 2021 CVEs.