The Gately Report: Biggest Cyberattacks So Far this Year, Explosive Ransomware Protection Market Forecast
Big game ransomware attacks are on the rise this year.
![System hacked](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt225704eb289af82d/65241e3028ff126e9c81d5f2/1-System-Hacked.jpg?width=700&auto=webp&quality=80&disable=upscale)
Image: Shutterstock
A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA), according to Microsoft. The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.
Based on Microsoft’s threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since last September.
“It was ultimately a spear phishing attack, but one that really targeted Microsoft email,” said WatchGuard’s Corey Nachreiner. “It was very sophisticated. It stole session cookies, which would give them persistent access at least for a period of time to these email accounts of up to 10,000 organizations they were targeting, and very stealthy techniques to hide from the user as they were using that inbox for further bad stuff. Microsoft does a relatively good job monitoring and protecting, and obviously they eventually recognized this and presumably are stopping it. But we consider it a pretty big and sophisticated attack to do so well at actually getting all the session cookies of all these Microsoft 365 users.”
The Lapsus$ cybercriminal gang did a “pretty big bonanza” earlier this year, stealing and leaking data from several big companies. Nvidia, Samsung and T-Mobile were among the first targeted.
Lapsus$ got into some of Microsoft’s network, stealing source code for things like Cortana, and it stole 2.5% of Okta’s customer data. It also attacked Ubisoft and Globant.
“The level of breach they had in each company was slightly different,” Nachreiner said. “In some, they had … access to a ton of data. Lapsus$ basically was able to hack all of these networks … you get ransomware on all of them, and more importantly, they have this underground site, which they’re starting to make more public because … they will actually post samples of all the data they leaked, kind of shaming the company to get the press to notice. And at the end of the day, they potentially encourage the company to pay the ransom in hopes that this data doesn’t leak.”
The Conti ransomware family attacked the Costa Rican government, causing it to declare a national state of emergency. The attack started by affecting some Ministry of Finance computers, and some government buildings were shut down.
“They asked for pretty big ransoms of $10 million-$20 million when they realized who they got into,” Nachreiner said. “Later, the same Conti group was targeting health care targets in Costa Rica as well. And there was some suggestion, based on some of the messaging seen on the underground, that there may even be political motivations for why they did this. But the big part of the attack is Costa Rica declaring a state of emergency based on a cyberattack for the first time.”
This is an example of how bad guys have moved to big game ransomware, he said.
“They’re looking for a certain type of victim,” Nachreiner said. “In this case, it’s showing even governments are a certain type of victim, but it could be health care because of uptime needs for data in order to have surgeries and [so forth]. It could be manufacturing; it could be big-name companies. What these bad guys are finding when they do big-game ransomware is … that if they can really affect a number of [a target’s] computers and take the business down, that target will be really pressured to want to pay ransom quickly because every second of downtime for data is critical. Big-game ransomware started with health care and manufacturing, but I think the Costa Rica example shows that governments are a great target, too.”
Venky Raju is field CTO at ColorTokens, a provider of autonomous zero-trust cybersecurity solutions.
“Fortunately, the Conti gang dissipated around June, but not before causing extensive damage to critical government and financial systems in Costa Rica,” he said. “We received a number of inquiries on protecting legacy systems that no longer receive security patches and were therefore very vulnerable. In fact, a survey by ColorTokens and Chase Cunningham in 2021 revealed CISOs’ concerns of legacy systems being a drag on zero-trust implementations.”
The Russia-Ukraine war marks the first time a two-way cyber war is taking place alongside a physical conflict, Nachreiner said. Among the attacks are state-sponsored Russian attackers targeting Ukrainian websites with distributed denial-of-service (DDoS) attacks.
“They’re doing a lot of DDoS campaigns and financial cyberattacks against various Ukrainian companies and government sites while they’re carrying on a physical campaign as well,” he said. “But it’s also going the other way, too, and it’s not necessarily just Ukraine. I’m sure Ukraine might have some both defensive and offensive cyber actions against Russia, but more interestingly … I would say most democratic or Western nations are pro-Ukraine and a lot of hacktivists from around the world have started doing things against Russia. I would definitely put this more on disruption than breaching the military organization and affecting some physical campaign. But it’s very interesting to see how a physical war is certainly from this day forward going to carry a cyber war along with it, both from the state-sponsored attackers, but potentially also from hacktivists that have a view on it that might target one or another site as well.”
In April, fintech giant Block, formerly known as Square, confirmed a data breach that exposed sensitive information of more than 8.2 million users. It involved a former employee who downloaded reports from Cash App that contained some U.S. customer information.
“I threw this one in more because of the value of the Cash App and the amount of personal data records,” Nachreiner said. “To some extent, these personally identifiable information (PII) breaches, you … get fatigue from hearing about them so much. But this is one I just picked because the Cash App itself is actually one of the more popular methods of payment. So if I were a customer, I certainly wouldn’t want my personal data out there. And 8.2 million records isn’t the biggest one ever.”
In January, Crypto.com confirmed 483 of its users were hit in a hack, leading to unauthorized withdrawals of bitcoin and Ether worth $35 million. The company had initially said $15 million was taken in the heist.
“There are a number of cryptocurrency-related hacks, but the Crypto.com one was interesting in that it’s one of the bigger exchange shares or wallets out there,” Nachreiner said. “For a period of time, these threat actors were able to slowly steal cryptocurrency from some of the wallets of customers that are on Crypto.com. And it was also kind of interesting that there was two-factor authentication (2FA) on Crypto.com as well, and using similar things like that session cookie, they were able to bypass the 2FA.”
Marquard & Bahls, a German energy provider, was attacked, destabilizing its IT infrastructure. As a result, the company was forced to temporarily shut down 200 German fuel stations. The company blamed the attack on the BlackCat ransomware group.
“I see mixed data about this particular attack, but I thought it was pretty big,” Nachreiner said. “They also supply jet fuel and other things like that.”
In May, SpiceJet, India’s second-largest airline, was hit with a ransomware attack that caused flight delays ranging from two to five hours, unavailable online booking systems and inaccessible customer service. While SpiceJet’s IT team was able to thwart the attack before it fully took over, customers and employees still experienced the ramifications.
“The fact that you’re starting to see ransomware shutting down planes, even if it’s just for half a day, it’s a pretty significant thing,” Nachreiner said. “It disrupts schedules. It’s pretty easy for flights from one company being disrupted, starting to cause a chain of disruptions throughout the day for everyone. I mostly included it because of the physical repercussions of not being able to fly for half a day. For all of those customers, SpiceJet planes were grounded for about half the day while they sorted their systems out.”
In January, Bernalillo County, New Mexico’s largest county, suffered a ransomware attack. The attack impacted the 675,000 residents in the county, including those living in Albuquerque, New Mexico’s most populous city.
“But the one thing that was really interesting to me, and again it goes to the theme of cyberattacks affecting physical, is they also got into the government-run facilities for the jail and basically the camera feed, so the security cameras … used to monitor the inmates were offline for a period of time,” Nachreiner said. “More importantly, they couldn’t actually open all the doors because they’re networked. So apparently the inmates were stuck in cells for a period of time. But the opposite could be even worse if you start disabling all the security systems and opening doors of jails.”
In April, the United States linked North Korean hackers to the theft of hundreds of millions of dollars’ worth of cryptocurrency tied to the online game Axie Infinity. Ronin, a blockchain network, lets users transfer crypto in and out of the game.
“If you’ve been following cryptocurrency and blockchain-related hacks, there have been tons of them,” Nachreiner said. “The Ronin blockchain had an actual breach to where the attackers allegedly made off with $600 million in cryptocurrency.”
In other cybersecurity news …
With ransomware continuing to plague organizations globally, it’s no surprise the ransomware protection market is set to more than quadruple by 2031, reaching nearly $83 billion.
That’s according to a new report by Allied Market Research, which expects a compound annual growth rate (CAGR) of more than 17% through 2031. The market generated more than $17.3 billion in 2021.
Leading market players include Malwarebytes, Bitdefender, Intel Security, Kaspersky, SentinelOne, Sophos, Trend Micro and more.
The increase in penetration of ransomware as a service (RaaS), the rise in digitization of businesses, and the emergence of cryptocurrencies such as Bitcoin are driving global market growth. However, lack of awareness about cyberattacks and budgetary constraints restrain the market growth. On the other hand, the rise in demand for multi-layer security protection in organizations and a surge in adoption of cloud-based services present new opportunities in the coming years.
Based on industry vertical, the IT and telecom segment accounted for the largest market share in 2021, holding nearly one-fourth of the global ransomware protection market. It’s expected to maintain its lead status through 2031. This is due to the increase in use of mobile devices, the shift toward digitization and the rise in technology initiatives in organizations.
However, the health care segment is projected to have the fastest CAGR, at nearly 24% from 2022-2031. That’s due to the increase in internet penetration, which has exposed medical devices to new cybersecurity vulnerabilities. In addition, the rise in ransomware attacks on hospitals and implanted devices, and breaches of sensitive data, supplement the growth of this vertical.
Based on region, North America contributed the largest market share in 2021, accounting for around two-fifths of the global ransomware protection market. It should maintain its dominance in terms of revenue through 2031. This is attributed to the rise in usage of ransomware protection in health care and other sectors to protect data from breaches, and to enhance operations and customer experience.
However, the firm expects Asia Pacific to record the fastest CAGR, at nearly 20% through 2031. This is due to strong IT infrastructure, and solid software and services offerings, along with a rise in penetration of cloud-based offerings and a surge in demand for ransomware protection in health care, banking, financial services and insurance (BFSI), and government sectors for security purposes.
Building materials giant Knauf has been hit with a cyberattack claimed by the newly emerging Black Basta ransomware gang.
Black Basta has already published 20% of exfiltrated files online, which include email communication, user credentials, employee contact information, production documents and ID scans.
While it is not clear exactly which kind of cyberattack Knauf has suffered, signs point to ransomware. The entirety of Knauf’s IT systems remain offline as the company attempts to isolate the incident.
“We are currently working heavily to mitigate the impact to our customers and partners – as well as to plan a safe recovery,” Knauf said in a message on its webpage.
Josh Rickard is security automation architect at Swimlane.
“With all IT systems down in an attempt to isolate this incident, Knauf is not able to carry out routine business processes in an efficient and reliable way,” he said. “Time spent offline can lead to production decline, dissatisfied customers and ultimately loss of revenue, making the effects of these kinds of attacks even worse. In order to mitigate the impact of ransomware and other malicious cyberactivity, organizations must be equipped with the proper cybersecurity controls to handle these kinds of threats.”
Stephan Chenette is AttackIQ’s co-founder and CTO.
“If PII is included in these leaked files, it can be bought and sold for top dollar on the dark web, further exposing victims to future fraud or phishing attacks,” he said. “As evidenced by this and many other recent ransomware attacks, it’s no longer an issue of just whether or not to pay the ransom. It is likely that the organization will suffer reputational damage, and loss of data and business. Because of this, it’s important for organizations to defend against ransomware by understanding the common tactics, techniques and procedures used by the adversary.”
While the Conti group may have publicly announced that it was stopping operations, that doesn’t mean the group has totally disappeared.
Since the announcement in May, Intel 471 researchers have observed Conti-loyal actors splinter and move in different directions within the cybercrime underground. Some actors have leaned into side projects that take advantage of segments of Conti’s prior operations, like network access or data theft. Others have allegedly forged alliances with other RaaS groups, building upon individual relationships that were cultivated during Conti’s existence.
Whatever path former Conti-affiliated actors have chosen, they are still focused on making profits and staying out of law enforcement custody as they move past the information leaks and subsequent media attention of the last few months.
The Black Basta ransomware gang, which started operations a month before Conti announced its shutdown, has shown signs of overlap with its TTPs, Intel 471 said. Black Basta’s data leak blogs, payment sites, recovery portals, victim communications and negotiation methods all bear similarities with Conti’s operations. Despite those similarities, Intel 471 can’t fully confirm that Black Basta is solely a rebrand launched by former Conti group members.
Brad Crompton is director of intelligence for Intel 471’s Shared Services.
“It’s important to follow these threat actors because it’s highly likely that they will resurface as part of some other criminal undertaking, or will use specific TTPs that may enable tracking new aliases that these threat actors may choose to operate under, or enable mitigation of specific TTPs,” he said. “The public saw Conti fracture and eventually cease operations once the ContiLeaks exposed their inner workings. By continuing to follow their actions, it continually makes it more difficult for them to remain operationally secure, bringing unwanted attention to their schemes, and making it much harder for them to operate successfully.”
When former Conti actors work as freelancers or join other RaaS groups, those groups become that much stronger, Crompton said.
“Think of it the same way as a company looking to recruit talent after a competitor goes out of business,” he said. “There are skills that can be applied to their own operations, which only serves to strengthen their attacks. Moreover, new activities may highlight business sectors that these RaaS groups seek to target, or new TTPs that are being used. By monitoring for specific targeting of sectors or TTPs used, businesses can remain prepared and stay one step ahead of pending threats.”
Given that former Conti actors or affiliates have branched out to some of the most active RaaS groups currently operating, the threat is serious, Crompton said.
“Conti had some skilled operators along the various steps of a ransomware attack,” he said. “By integrating those people into their own schemes, other RaaS groups like LockBit 3.0 or ALPHV only grow stronger. This is a perfect example of how financially-motivated cybercriminals are opportunistic above everything else. Their first loyalty is to money, and these actors will gravitate towards whatever is the easiest path to that. We would expect the same shift if a different group like LockBit 3.0 or ALPHV were doxxed, with those actors moving to other groups that would allow them to make money as quickly and easily as possible.”
Illumio, the zero-trust segmentation provider, has launched a new zero-trust assessment program. It evaluates the impact zero-trust initiatives are having on organizations via a self-guided tool or alongside an Illumio security expert.
By answering a few questions, respondents will receive a written assessment of their organization’s zero trust maturity, including zero trust technology investments.
Raghu Nandakumara is Illumio’s head of industry solutions.
“Today, cyberattacks are the norm and no organization, of any size, in any industry, is immune,” he said. “As more organizations look to zero trust to bolster business resilience, they must first discern where they are in their zero trust journey to properly allocate resources and determine which technologies are best suited for their unique business needs. The goal of this new assessment program is to help organizations better understand how mature their current zero trust program is, and to further articulate the power and promise of zero trust segmentation – a technology category and key pillar of zero trust designed to stop the spread of breaches across hybrid IT.”
This assessment can help drive more informed conversations between the partner and the prospect, Nandakumara said.
“The report that comes from the assessment helps security teams understand the specific impact zero trust and segmentation could have on their company,” he said. “That means partners can have more productive follow-up conversations and illustrate the value of zero trust segmentation more simply and effectively.”
There are many unknowns for organizations looking to get started with zero trust today, Nandakumara said.
“By equipping organizations with the questions they should be thinking about, our partners and customers are able to help prospects build better and more achievable zero trust plans, with custom guidance and data-driven insights,” he said.
Cybercriminals stayed busy during the first half of 2022 and the biggest cyberattacks involved big game ransomware attacks, increasingly sophisticated malware attacks and more.
Corey Nachreiner is WatchGuard Technologies’ CTO. We asked him about the biggest cyberattacks so far this year.
“To be honest, from just the big attacks, they continue to elevate, but at this point it’s more of the same,” he said. “I think in the past three to five years, we’ve just seen a lot of cyberattack activity. Unfortunately, it seems like cyberattacks and the whole having to defend against them is getting worse. So during 2021, it was very much the same thing, with lots of big-game ransomware happening and governments were already involved in attacks. We had seen a number of nation-states participating in … big attacks where they’re not just targeting other countries, they target private infrastructure in those countries as a way to get to governments in those countries.”
It’s no surprise that 2022 is continuing 2021 cyberattack trends, Nachreiner said.
“Yes, there are slightly different attacks here and there that have different ramifications, but it all follows the trend of 2021,” he said.
Bigger Year for Ransomware
In terms of ransomware, 2022 is shaping up to be the biggest year yet for attacks, Nachreiner said. In fact, the industry has already reached a grim milestone in 2022: ransomware so far this year already amounts to 80% of the total seen in all of 2021.
“It just seems like ransomware has the attention of threat actors again and not just the big game stuff they’re trying,” he said. “There are new ransomware-as-a-service (RaaS) variants that they’re spamming out to a lot of the world. So we’re definitely seeing in 2022 a resurgence in ransomware and a resurgence in malware attacks targeting office workers. And I think the second is probably very much based on some people returning back to the office. People are starting to return to office work … and we’ve seen malware follow it.”
John Bambenek is principal threat hunter at Netenrich. He said repeat victims Marriott and Experian stand out so far this year.
“I have joked the best time to be a CISO for a company is right after a breach, for about two years,” he said. “Checkbooks are open, organization change is possible, and board buy-in is assured. After two years, organizational inertia sets in and things drift back to its steady state. Experian in particular stands out considering the several issues they’ve had in the last few years that shows my joke may not be as true as I would hope.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.