Ransomware-Related Data Leaks Jump 82% in 2021

Despite the best efforts by law enforcement, data leaks related to ransomware climbed 82 percent in 2021 over the previous year, according to the 2022 CrowdStrike Global Threat report released Tuesday.

In 2021, the report identified 2,686 attacks, compared to 1,474 in the previous year.

Feeding the increase in data snatching, the report noted, was an increase in “Big Game Hunting” — broad, high-visibility attacks that “ripped across industries, sowing devastation and sounding the alarm on the frailty of our critical infrastructure.”

“The growth and impact of BGH in 2021 was a palpable force felt across all sectors and in nearly every region of the world,” the report maintained. “Although some adversaries and ransomware ceased operations in 2021, the overall number of operating ransomware families increased.”

According to the report, one of the drawbacks for criminal elements engaged in BGH is the attention the attacks draw to their perpetrators.

Increased media and law enforcement attention after the Colonial Pipeline and JBS Foods incidents resulted in a reduction in data leaks and access broker advertisements, the report revealed.

“However,” the report added, “one key theme highlighted throughout 2021 is that adversaries will continue to react and move operations to new approaches or malware wherever possible, demonstrating that the ever-adaptable adversary remains the key threat within the eCrime landscape.”

Living Off the Land

The report also noted that many threat actors have moved beyond malware to succeed in their malicious goals.

Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, the report observed. Rather, they have been observed using legitimate credentials and built-in tools — an approach known as “living off the land” — in a deliberate effort to evade detection by legacy antivirus products.

Of all detections indexed by the CrowdStrike Security Cloud in the fourth quarter of 2021, it added, 62 percent were malware-free.

Davis McCarthy, a principal security researcher at Valtix, provider of cloud-native network security services in Santa Clara, Calif. agreed that adversaries are increasingly “living off the land.”

“They’re running common sysadmin commands, and then manually installing ransomware,” he told TechNewsWorld. “Malware is still used in their campaigns, but the delivery method is more creative — like the SolarWinds attack.” In that attack, malware was injected into a software upgrade that was distributed by the company to its customers.

Avoiding Red Flags

While malware may be part of an attack, threat actors don’t have to rely on it as much anymore for initial access, maintained Hank Schless, senior manager for security solutions at Lookout, an endpoint security provider in San Francisco.

Adversaries have moved toward either compromising account credentials or finding vulnerable apps and servers as their point of entry, he explained.

“Access with legitimate credentials allows the attacker to enter an organization’s infrastructure under the guise of being a known user, which decreases the likelihood of raising any red flags,” he told TechNewsWorld.

Credentials are frequently stolen through phishing campaigns targeting users on mobile devices,” he continued. “On smartphones and tablets, attackers have countless ways of socially engineering individuals over SMS, third-party chat platforms and social media apps.”

He added that initiating access through vulnerable apps and servers is another way for attackers to be able to quietly enter the infrastructure through an open door.

“The risk of that happening is equal across cloud infrastructure, SaaS apps, private apps and web-facing servers,” he said. “With such a complex ecosystem of hybrid resources, it can be incredibly difficult for IT and security teams to have visibility into where vulnerabilities exist across the infrastructure.”

Lock and Leak

Although malware usage may be declining overall, there are some niches where it’s increasing, asserted Chris Hauk, a consumer privacy champion at Pixel Privacy, a publisher of consumer security and privacy guides.

“Recent reports say that malware attacks are increasing in volume and complexity in some cases, particularly against Linux servers and cloud infrastructure, as they are many times poorly managed and misconfigured,” he told TechNewsWorld.

The report noted that nearly half of all intrusion activity (49 percent) during the year was related to financially-motivated eCrime. It also identified a number of themes among nation-state adversaries.

For example, threat actors based in Iran were using ransomware combined with “lock-and-leak” disruptive information operations, where an attacker not only encrypts a target’s data to collect a ransom, but steals the data, too, to either sell on the dark web or force the original target to pay to get the data back.

McCarthy explained that “lock-and-leak” is gaining popularity in the ransomware community. “Ransomware operators are shifting their tactics in response to the enterprise having adequate backups of their data,” he said. “Leaking data can be just as damaging as losing it for an organization.”

Such operations do seem to be growing in popularity among bad actors, because they can double-dip when it comes to receiving a ransom, Hauk observed. They can collect a ransom for unlocking the data, then demand an additional payment for preventing the release of data to outsiders.

“If the victimized company refuses to pay the second ransom,” he said, “the bad guys can still score a payday by possibly selling the stolen information to other bad actors.”

Targeting CSPs

Meanwhile, threat actors connected to China have become leaders in exploiting vulnerabilities. The number of China-nexus actors deploying exploits for new vulnerabilities was at a significantly elevated rate in 2021, when compared to 2020, the report noted.

CloudStrike also noticed a change in tactics by Chinese adversaries. “For years, Chinese actors relied on exploits that required user interaction,” the report explained, “whether by opening malicious documents or other files attached to emails or visiting websites hosting malicious code.”

“In contrast,” it continued, “exploits deployed by these actors in 2021 focused heavily on vulnerabilities in internet-facing devices or services.”

Cloud service providers were a preferred target of an adversary called Cozy Bear connected to Russia. During the year, the report found the group expanded its targeting of IT to cloud service providers in order to exploit trusted relationships and gain access to additional targets through lateral movement.

Cloud-based applications will be attracting more ransomware attacks soon, contended Adam Gavish, co-founder and CEO of DoControl, a provider of data access monitoring, orchestration, and remediation across SaaS applications in New York City.

“With the surge of cloud adoption, attackers have put SaaS applications in the crosshairs,” he told TechNewsWorld. “Weaponizing the many vulnerabilities that exist with SaaS applications is the next phase of advanced ransomware attacks.”

In 2021, CrowdStrike Intelligence observed adversaries continue to adapt to security environments impacted by the ongoing COVID pandemic, the report noted. These adversaries are likely to look at novel ways in which they can bypass security measures to conduct successful initial infections, impede analysis by researchers and continue tried-and-tested techniques into 2022.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels