Trellix finds business services top target of ransomware attacks
According to cybersecurity firm Trellix’s quarterly Threat Report: Summer 2022, released today, the line between ransomware gangs and nation-states continued to blur between Q4 2021 and Q1 2022. The Conti cyber gang in particular may be selecting targets based on a Kremlin wish list.
Conti, which publicly expressed allegiance to Russia in February, “seem to confirm the government is directing cyber criminal enterprises,” the report said.
Russia recorded a 490% increase in incidents reported during this same period.
“With increased cyber activity from Russia targeting Ukraine and other countries during the war, the spike in incidents targeting Russia is likely driven by counter attacks,” said Christiaan Beek, lead scientist and senior principal engineer at Trellix.
At 35%, the U.S. reported the most incidents overall. Of note is a lack of new malware tools being deployed since the start of the Ukraine invasion and war. While this may seem like good news, it may just be a matter of time before this changes.
“Adversaries know they are being watched closely; the absence of new tactics observed in the wild during the war in Ukraine tells us tools are being held back,” said Beek in a press release. “Global threat actors have novel cyber artillery ready to deploy in case of escalation, and organizations need to remain vigilant.”
On a positive note, the report found that fewer organizations are having to pay the full ransoms demanded by attackers.
Industries most targeted for ransomware attacks
Business services providers (64%) and telecoms (53%) were the most targeted industries for ransomware attacks.
“The telecom sector often scores high in our data,” said Beek. “It doesn’t necessarily mean this sector is highly targeted.”
This is because the telecom sector includes ISPs (internet service providers) that own IP address spaces. Detections from an ISP’s IP address space show up as telecom detections, but the affected party could be one of the ISP’s clients in a completely different industry.
Healthcare continues to be an industry under threat, although the report did note that attackers are not going after medical devices such as IV pumps “… but this doesn’t mean we can relax.”
Top ransomware queries and families used
Cobalt Strike was used in 32% of the top 10 U.S. ransomware queries in the first quarter of 2022. The next most prevalent tools were RCLONE (12%), BloodHound (10%) and Bazar Loader (10%).
Lockbit was the most prevalent ransomware family; it was used in 26% of the top 10 queries in the U.S. in Q1 2022, ahead of Conti (13%), BlackCat (11%) and Ryuk (10%), the report said.
Overall, ransomware family detections were down considerably between the fourth quarter of 2021 and the first quarter of 2022. Lockbit was down 44%, Conti 37% and Cuba 55%.
Critical infrastructure under increased threat
Because industrial control systems and building access control systems are old and not often or easily updated, they are increasingly common targets. HID Mercury, a ubiquitous control panel used across the industry in access control solutions, is particularly vulnerable.
Trellix uncovered four zero-day vulnerabilities and four previously patched vulnerabilities that were never published as CVEs (Common Vulnerabilities and Exposures). By exploiting them, attackers could run code, reboot systems, and perform tasks such as remotely locking and unlocking doors, all while avoiding detection by the management software.
“According to a study done by IBM in 2021, the average cost of a physical security compromise is $3.54M and takes an average of 223 days to identify a breach,” Trellix’s report said. “The stakes are high for organizations that rely on access control systems to ensure the security and safety of facilities.”
Email security trends
Most malicious emails contain a phishing URL used to redirect users to a credential-stealing webpage or to trick victims into downloading malware, the report said. Emails with malicious attachments, such as documents and executables like infostealers and trojans, were also common.
The common malware families being deployed in the first quarter of 2022 were Phorpiex, Electron Bot, RedLine Stealer, Agent Tesla and Remcos RAT.
Nations under threat
In the countries where Trellix has customers, 31% of the Q1 2022 nation-state activity targeted Turkey, followed by Israel with 18%, the U.K. with 11%, Mexico with 10% and the U.S. with 8%.
The most active nation-state actor in the quarter was APT36, an advanced persistent threat actor most likely backed by the Pakistani government and primarily targeting defense organizations in India. It was followed by China’s APT27 and Russia’s APT28 and APT29, said Beek.
“Organizations must be vigilant of the pervasiveness of cyberattacks to protect against the latest threats in real time,” said Beek. “We highly urge every organization to take close note of ransomware TTPs [tactics, techniques and procedures], especially if they have already determined state-sponsored groups are likely to target them.”
About the report
The threat report uses proprietary data from Trellix’s network of over one billion sensors, open-source intelligence and Trellix Threat Labs investigations into prevalent threats like ransomware and nation-state activity. A detection occurs when a file, URL, IP address, suspicious email, network behavior or other indicator is detected and reported via the Trellix XDR ecosystem.