The onslaught of ransomware attacks in 2020 and 2021 has proven that current cyber defense methods are no longer effective. In 2022 we will see a shift in thinking among security leaders and advocates that will help slow the growth of attacks.
Historically, defenders have focused on protecting specific entry points, tracking a single threat associated with criminal activity, such as phishing campaigns, unpatched firewalls, Microsoft Exchange vulnerabilities, and so on. But the introduction and rapid growth of Ransomware-as-a-Service (RaaS) since 2019 has allowed ransomware groups to greatly expand their targets, increasing the threat and leaving organizations vulnerable from multiple angles. This makes the traditional way of thinking about protection much less effective.
RaaS allows newer threat actors to easily launch ransomware attacks, while giving more experienced groups a chance to profit from their “affiliates.” The affiliate system has turned ransomware into a hot-swappable market, allowing syndicates to jump around and use different tactics to gain access to a target’s system. If Conti is turned off, partners can go straight to BitLocker. If this is stopped, they can join BlackMatter or one of the other RaaS offerings advertised on underground forums. The fluidity of affiliates—some belonging to multiple RaaS offerings simultaneously—means that ransomware is difficult to track using current methods.
In 2022 we will expand the way we think about ransomware actors. They are not one homogenous group, but rather a collective of dozens of independent threats working in cooperation. Defenses will expand to track individual partners regardless of which ransomware they deploy. There’s a growing mantra in the information security space that it’s never a good idea to name threat actors after the tools they use, because the tools and actors are so fluid. We will eventually fix this.
While many ransomware threat actors are based in Russia, we are also seeing an increase in attacks coming from China. The market will continue to diversify as more cybercriminals see ransomware as a lucrative business and the affiliate system makes entry easier. From January to July 2021, ransomware attacks came through phishing campaigns, Remote Desktop Protocol, Citrix, Pulse Secure VPN and others, all used in different ways. The variety of attack vectors is vast, and the list of vulnerabilities will continue to grow as threat actor methods advance and exploitable weaknesses are discovered. This requires organizations to adopt a comprehensive defense strategy that protects all possible entry points, rather than devoting resources to blocking what they see as the biggest threat at the moment.
This is a methodology that is already recommended by security experts, and in 2022 this approach will gather momentum, becoming increasingly urgent. Companies' budget constraints often make it difficult to implement multiple large security upgrades quickly and simultaneously, but organizations that choose incremental changes will put themselves at risk. By the time one vulnerability is patched, ransomware actors will have found access through another route.