Europol, the European Union Agency for Law Enforcement, recently issued the 2021 version of its Internet Organised Crime Threat Assessment (IOCTA).
The fact that cybercrime has been on the rise is old news; what is new in the IOCTA report is just how sharp that rise has been. The number of ransoms paid for ransomware attacks more than tripled between 2019 and 2020, with over $400 million forked over in Europe alone. The average payment more than doubled, from $115,123 in 2019 to $312,493 in 2020.
In last year’s report, Europol said that “cybercrime is an evolution not a revolution.” This year’s report qualifies that assertion, stating “the past 12 months have been a testament to the fact that exceptional circumstances accelerate that evolution.” By “exceptional circumstances” of course, they mean the Covid pandemic.
Cybercriminals’ modi operandi have changed significantly over the past year. In this post, we’ll look at how the tactics cybercriminals are using have evolved. In a later post we’ll look at how hackers’ tools have changed.
Expanded use of coercive methods
As we reported in our post on 2021 Ransomware Trends, extortion has become a common feature of ransomware attacks. Cybercriminals download data before encrypting the victim’s servers and then demand payment not only to unlock the server but also additional payment to ensure (or so they claim) that they will not sell the sensitive data.
Victims, however, are under increasing pressure to not pay ransoms, and some, such as government-funded organizations, are prohibited from doing so by law. Greedy cybercriminals have to some extent encouraged this resistance: Because some sell sensitive data even after victims have paid the ransoms demanded to keep them from releasing it, victims who have good backups may see little reason to pay up.
The new Europol report says cybercriminals have therefore upped the ante with additional extorsion techniques. They may contact the victim’s clients, employees, or business partners to alert them that their personal information will be sold on the dark web or released publicly if the victim doesn’t pay up. They might call, or threaten to call journalists, to publicize data breaches that victim prefer to keep under wraps.
Some perpetrators, especially those operating as part of organized crime networks, have been launching DDoS (Distributed Denial of Service) attacks to shut down the victims’ websites to legitimate users until ransoms are paid.
More calculated target selection
In the past, many ransomware attacks used spray-and-pray spam methodology, sending the same phishing email to thousands of companies or individuals in hope of hitting a jackpot.
Today’s cybercriminals are becoming much more strategic, focusing on targets that can afford to pay high ransoms and/or operate in areas where downtime can be very costly or damaging, and are therefore more incentivized to pay ransom to get back in business quickly.
Some cybercrime gangs are using human operators to research potential victims and target specific companies with tailored phishing and social engineering attacks.
Cybergangs are also intentionally avoiding certain targets in hopes of drawing too much attention from law enforcement. The DarkSide gang said it would moderate which targets it goes after in the wake of the high-profile Colonial Pipeline attack. Some ransomware that is available as a service has built-in restrictions that bar the software from being used against specific types of targets, such as social or governmental services, or targets located in the Commonwealth of Independent States.
The increasing sophistication of these ransomware tactics makes it even more risky to rely on user training as the primary protection against phishing and social engineering attacks. As the attacks grow more tailored to individual targets – and to the specific weaknesses and vulnerabilities of each one — it becomes increasingly likely that even trained users could fall victim and click on the wrong link or open the wrong file.
Zero Trust techniques such as Remote Browser Isolation (RBI), content disarm and reconstruction (CDR), and microsegmentation are the most effective ways to foil these types of attacks entirely or at a minimum, limit their severity. RBI confines active website code to virtual browsers that are isolated in the cloud and CDR cleanses files of malware before they are downloaded so that malware triggered by links in phishing mails or file attachments, or embedded within websites, can’t reach user devices or networks. Microsegmentation stops malware that does get in, through any attack vector, from spreading throughout the network.
Greater focus on the supply chain
The high-profile success of some supply chain attacks, such as the Solar Winds attack, has led many cybercriminals to focus on the rich potential of this delivery channel.
Once hackers have penetrated a company that digitally delivers solutions and updates to many customers, they can silently lurk within, researching which customers are the best targets and the optimal way to deliver malware via the initial target’s supply chain. Today, IT-infrastructures of diverse organizations are so fully intertwined that once one company’s supply chain has been breached, doors may be opened to other suppliers’ delivery chain, resulting in valuable “scalability” for cybercrime gangs.
Supply chain attacks are very difficult to detect and defend against once set in motion: every company depends on suppliers to deliver digital updates and enhancements and often, there is no good alternative to trusting suppliers. Doing due diligence on suppliers – making sure they have the appropriate Zero Trust tools in place to protect against cyber-attacks – is essential, but time and resource-intensive. Many organizations lack the bench strength to attend to their own cyber-defenses, much less those of suppliers.
Since defending against supply chain attacks can be difficult, it’s important to put measures in place that will minimize damage in the event of an attack.
Network protection and visibility tools can quickly identify threats and neutralize them. Microsegmentation limits hackers’ ability to move within your network if they do manage to get in.
Cybercriminals’ increasing sophistication is evident in their tactics as well as their target selection. Their technical sophistication is increasing as well, and they’re finding better ways to cover their tracks.
The best way to protect against sophisticated cyberattacks is to leverage equally sophisticated Zero Trust strategies for prevention, detection and mitigation, such as those available in the ZTEdge platform. With the growing prevalence of supply chain attacks, vendors that operate digital supply chains should be particularly diligent in ensuring that their cybersecurity protections are top-notch, to protect their own interests as well as their customers’ organizations.