On February 9, 2022 the United States, United Kingdom, and Australia issued a joint Cybersecurity Advisory on the “Increased Globalized Threat of Ransomware” against critical infrastructure sectors (“Advisory”). The Advisory lists trends in cyber-criminal activity from the last year and also provides mitigation strategies and recommendations to reduce the risk of compromise and the impact of ransomware incidents.
The Advisory Illustrates That Critical Infrastructure Is A Global Target
Within the United States, the Advisory notes there have been ransomware attacks against “14 of the 16 U.S. critical infrastructure sectors,” including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. Australia reports targeting of sectors including Healthcare and Medical, Financial Services and Markets, Higher Education and Research, and Energy, while the United Kingdom notes Education is one of the top sectors targeted by ransomware actors.
While The Ransomware Model Remains Consistent, Criminals Are Exploring Additional Extortion Opportunities
The Advisory indicates that phishing, Remote Desktop Protocols (“RDP”), and exploited vulnerabilities continue to be key vectors for ransomware intrusion. It also notes that “professional” ransomware actors became increasingly common in 2021 and that ransomware threat actors may now use independent services to negotiate payments, assist victims with making payments, or even arbitrate payment disputes between themselves and other cyber criminals.
While the Advisory notes there may be a shift away from targeting “big game” organizations due to law enforcement pressure, the UK observed targeting of organizations of all sizes throughout the year. Importantly, there has been a notable increase in the use of “triple extortion”: threaten to (1) publicly release stolen sensitive information; (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident.
The Advisory Lists Common Ransomware Mitigation Steps
In a common governmental refrain, the Advisory discourages payment of the ransom on the grounds that this confirms the viability and financial attractiveness of the ransomware criminal business model. The Advisory does provide helpful reminders of mitigating steps that may help protect against these attacks. These include:
- Patch and update operating systems and software in a timely fashion.
- Eliminate or minimize use of RDP and require multi-factor authentication (“MFA”) and white listing for any RDP that is required.
- Implement a user training program and conduct phishing exercises.
- Require strong and unique passwords for all accounts, and MFA for as many services as possible.
- Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.
- Implement end-to-end encryption, detect and investigate abnormal activity, document external remote connections, implement time-based access for privileged accounts, maintain offline backups of data and regularly test backup restoration, and ensure all backup data is encrypted.
