CISA Releases Joint Cybersecurity Advisory on Ransomware Trends and Recommendations in 2021


In early February, the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a joint cybersecurity advisory observing “an increase in high-impact, sophisticated ransomware incidents against critical infrastructure organizations globally” in 2021. The report, which was co-authored by cybersecurity authorities in the United States (CISA, the Federal Bureau of Investigation and the National Security Agency), Australia (the Australian Cyber Security Centre) and the United Kingdom (the National Cyber Security Centre), points out that the continuing evolution of ransomware tactics and techniques over the past year “demonstrates the growing technological sophistication of ransomware threat actors and an increased threat of ransomware to organizations globally.”

The joint report provides technical details regarding observed behaviors and trends of ransomware actors, mitigation recommendations for network defenders to reduce their risk of ransomware compromise, and step-by-step guidance for responding to ransomware attacks.

Ransomware trends. The report details a variety of behaviors and trends that cybersecurity authorities have observed among cybercriminals over the past year.

  • Gaining network access: The top three “initial infection vectors” for ransomware incidents in 2021 remained phishing emails, exploitation of Remote Desktop Protocol (RDP), and exploitation of software vulnerabilities.
  • Using cybercriminal services for hire: The ransomware market became more sophisticated in 2021, as ransomware threat actors not only increasingly used ransomware as a service, but also “employed independent services to broker payments, assist victims to make payments and arbitrate payment disputes between themselves and other cybercriminals.” The advisory noted that this business model “often makes it difficult to attribute” ransomware incidents to a specific threat actor or actors.
  • Sharing information about victims: Ransomware groups in Eurasia shared victim information with each other, including selling access to victim networks, which diversified the threat to the targeted organizations.
  • Moving away from “big game” hunting in the United States: US authorities observed that during 2021, some cybercriminals shifted their ransomware efforts from large organizations, including those providing critical services, to medium-sized victims after several highly publicized incidents resulted in scrutiny and disruption by government authorities. However, authorities in Australia and the UK observed that ransomware threat actors continue to target organizations of all sizes.
  • Diversifying approaches to extorting money: Ransomware threat actors increasingly used “triple extortion” methods in ransomware incidents by “threatening to (1) publicly disclose stolen sensitive information, (2) disrupt the victim’s Internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident.”
  • Increasing their impact: Authorities observed that cybercriminals increased the scale and disruptive nature of their attacks by targeting cloud infrastructures (including cloud providers themselves), managed service providers (MSPs), industrial processes (including code designed to shut down critical infrastructure or industrial processes) and the software supply chain, as well as by carrying out attacks on holidays and weekends. The authorities behind the alert estimated that “there will be an increase in ransomware incidents where threat actors target MSPs to reach their customers.”

Mitigation recommendations. The CISA advisory identified five “immediate actions” that entities can “take now to protect against ransomware”:

  • Update your operating system and software.
  • Implement user training and phishing exercises to raise awareness of the risks of suspicious links and attachments.
  • If you are using Remote Desktop Protocol (RDP), secure and monitor it.
  • Make an offline backup of your data.
  • Use multi-factor authentication (MFA).

The report also states that network defenders can “reduce the likelihood and impact of a ransomware incident” by taking the following steps (some of which mirror CISA’s immediate actions listed above):

  • Keep all operating systems and software up-to-date, including prioritizing known exploited vulnerabilities and automating software security scanning and testing where possible;
  • Secure and closely monitor RDP or other potentially risky services, including external connections to third-party providers;
  • Implement a user training program and phishing exercises;
  • Require multi-factor authentication for as many services as possible, “especially for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups;”
  • Require all accounts with password logins (for example, service account, administrator accounts, and domain administrator accounts) to have strong and unique passwords;
  • If you are using Linux, use a Linux security module (such as SELinux, AppArmor, or SecComp) for defense in depth; and
  • Protect cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.

The report further recommends that network defenders can “limit an adversary’s ability to learn an organization’s business environment and move laterally” by taking the following steps:

  • Segment networks;
  • Implement end-to-end encryption;
  • Identify, detect and investigate anomalous activity and potential lateral movement of the ransomware with a network monitoring tool;
  • Document external remote connections;
  • Implement time-based access for privileged accounts;
  • Enforce the principle of least privilege through authorization policies;
  • Reduce exposure of credentials;
  • Disable unnecessary command line utilities; limit scripting activities and permissions, and monitor their use;
  • Maintain offline (i.e. physically disconnected) data backups and regularly test backup and restore;
  • Ensure that all backup data is encrypted, immutable (i.e. cannot be modified or deleted) and covers the entire data infrastructure of the organization; and
  • Collect telemetry from cloud environments.
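The advisory’s “secure and monitor RDP” and “detect and investigate anomalous activity” recommendations are easiest to picture as a concrete check. The script below is an added example written for this post; it is not code from the advisory or from CISA, and the log lines it reads are constructed for illustration in a simplified form of Windows Security logon events (EventID 4624/4625, LogonType 10 for RDP). It assumes that anything outside RFC 1918 address space is “external” and that five or more failed RDP logons from one source address warrant investigation; both thresholds are placeholders to adapt to your own environment.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines for this example (not from the advisory). Each line is a
# simplified Windows Security logon event: EventID 4624 = success, 4625 = failure;
# LogonType 10 is RemoteInteractive, i.e. an RDP session. Addresses come from the
# documentation ranges (198.51.100.0/24, 203.0.113.0/24) and private space.
SAMPLE_LOGS = """\
2021-11-26T02:14:07Z EventID=4624 LogonType=10 Account=CORP\\alice Source=10.20.30.40
2021-11-26T02:15:11Z EventID=4625 LogonType=10 Account=CORP\\administrator Source=198.51.100.7
2021-11-26T02:15:12Z EventID=4625 LogonType=10 Account=CORP\\administrator Source=198.51.100.7
2021-11-26T02:15:14Z EventID=4625 LogonType=10 Account=CORP\\backup_admin Source=198.51.100.7
2021-11-26T02:15:16Z EventID=4625 LogonType=10 Account=CORP\\svc_sql Source=198.51.100.7
2021-11-26T02:15:19Z EventID=4625 LogonType=10 Account=CORP\\helpdesk Source=198.51.100.7
2021-11-26T02:16:02Z EventID=4624 LogonType=10 Account=CORP\\helpdesk Source=198.51.100.7
2021-11-26T02:20:45Z EventID=4624 LogonType=3 Account=CORP\\bob Source=10.20.30.41
2021-11-26T02:22:03Z EventID=4624 LogonType=10 Account=CORP\\bob Source=192.168.5.9
"""

# Assumption: internal address space is the RFC 1918 ranges; adjust for your network.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
RDP_LOGON_TYPE = "10"
FAIL_THRESHOLD = 5  # placeholder: failed RDP logons per source before flagging

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<src>\S+)$"
)


def is_internal(addr: str) -> bool:
    """True if addr parses as an IP inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable source: treat as not trusted
    return any(ip in net for net in INTERNAL_NETS)


def parse_events(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_external_rdp_logons(events: list) -> list:
    """Successful RDP logons whose source is outside the internal ranges."""
    return [
        (e["account"], e["src"])
        for e in events
        if e["event"] == "4624" and e["ltype"] == RDP_LOGON_TYPE and not is_internal(e["src"])
    ]


def find_rdp_spray_sources(events: list, threshold: int = FAIL_THRESHOLD) -> dict:
    """Sources with at least `threshold` failed RDP logons, with the count of
    failures and of distinct accounts tried (many accounts from one source is the
    typical password-spray shape)."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "4625" and e["ltype"] == RDP_LOGON_TYPE:
            failures[e["src"]].append(e["account"])
    return {
        src: {"failures": len(accts), "accounts": len(set(accts))}
        for src, accts in failures.items()
        if len(accts) >= threshold
    }


def analyze(text: str) -> dict:
    """Run both checks over a block of log text and return the findings."""
    events = parse_events(text)
    return {
        "external_rdp_logons": find_external_rdp_logons(events),
        "spray_sources": find_rdp_spray_sources(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOGS)
    for account, src in findings["external_rdp_logons"]:
        print(f"REVIEW: successful RDP logon for {account} from external source {src}")
    for src, info in findings["spray_sources"].items():
        print(f"REVIEW: {info['failures']} failed RDP logons from {src} "
              f"across {info['accounts']} accounts")
```

On the constructed sample the script reports one successful external RDP logon (the helpdesk account from 198.51.100.7) immediately after five failures from the same source against four different accounts, which is exactly the sequence an analyst would want surfaced. In a real deployment the same two checks would be expressed as SIEM rules over the actual 4624/4625 events rather than a regex over text, and the “internal” allowlist would be the organization’s VPN and jump-host ranges, not the whole of RFC 1918.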

The advisory also recommended that critical infrastructure organizations with industrial control systems or operational technology (OT) networks review the joint CISA-FBI cybersecurity advisory DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more recommendations. CISA’s mitigation recommendations align with steps cyber insurance policyholders can take to manage ransomware risk, as insurers have reduced their coverage in response to the increase in global ransomware attacks. For more information on recent trends in cyber insurance, see the recent Covington Alert, The “Ransomware Pandemic” – Is Your Business Insured?

Responding to ransomware attacks. Finally, the report recommends that organizations take the following steps if they are affected by a ransomware attack:

Cybersecurity authorities in the United States, Australia and the United Kingdom “strongly advise against paying ransom to criminal actors” because paying the ransom not only promotes the ransomware business model, but also does not guarantee the recovery of the victim’s files. In fact, the National Cyber Security Centre has urged UK regulators to consider banning insurance coverage for ransomware payments to deter ransomware attacks. For more information on cyber insurance trends in light of the rise in global ransomware attacks, see the recent Covington Alert, The “Ransomware Pandemic” – Is Your Business Insured?

Resources. The joint cybersecurity advisory also includes a list of resources that organizations dealing with cyber threats and evaluating cybersecurity best practices may find helpful, including: StopRansomware.gov, the CISA Ransomware Readiness Assessment, CISA cyber hygiene services, and information about the United States Department of State’s Rewards for Justice program.
