Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third Party Organizations
Ransomware remains a serious threat to organizations, Deep Instinct, a New York-based deep learning cybersecurity specialist, said in its recently released 2022 Interim Cyber Threat Report.
It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.
Ransom Gangs Changing Tactics
Here are the report’s key findings:
- Changes in ransomware gangs, including LockBit, Hive, BlackCat, and Conti. The latter has spawned “Conti Splinters” made up of former affiliates Quantum, BlackBasta, and BlackByte.
- Significant changes to tactics by Emotet, Agent Tesla, NanoCore, and others. For example, Emotet uses highly obfuscated VBA macros to avoid detection.
- The use of documents for malware has decreased as the top attack vector, following Microsoft’s move to disable macros by default in Microsoft Office files. Threat actors have already pivoted to other methods such as LNK, HTML, and archive email attachments.
- Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlighted the exploitability of both Windows and Linux systems despite efforts to enhance their security.
- The number of exploited in-the-wild vulnerabilities spikes every 3-4 months. The next spike is expected to occur by the end of the year.
- Threat actor groups are extending data exfiltration attacks to demand ransoms from third-party companies if the leaked data contains their sensitive information.
What the Future Holds
The report also makes three predictions:
- More inside jobs. Malicious threat actors look for the weakest link, which is often in the supply chain. Groups like Lapsus$ do not rely on exploits but instead look for insiders who are willing to sell access to data within their organization.
- Rise of protestware. Look for a spike in protectware, which is self-sabotaging one’s software and weaponizing it with malware capabilities in an effort to harm all or some of its users. The war between Russia and Ukraine has caused a surge in protestware.
- End of year attacks. While no major vulnerability in 2022 has emerged similar to the Log4J or the Exchange cases in 2021, there is an increase year-over-year in the number of publicly assigned CVEs for reported vulnerabilities. For now, threat actors are still exploiting old vulnerabilities during 2022 simply because there is a plethora of unpatched systems for 2021 CVEs but that will change.
Mark Vaitzman, Threat Lab team leader at Deep Instinct, warned organizations to be on their guard:
“2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defenses. Defenders must continue to be vigilant and find new approaches to prevent these attacks from happening.”