Ransomware groups shift from big game hunting

Ransomware groups are redirecting focus from big game hunting as law enforcement action accelerates, according to a joint cybersecurity advisory from authorities in the United States, United Kingdom and Australia.

The Cybersecurity and Infrastructure Security Agency, along with the FBI, the National Security Agency, the Australian Cyber Security Centre and The National Cyber Security Centre co-published a blog Wednesday that detailed collective observations of ransomware trends in 2021. Two significant takeaways were a global increase in "sophisticated, high-impact ransomware incidents against critical infrastructure" and a decrease in "big game" targets.

As described in the advisory, "big game" organizations are "perceived high-value organizations and/or those that provide critical services."

While authorities in the U.S. and Australia observed attacks against these types of organizations in the first half of 2021 that yielded substantial payouts, including the Colonial Pipeline Co., JBS Foods and Kaseya Ltd., ransomware actors shifted tactics in the latter half of the year. The advisory attributes the shift to U.S. authorities disrupting ransomware groups in mid-2021. One example occurred in June, when the FBI seized back a portion of the ransom paid by Colonial.

"Subsequently, the FBI observed ransomware threat actors redirecting ransomware efforts away from 'big game' and toward midsized victims to reduce scrutiny," the advisory said.

CrowdStrike initially documented the use of big game hunting in 2018 and referred to it as "low-volume, high-return criminal activity." In 2019, the FBI issued a public service announcement warning of high-impact ransomware attacks against U.S. businesses and organizations. It highlighted a decline in "broad indiscriminate ransomware campaigns", but an increase in losses from ransomware attacks.

Since then, its use has both waned and grown, with an uptick during the pandemic of targets in the education, government and health sectors.

In response to increased law enforcement action, Ryan Olson, vice president of threat intelligence for Palo Alto Networks' Unit 42 group, told SearchSecurity that a self-selection process is likely to occur among threat actors.

"Bringing attention at that level isn't beneficial to business," Olson said. "They don't want to go to jail. They don't want to have public opinion shifted. They don't want the President talking about their attacks. There's no benefit to them being famous in that way."

While the U.S. observed a shift and the NCSC-UK saw "some big game victims," the ASCS saw the targeting of "Australian organizations of all sizes, including critical services and big game throughout 2021."

Among all three countries, significant attacks against critical infrastructures increased. Incidents involving ransomware affected 14 of the 16 U.S. critical infrastructure sectors last year.

"Although most ransomware incidents against critical infrastructure affect business information and technology systems, the FBI observed that several ransomware groups have developed code designed to stop critical infrastructure or industrial processes," the advisory said.

That aligns with a report by Dragos released last year that stated threats against critical infrastructure increased threefold in 2020. It cited several challenges in securing those types of organizations, including a lack of security teams and a suitable Common Vulnerability Scoring System.

Another notable trend identified in the advisory was sharing victim information.

"Eurasian ransomware groups have shared victim information with each other, diversifying the threat to targeted organizations," the advisory said.

One example occurred after BlackMatter ceased operations, which reportedly stemmed from pressure by local authorities. After it shut down, the group transferred its existing victims to infrastructure owned by another group, known as LockBit 2.0, according to the advisory.

"In October 2021, Conti ransomware actors began selling access to victims' networks, enabling follow-on attacks by other cyber threat actors," the advisory said.

Additional ways ransomware groups profited last year included targeting the cloud and managed service providers, along with attacks against the supply chain. Operators also took advantage of timing by targeting organizations on the weekends or holidays.

The joint advisory offered mitigation steps like maintaining up-to-date systems, implementing a training program and when it comes to the cloud, backing up to multiple locations and requiring multi-factor authentication for access and data encryption. The proper outlets to report ransomware incidents for all three countries was also listed.