CISA Alert AA22-040A – 2021 trends show increased globalized threat of ransomware.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Zero Four Zero Alpha.

Original release date: February Ninth, twenty twenty two.

In 2021, cybersecurity authorities in the US, Australia, and the UK observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations. CISA, the FBI, and NSA observed incidents involving ransomware against 14 of the 16 US critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. 

Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.

Phishing emails, RDP exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents. Once a ransomware threat actor has achieved code execution on a device or network access, they can deploy ransomware. 

The market for ransomware became increasingly “professionalized” in 2021, and the criminal business model of ransomware is now well established. In addition to their increased use of ransomware-as-a-service, ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals.

Ransomware groups have increased their impact by targeting cloud systems and managed service providers; attacking industrial processes; attacking the software supply chain; and targeting organizations on holidays or weekends.

The cybersecurity authorities of the US, Australia, and the UK recommend network defenders apply the mitigations listed in the alert documentation to reduce the likelihood and impact of ransomware incidents. A link to this advisory and other resources can be found in the show notes.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.