Record number of attacks and growth of almost 120 percent in double extortion
Zscaler, Inc. (NASDAQ: ZS), a leader in cloud security, publishes the results of the annual ThreatLabZ Ransomware Report, which shows an 80 percent increase in ransomware attacks compared to the previous year. The most common ransomware trends in 2022 include double extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geopolitically motivated ransomware attacks. The report analyzes a year's worth of data from the world's largest security cloud, which processes more than 200 billion transactions and blocks 150 million attacks daily via the Zscaler Zero Trust Exchange platform. The study shows which industries are most targeted by cyber criminals, explains the damage caused by double extortion and supply chain attacks, and catalogs the active ransomware groups.
The manufacturing sector was the most affected for the second year in a row; the healthcare sector recorded the largest jump in ransomware attacks, with an increase of almost 650 percent.
The most important results at a glance:
- Ransomware attacks have increased by 80 percent compared to the previous year, and eight of the eleven largest ransomware families are distributed via ransomware-as-a-service.
- Almost every fifth ransomware attack targets companies in the manufacturing industry, making this industry the most frequently affected for the second year in a row.
- The healthcare sector saw a 650 percent increase and the restaurant and catering industry a 450 percent increase, making them the sectors with the largest growth in ransomware attacks compared to 2021.
- Ransomware families are giving themselves new names to evade law enforcement and continue to infect businesses.
- Ransomware attacks through supply chains multiply the damage and allow attackers to bypass traditional security controls.
The Russia-Ukraine war is accompanied by an increase in ransomware used in combination with other attack techniques, such as the pairing of PartyTicket ransomware with HermeticWiper malware.
“Modern ransomware attacks only require a single successful compromise of an asset in order to gain access to a network and spread laterally there. Especially older VPNs and flat network architectures pose a great danger. Attackers successfully search for vulnerabilities in the supply chains of companies, as well as critical vulnerabilities such as Log4Shell, PrintNightmare and others. Since ransomware-as-a-service is available on the Darknet, more hackers are turning to ransomware. They realize that the chances of a big foray are good for them,” explains Deepen Desai, CISO of Zscaler.
The tactics and scope of ransomware attacks are constantly evolving. However, the overarching goal still remains the disruption of a company's business operations and the theft of sensitive information for ransom extortion. The amount of the ransom often depends on the number of infected systems and the value of the stolen data: the higher the stake, the higher the demanded payment. In 2019, many ransomware groups updated their tactics and incorporated data theft before encrypting the files, which is called double extortion. A year later, some groups added another layer of attack with distributed denial of service (DDoS) tactics, which bombard the victim's website or network with requests in order to disrupt business operations and thus pressure the victim into negotiating with the extortionists.
The most dangerous ransomware trend this year is supply chain attacks, which target suppliers and their business relationships and connections, as well as shared files, networks or solutions, in order to attack the customers of that supplier as a second stage. ThreatLabZ also found an almost 120 percent increase in victims of double extortion ransomware attacks, in which stolen data was published on the attackers' leak sites.
For the second year in a row, companies in the manufacturing industry were the most affected: almost one in five ransomware attacks was directed against manufacturers. However, the number of attacks on other industries is growing rapidly. The growth rate of attacks on the healthcare sector was particularly striking, with the number of double extortion attacks increasing by almost 650 percent compared to 2021. This was followed by the catering industry, which recorded a ransomware increase of over 450 percent.
As a result of the growing attention that ransomware attackers have received from governments around the world, many groups have disbanded and re-formed under a different name. For example, DarkSide was renamed BlackMatter, DoppelPaymer was renamed Grief, and Rook was renamed Pandora. However, the threat potential emanating from these groups has not changed, as tactics have also been adapted in many cases. Many of these groups have changed their business model and are now offering tools for sale on the Dark Web and increasing their scope through ransomware-as-a-service.
Earlier this year, in response to the economic sanctions imposed on Russia, the US government issued a statement warning of malicious cyber attacks on the US. The statement called for immediate measures to strengthen the defenses of public and private organizations. Other states on the side of Ukraine have issued similar warnings. In this context, ThreatLabZ has identified attacks in which the ransomware PartyTicket and the malware HermeticWiper were used against Ukraine. In addition, the Conti threat group carried out attacks against various government entities, and the ThreatLabZ team will continue to monitor these geopolitical developments.
Desai continues: “In order to minimize the likelihood of foreign intrusion and the damage of a successful ransomware attack, companies must apply defense-in-depth strategies. These include the reduction of the attack surface, the introduction of a zero trust architecture including access control based on least privilege, as well as the continuous monitoring and verification of data in all environments.”
Companies that want to mitigate the continuous risks of ransomware and double or triple extortion attacks should consider the following important preventive measures to harden the network. The Zscaler Zero Trust Exchange integrates defense measures against ransomware in a holistic approach that interrupts every phase of a possible attack and minimizes the damage:
- Prevent compromise with consistent security policies: full SSL inspection, browser isolation, inline sandboxing and policy-driven access control prevent access to malicious websites.
- Eliminate lateral movement by removing applications from the Internet and implementing a Zero Trust Network Access (ZTNA) architecture: users are connected directly to applications and not to the network, limiting the blast radius of an attack.
- Shut down compromised users and insider threats: by combining inline application inspection and built-in deception features, attackers are detected, tricked and stopped.
- Prevent data loss: theft by hackers is prevented by using up-to-date software and training, inline data loss prevention, and inspection of data both in motion and at rest.
For more details on how to protect against ransomware and threats, as well as how to develop a ransomware incident response plan, see the full 2022 ThreatLabZ State of Ransomware Report.
The ThreatLabZ team analyzed data from the Zscaler Zero Trust Exchange, which secures over 200 billion transactions worldwide and blocks 150 million threats every day. ThreatLabZ analyzed one year of global ransomware data from the Zscaler Cloud, along with information from external sources, covering February 2021 to March 2022, to identify key trends, vulnerable industries and regions, and new tactics.