Trend
Ransomware
2022 brought significant developments to the ransomware ecosystem, but the basic–and detectable–adversary behaviors remain the same.
Pairs With This Song
Threat Sounds
The original blink-182 lineup got back together in 2022, and so did several former Conti ransomware operators, operating under new names such as Black Blasta and Quantum.
Analysis
The ransomware landscape continued to shift in 2022. While some metrics suggested that ransomware was less prevalent, other metrics suggested that ransomware was more prevalent for specific sectors. The community observed new ransomware groups popping up, while others disappeared. Regardless of the exact numbers, ransomware continues to be one of the most pressing threats to every organization.
A visibility challenge
A major challenge with ransomware is that no one sees all ransomware intrusions, so no one knows how bad the problem really is. From Red Canary’s perspective, we didn’t see much ransomware in 2022—no ransomware group made it into our top 20 threats, and we saw fewer ransomware incidents as compared to 2021. However, that reflects our visibility rather than the true prevalence of ransomware. As with any intrusion, ransomware doesn’t come out of thin air—it’s part of a larger chain of events, as depicted in this diagram.
We focus on trying to detect ransomware precursor activity in the initial access, reconnaissance, and lateral movement phases and help our customers stop it before it gets to exfiltration or encryption. The result is that we see many more so-called ransomware precursors than we do actual ransomware payloads. In fact, eight out of our top 10 threats are regularly observed during early stages of ransomware intrusions.
Top ransomware precursors
Red Canary observes some later-stage ransomware intrusions that involve encryption, but these usually come to us through incident response (IR) partners who are called in after an organization realizes they have a ransomware intrusion and then bring Red Canary in for further monitoring and detection. Across the board, our partners reported a drastic decrease in new reported ransomware cases as compared to 2021. While the reason for this is unclear, one possible factor is the higher barrier to obtaining cyber insurance policies in 2022 due to the prevalence of ransomware-related claims. If fewer organizations have cyber insurance due to challenges obtaining it, fewer IR firms may be called in to respond to ransomware intrusions. This change in IR firm visibility may have contributed to the decrease in Red Canary’s visibility of ransomware in 2022.
What we can say is that ransomware continues to cause significant damage. Since none of us have perfect visibility, it’s important to also look at the visibility others have into the ransomware ecosystem. Recorded Future’s analysis of ransomware group leak sites demonstrates that ransomware is still prevalent. Additionally, significant ransomware attacks in 2022 such as the ones against the Costa Rican government and the Los Angeles School District also demonstrate that ransomware remains an impactful threat.
Affiliate model
One challenge in tracking and responding to ransomware intrusions is that different adversaries are often involved at different phases of the intrusion. As depicted in the below diagram, one adversary might be in charge of initial access, and then pass that access to a different adversary to continue the intrusion.
This makes tracking ransomware groups even more difficult, as intrusions can be a “mix and match” of different affiliates providing access to different ransomware groups. Throughout 2022, ransomware groups continued to rely on affiliates to give them initial access to an environment before they stole or encrypted files. Our partners at Microsoft have an excellent breakdown of this ecosystem we recommend for further reading.
Renaming
We observed many of the same malware families that were previously “ransomware precursors” continue to lead to ransomware—however, they often led to different ransomware families than in previous years. As we’ve observed over the past several years, ransomware groups continued to “disappear” from existence under one name, often followed by another group under a new name appearing with similar tools and TTPs.
| Malware family (precursor) | 2021 ransomware group | 2022 ransomware group |
|---|---|---|
| Malware family (precursor): | 2021 ransomware group : Conti | 2022 ransomware group: Black Basta |
| Malware family (precursor): | 2021 ransomware group : Conti | 2022 ransomware group: Quantum |
| Malware family (precursor): Zloader/BATLOADER | 2021 ransomware group : Conti | 2022 ransomware group: |
As this table shows, a significant ransomware development in 2021 was the fall of Conti and the rise of other ransomware groups. Many researchers assess that groups like Black Basta have some relationship to Conti based on similarities between tools and techniques, suggesting operators may have simply started operating under a different name after Conti gained widespread law enforcement scrutiny.
Extortion without encryption
As we discussed in last year’s report, adversaries aren’t just encrypting data anymore, they’re stealing it as well and demanding payment or they will leak the data. This shift toward exfiltration and extortion, often without encryption at all, continued in 2022. Notably, the extortion group known as LAPSUS$/DEV-0537 conducted multiple high-profile intrusions against large organizations such as Nvidia and Okta. These intrusions were particularly notable because the adversaries stole data and threatened companies with its release if they didn’t pay—but unlike traditional ransomware, they never encrypted data. This “extortion-only” approach is significant because it changes how organizations need to think about this category of threat. LAPSUS$-style TTPs are also significantly different from traditional ransomware operators, with use of techniques like MFA bypass or even insider recruitment to obtain credentials, which influences how organizations need to think about detection and response.
Take action
Though the ransomware ecosystem certainly changed in 2022, the good news for defenders is that the techniques these adversaries use often remain the same. While there is no single silver bullet to preventing ransomware, the tried-and-true guidance of patching known vulnerabilities is a solid approach to preventing initial access, as many ransomware intrusions start this way. If an organization can’t keep up with patching all vulnerabilities, prioritizing based on something like CISA’s Known Exploited Vulnerabilities catalog may be helpful.
As LAPSUS$-style TTPs are being used by extortion groups, organizations should also consider how they could prevent techniques like MFA bypass. Implementing strong Conditional Access and MFA policies is the best mechanism to combat this technique. Preventing users from using SMS or phone calls for MFA is recommended and implementing a FIDO2 key or authenticator app with number matching or similar is preferred, as outlined here.
Detection opportunities
When it comes to detecting ransomware, the earlier you detect it, the better. While you may not be able to prevent initial access, having detection in depth along multiple intrusion phases will increase the likelihood of identifying ransomware precursors before the intrusion gets to exfiltration or encryption. We encourage you to check out the following other TDR pages for detection opportunities along multiple precursor phases prior to exfiltration or encryption:
- Initial Access: Qbot, SocGholish, Raspberry Robin
- Reconnaissance: BloodHound
- Credential Dumping: Mimikatz, LSASS Memory
- Lateral Movement: Cobalt Strike, Impacket, Ingress Tool Transfer
As adversaries conduct discovery about the environment, we’ve found they regularly perform similar commands. The following detection analytic can help identify nltest behavior that helps an adversary learn more about domain trusts. Of course, if this is a command that is commonly run in your environment, you’ll need to tune it, but in our experience nltest is fairly uncommon.
command == ('nltest /domain_trusts')If the activity makes it all the way to ransomware, the following detection analytic reliably identifies adversaries deleting volume shadow copies. This is something we see the majority of ransomware groups do if they encrypt data and cause impact. While this is a detection of “last resort,” if you detect at this point and act quickly, you may be able to prevent further lateral movement and encryption.
command == ('vssadmin.exe delete shadows')Testing
The best strategy for testing your defenses against ransomware is actually to emulate and test your ability to detect the precursors that commonly deliver ransomware as a later stage payload. Likewise, consider exploring the testing sections in this report for:
In addition to that, T1490: Inhibit System Recovery includes relevant tests for deletion of volume shadow copies and T1482: Domain Trust Discovery includes tests that leverage the nltest command to discover information about domain trust relationships.