As we wind down Q3, we see no letting up by threat actors with a series of high profile breaches dominating the headlines in September. Of concern is the increasing activity of Ransomware-as-Service (RaaS) offerings and threat actor activity. It’s little surprise that phishing and email remain significant threat vectors for ransomware actors, either to gain initial access, or to execute ransomware payloads.

Sign-up for our Threat Intel update to get this monthly update straight to your inbox. 

Key Takeaways

• Phishing attacks are in uncharted territory with over 1 million attacks reported for Q2 2022. Financial services and SaaS companies are among the most targeted.
• Phishing and email remain primary threat vectors for gaining initial access to carry out ransomware attacks.
• The Ransomware-as-a-Service (RaaS) gang activity continues its steady increase up by 63% in Q1 2022, as RaaS actors continue to diversify services and exploit kits, including mining exposed data to carry out second stage Business Email Compromise (BEC) campaigns.
• There is significant concern that corrupting of files will become a new modus operandi of Noberus aka BlackCat ransomware actors and affiliates over the usual encrypting of files.
• LockBit ransomware encryption code has been leaked, sparking concern for an increase in LockBit attacks.
• Ukraine has proven to be cyber resilient against Russian cyber attacks, largely as a result of recovering from previous significant breaches such as NotPetya, as a result of NATO support.
• Recent reports of an Iranian cyber campaign against Albania has resulted in the severing of diplomatic ties with Iran.
• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a record number of advisories for the month, with ransomware and nation-state activity from Iran being front-and-center.

Trending Analysis

• Phishing attacks continue the upward trajectory according to the latest from APWG’s Q2 Phishing Activity Trends Report – with over 1 million phishing attacks recorded for the 2nd quarter of 2022 – the worst quarter on record.
• The most targeted industries according to APWG include financial services (28%), followed by webmail and Software-as-Service providers (19%) and retail (15%). Some of the key threat vectors identified by APWG are email delivered impersonation and ransomware attacks.
• New Zealand’s Computer Emergency Response Team (CERT NZ) agency reports that phishing campaigns are the primary method for threat actors to gain initial access to carry out ransomware attacks. Email according to CERT NZ, is the third most commonly used vector for malware delivery. 
• Trend Micro reports a 63% rise in Ransomware-as-a-Service (RaaS) groups in the first quarter of 2022. 
• Accenture reports on a growing trend of threat actors leveraging “sensitive corporate data exposed on the dark web” to carry out sophisticated Business Email Compromise (BEC) campaigns.
• Findings from a Stairwell study indicate that RaaS Affiliates of Noberus also known as BlackCat/ALPHV, the successor to DarkSide and BlackMatter ransomware gangs, is potentially resorting to corrupting files on local systems instead of encrypting them with the release of a new “Exmatter” tool.
• BleepingComputer citing research from Symantec on the “Exmatter” tool, shows that the new data extraction tool has been reengineered to more stealthy gain a foothold and exfiltrate data from compromised systems – an essential complement for carrying out double-extortion attacks. Symantec researchers also confirm the ability of Exmatter to “corrupt processed files.”
• The Record reports that leaked LockBit ransomware code has the ability to enable more widespread use of the ransomware file encryptor. 
• The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory on Vice Society ransomware actors that are targeting the education sector. 
• The Los Angeles Unified School District, the second largest school district in the country,  was the latest victim to suffer a Vice Society ransomware attack that resulted in the loss of access to 500GB of data.
• CISA and MS-ISAC also released a ransomware guide, and CISA issued a RFI for new cybersecurity incident reporting for the proposed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed cyber compliance requirements will compel companies to report significant cybersecurity incidents within 72 hours, and 24 hours after a ransomware payment has been made. 
• Turning attention to nation-states, Ukraine has proven to be relatively cyber resilient in the ongoing conflict with Russia in a large part due to recovery from previous cyber attacks such as the infamous NotPetay attack in 2017. The significant support received from NATO is also another decisive factor.
• It is suspected that Ukranian affiliated cyber actors hacked Russia’s Wagner Group, responsible for mercenary recruitment for the Russian armed forces – compromising the personal data of mercenaries.
• CISA shows that Iranian nation-state actors gained access to the Government of Albania’s network 14 months prior to launching a devastating ransomware and wiper malware attack on that country in July. Albania has since severed diplomatic relations with Iran as it tries to recover data and restore public service operations.

Concluding Thoughts & Recommended Actions

The data point to an increasing threat of ransomware-related breaches in the short-to-medium term. Key industry verticals receive a disproportionate amount of attacks including financial services, technology, and more recently the education sector. The threat of nation-state-sponsored attacks as witnessed recently in Albania is of growing concern. Increasing geopolitical tension and instability are likely to exacerbate the probability of state-sponsored ransomware campaigns disrupting key public services.

As the ransomware threat grows, adopting a defense-in-depth strategy is essential. One key attribute of hardening your information system against ransomware attacks is leveraging a machine learning, behavioral-based cybersecurity solution like Tessian that can detect anomalous behavior on email as it arises. 

To see how Tessian prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn