Forescout Technologies, recently analysed and chronicled various the evolving complexity of the ransomware landscape – with threat actors combining known tactics, techniques, and procedures (TTPs) with a growing IoT/OT attack surface. In June, Forescout also released R4IoT, a proof-of-concept for a full attack leveraging IT, IoT, and OT, along with mitigation steps for each TTP. Due to the widespread presence of IoT and OT devices, almost all sorts of organisations are susceptible to such attacks.
The report covers the following aspects in depth:
· State-sponsored ransomware: Ransomware is being used by an increasing number of state-sponsored actors, either for financial gain or as a cover for espionage operations.
· New mainstream targets: ESXi virtualization servers and network-attached storage (NAS) devices have advanced from being secondary to primary targets of ransomware actors due to the valuable data they store and their frequently lax security posture.
· Evolving extortion techniques: Several of the most prominent ransomware threat actors are testing novel extortion strategies alongside the tried-and-tested data exfiltration and encryption.
It also highlighted three state-sponsored ransomware groups from two countries, China and North Korea, namely, Bronze Starlight (China), Maui & H0lyGh0st (North Korea). Such state-sponsored threat actors frequently possess the resources and finances to damage society more broadly than by stealing or encrypting material.
Similarly, ESXi virtualization servers and NAS devices have emerged as a new target because of their internet accessibility, the critical data they store, the increasing amount of exploited security flaws, and their frequent laxer security posture—since businesses typically concentrate on safeguarding managed endpoints.
The report significantly identifies the change in extortion techniques too. Double extortion (data exfiltration before encryption) gained popularity in 2021, but by 2022, several groups had already implemented improvements in their extortion agenda. Some unusual innovations in extortion techniques included a “bug bounty” program that would pay up to $1 million for bugs in the LockBit software, a “brilliant ideas” program to improve their site and software, set of “affiliate rules” mentioning that critical infrastructure targets should not have their data encrypted but only leaked, etc.
Reports conclude with some suggested mitigation efforts such as asset inventory, patching, credential management, and network segmentation to encompass the entire digital terrain. Organisations can start with ESXi servers and NAS devices and extend it to other classes of targeted devices, such as VoIP, IP cameras, and other vulnerable IoT devices.
