The beginning of 2022 truly set the tone for the rest of the year; we’d summarize it as a wild ride. In just a few months' span:
Members of the notable ransomware gang REvil were arrested (signifying a potential future of collaboration between the U.S. and Russia). Hindsight: That would not be the case.
Following the disclosure of the Log4j vulnerability in December 2021, organizations remained on high alert into the new year for major exploits.
Simultaneously, Russia’s invasion of Ukraine was underway, criminal allegiances were splintering, and the threat ecosystem was facing unpredictable changes.
Now that 2022 is nearly in the rearview, we wanted to take a moment to reflect on the journey. Join us as we explore our successes combatting risk, the ongoing impact of Russia’s invasion of Ukraine, and our concerns for the future.
They say the brightest stars burn the fastest. By that, we don’t want to imply the end of ransomware — threat actors will reinvent the wheel a million times over if profit is involved — but tides turned this year, particularly in the U.S. Step on enough toes, like by shuttering one of the country’s largest oil pipelines for days or pledging allegiance to Russia at the beginning of their invasion of Ukraine, and you’ll make some enemies. Major ransomware groups (Conti, DarkSide, and REvil, to name a few) made enough missteps to get on the wrong side of the U.S. government.
A handful of players within the ransomware ecosystem are responsible for the majority of attacks that make headlines. Many of these groups function like traditional companies, with HR departments and financial incentives for “good work,” which helps achieve significant monetary gains. Success also puts a target on their backs.
Since last year, and more specifically, since the outbreak of the war in Ukraine, ransomware activity has shifted globally. After a brief dip in January and February this year (coinciding with the invasion of Ukraine), ransomware rates returned to historically high levels in the spring of 2022. But that activity was gradually being pointed toward targets outside the U.S. By May 2022, U.S. targets made up just one third of all reported ransomware attacks, down more than 30% from a 2021 high of close to 50%.
Organizations in the United States were traditionally ideal victims. Threat actors needed businesses willing to pay up (and pay up a lot). But bold and public efforts by the U.S. government have effectively changed that — at least for now. In 2021, the Office of Foreign Assets Control (OFAC) announced sanctions that specifically target intermediary businesses that enable ransomware operations, like certain cryptocurrency exchanges. Plus, sanctions levied against Russia amidst their invasion of Ukraine are directly impacting prolific ransomware groups (many of which live and work in Russia).
In 2021, one of our greatest concerns was the future of zero-day vulnerabilities. We saw two major examples play out last year: Log4j and Microsoft Exchange. The threat of vulnerable, unpatched systems was overwhelmingly a top-of-mind concern. But in 2022, a catastrophic zero-day didn’t rock the industry, at least not in the way many of us were bracing for. While that’s not to say we’ve seen security flaws go extinct — we alerted our affected policyholders to 30 critical vulnerabilities this year alone — we want to highlight a proactive approach as part of the solution to avoiding nuclear, zero-day fallout.
For example, policyholders who receive Corvus Alerts patch their systems three times faster than organizations that don't receive a notification, an advantage that reduces the chances of an incident. Software has vulnerabilities, patches remain necessary, and threat actors stay hungry for a way to access your systems. We can’t easily change any of those things. We can, however, control how fast we react. And we react fast.
In October, we notified our policyholders of a VPN vulnerability that potentially allowed for authentication bypass in certain versions of the software. Our alert — which included guidance and next steps — reached hundreds of potential victims the same day as the initial customer announcement, and preceded the public advisory by more than two days.
In the first half of 2022, we saw a 66% increase in third-party breaches compared to the second half of 2021. And while we’ve noted that ransomware in the U.S. is trending down, that doesn’t seem to apply to third-party ransomware attacks — which are up by 20%. So, why are attacks on third-party vendors, like software providers, all the rage?
The short answer is leverage. For example, if threat actors infiltrate a software-as-a-service provider and halt business operations, it also halts business operations for hundreds (or thousands) of downstream customers. With this level of heat on your organization, the likelihood of paying the ransom increases. If vendors hold sensitive data on behalf of their customers and that data is stolen by threat actors, the price tag on a ransom demand is also likely to balloon.
In a headline-worthy example, ride-hailing giant Uber faced scrutiny again (unrelated to a security incident in September) after its internal data was found available for download on a hacking forum. In an unsurprising twist for 2022, a third-party software firm is responsible for the breach. This further highlights the necessity of proper third-party risk management at all organizations.
The traditional approach to ransomware is to access an organization’s systems and encrypt their files, rendering them useless. This business model hinges on the fact that victims will pay the ransom for a decryption key in return. But with resilient backup strategies proving effective, threat actors are looking to get more creative and diversify their approach. Data exfiltration — where cybercriminals simply steal the data, alert the victim, and demand a ransom — is not a new tactic, but it’s an increasingly popular one.
Rates of data exfiltration (theft) now sit at nearly 50%, a historic high, which means that many victims will have a more difficult time standing down their attackers. If data is stolen, the threat is not limited to the victim's IT systems. It spreads to their brand reputation and their liability for exposure of sensitive information.
Prolific ransomware gangs — including some that flew too close to the sun, like Conti — have been found testing out this approach in the wild. Lapsus$, Karakurt (a suspected Conti rebrand), and BlackCat/ALPHV are a few groups we plan to keep a close eye on.
The breakaway star of 2022? Fraudulent funds transfer (FFT, for short). These are incidents where threat actors use social engineering to trick employees into wiring money to a bank account they control. They made up 36% of claims at Corvus this last quarter, which is the most of any single category of cyber incident. These attacks don’t typically make big headlines like ransomware — they are less flashy and less costly — but are increasingly prevalent. In fact, we’ve noted that FFT generally gains steam when ransomware activity dips.
The sustained decline in ransomware activity has made this inverse relationship more overt. Our data shows ransomware and FFT to be the two most consistent tactics of choice for threat actors, together representing more than half of all Corvus claims. So, why are these two modes of attack constantly coming out on top? They are relatively simple to accomplish. FFT incidents in particular hinge on human error, and nearly all FFT claims are a result of business email compromise (which produced 4 out of 10 claims in the second half of 2021).
Business Email Compromise (BEC) is an attack that involves using the medium of email to trick an individual into giving up something of value. The key is individual: these are targeted, intentional attempts that leverage either social engineering tactics, like impersonating an executive, or stolen credentials — or both — to increase the chance of success.
Cybercriminals take note of what works. We urge organizations to continue to make it harder for them to succeed by protecting their email with security awareness training, phishing-resistant MFA, and the right email security tools.
For more fresh data insights, you can find our full Risk Insights Index here.
This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.