Today’s columnist, Shmuel Gihon of Cyberint, points out that LockBit and Conti have become the most prolific ransomware gangs this year. These threat groups go for cash-rich organizations, primarily in the United States. (Image provided by Recorded Future)

The last 12 months have seen a consistent rise in “Big Game” ransomware attacks targeting cash-rich organizations in the United States, with the industrial and energy, retail and finance sectors being the hardest hit and Conti and LockBit emerging as the main cybercrime gangs.

The ransomware industry has effectively consolidated into a small number of large organized and highly- professional organizations. In 2021, the Conti ransomware gang was responsible for 505 major ransomware cases and LockBit was responsible for 465, each dwarfing the other gangs combined. Conti and LockBit are not interested in hunting small game and go for cash-rich organizations, mainly in the United States.

In 2021, the U.S. suffered by far the largest number of ransomware breaches with 1,352 “Big Game” attacks observed in 2021, followed by France (146), Canada (140) and the UK (139). These attacks only concentrate on organizations in industries with significant financial resources. During 2021, the industrial and energy sector were the most affected, suffering 599 significant attacks, closely followed by the retail sector with 545 significant attacks and finance with 355.

Ransomware attacks are becoming more ambitious and increasingly frequent with all geographies seeing a consistent increase in “Big Game” attacks throughout 2021. This has meant that gangs such as Conti and LockBit, between them responsible for the lion’s share of successful attacks, have had to become increasingly professional and streamlined in their approach, which is reflected in their new tactics, techniques and procedures (TTPs). Organizations can protect themselves only by ensuring that they have wide-ranging and up-to-date threat intelligence to ensure they stay informed of the constantly evolving TTPs of the ransomware gangs.

These now include increased use of the “steal, encrypt and leak” tactic, which occurred throughout 2021 and involves releasing the stolen confidential data piecemeal, thereby applying continual pressure on the victim organization. New and highly-targeted spear-phishing campaigns created by Conti have also recently become increasingly ruthless in their targeting of key staff members. Customers, partners and vendors of large organizations within the U.S. are being sent malicious email lures, sometimes from the original victim’s email server.

Targeted recipients typically include staff working within business administration, finance and sales. Once one organization becomes compromised, legitimate email accounts are now increasingly used to send highly-effective lures to other organizations. Based on analysis of recent campaigns, these emails are now also generally backed up by the apparent use of prior legitimate email threads including contact details mimicking those of an unwitting third party and can appear utterly convincing in their content and tone. The poor English or other giveaway gaffes of the previous generation of lures are being replaced by highly professional and personalized communications.

Because of the post-pandemic growth in remote work, it’s now doubly important that such staff are regularly reminded to treat all unsolicited emails with a degree of caution. The consistent use of virtual private networks (VPNs) for work purposes has also been shown to help keep employees alert and aware of the threats of working at home.

The implementation of effective multi-factor authentication (MFA) has become more important than ever, preventing threat actors from abusing stolen credentials and identities without the token, whether it’s in hardware or software form. MFA can also block socially-engineered attempts to gain access to high-privilege user accounts. Organizations that make use of corporate social media accounts and similar shared services should enable MFA.

Ransomware attacks increasingly target the most sensitive data at many large organizations. It’s absolutely essential that security teams encrypt all sensitive data and store it securely to prevent unauthorized access and render the data inaccessible to the threat actor in the event of data theft.

Ironically, the increasingly sleek professionalism of the big gangs has also been reflected in their increased efficiency in fulfilling their end of the bargain. In 2020, victim organizations recovered an average of roughly 60% of their stolen and encrypted data, while in 2021 the figure was around 90%. The increasing confidence of the big gangs has been caused because they are extremely careful to locate themselves far outside the reach of U.S. law enforcement. The Conti ransomware gang, for example, has been linked to Wizard Spider, a cybercrime group based in Russia, suggesting that Conti probably operates out of the same region.

So, although U.S. law enforcement agencies may continue to insist that victim organizations should refuse to cooperate or negotiate with the ransomware, many companies only have two alternatives: take precautions today or pay-up tomorrow.

Shmuel Gihon, threat intelligence researcher, Cyberint