Threat intelligence company LookingGlass Cyber has released a report focused on ransomware attacks over the first six months of 2022, uncovering over 1,100 confirmed and attributed incidents in that period alone. Researchers expect this number to continue to increase.
Bryan Ware, former CISA Assistant Director and current CEO of LookingGlass Cyber, shared his insights on the company's latest ransomware findings and how ransomware could evolve in 2023.
What was most surprising about these findings?
There were aspects of mirroring legitimate businesses, such as HR departments, customer service groups, or helpdesk teams, that were surprising. But maybe most surprising was that some ransomware groups were rolling their own crypto. In cyber speak, this is when an organization uses its proprietary encryption, instead of standard encryption algorithms, to protect its data, code, applications, and more. LockBit’s bug bounty program paid out a “researcher” that found a bug in their proprietary encryption algorithm, so this is how we know they aren’t using standard algorithms. Most people in cyber know better than to try and roll their own crypto, because oftentimes proprietary algorithms cannot hold up against dedicated attacks.
Have new ransomware groups become more prevalent or is it the same groups causing the most damage?
It's actually a bit of both. We see key players in the ransomware game shifting between groups if one seems to be more successful than another, and we also see the same groups pop up again after they seem to dissolve, just under a new brand or name. The Conti ransomware group is a good example of this rebranding.
Any indication why US companies are targeted more?
It's the same reason Willie Sutton robbed banks: that is where the money is. U.S. companies are better targets for both ransoms and intellectual property. Just in the first half of 2022, LockBit, Conti, Alphv, Black Basta, and Vice Society were among the most prolific ransomware gangs, focusing their attacks on U.S.-based organizations, likely because, as noted, that is where the most potential for financial gain lies.
How should organizations prepare themselves for ransomware threats in 2023?
Organizations should adopt solutions that enable them to truly manage their exposure and have full, real-time visibility into the threats that are relevant to them. On the market today, many of these are known as attack surface management tools, but organizations may have solutions already implemented that can help them do this. As threat actors become more and more sophisticated, malware is likely going to be better produced and maintained – and produced faster. This is because there are different team members who can focus on their strengths. Some can be working on development, while others are focusing on QA of malware, for example. Traditionally, ransomware operators used tried and true methods because many enterprises are behind in their risk reduction timelines, so as the threat actors become more sophisticated, organizations need to step up their security posture and ensure they are uncovering the risks that are relevant to them before the hackers can take hold.