Threat actors have been driven to reduce their targeting scope and maximize the effectiveness of their operations due to multiple law enforcement actions leading to the arrests and shutdown of ransomware activities in 2021. Even after significant members of the infamous Ransomware-as-a-Service (RaaS) gangs have been imprisoned, most of the notorious RaaS gangs continue to operate, refining their strategies for maximum damage.
According to a Coveware analysis of ransomware negotiation data from Q4 2021, ransomware organizations are now demanding bigger ransom payments rather than increasing the volume of their operations. In terms of numbers, the average ransom payment in Q4 2021 was $322,168, up 130% from the previous quarter. The typical ransom payment was $117,116, up 63% from the prior quarter.
Because disrupting the operations of giant corporations leads to investigations and global political problems, criminals are increasingly attempting to strike a fine balance. They target companies that are large enough to justify significant ransom demands but not so large or important that they will generate more geopolitical problems than gains. When looking at firm size in terms of employee count, companies with more than 50,000 workers saw fewer incidents, as threat actors preferred to target mid-sized businesses.
“Although medium and large organizations continue to be impacted, ransomware remains a small business problem with 82% of attacks impacting organizations with less than one thousand employees,” explains Coveware.
Conti was the most often detected variant in Q4 2021, accounting for 19.4% of all detections; LockBit 2.0 was second with 16.3%, and Hive was third with 9.2%. Given that the top three ransomware operations use double-extortion strategies, it is no surprise that stolen data was involved in 84% of all attacks in Q4 2021. This proportion would be considerably greater if it were based solely on the actors' intentions, because in some circumstances defensive systems identify and block the attack before data can be stolen.
According to Coveware, the following tactics, techniques and procedures (TTPs) were observed:
- In 82% of the infections, persistence was established through scheduled tasks and startup code execution.
- In 82% of ransomware attacks, the attackers attempted to pivot to other systems on the same network by moving laterally.
- 61% of the investigations involved gathering keyboard inputs, screenshots, emails, video, and other espionage-related material.
- In 63% of the events, a command-and-control server coordinated remote access activities.
- Credential access was found in 71% of the ransomware incidents examined.
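The persistence figure above (scheduled tasks and startup code execution) is the one TTP in this list that a defender can hunt for directly in Windows Security logs. The following is an added example, not part of the Coveware report or the article: a small detection pass that classifies constructed sample events (imitating Security log fields for Event IDs 4698, 4657 and 4688) into the persistence sub-categories the report names. The event records, hostnames and task names are all constructed for illustration.

```python
"""Added example: flag the two persistence mechanisms named in the Coveware
summary (scheduled-task creation and startup/autorun registry changes) in a
stream of Windows Security log events.

The sample events below are CONSTRUCTED to imitate real log fields; they are
not data from any actual incident."""
from typing import Dict, List, Optional, Tuple

# Registry paths used for "startup code execution" (Run / RunOnce keys).
AUTORUN_KEY_FRAGMENTS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)


def classify_event(event: Dict[str, str]) -> Optional[str]:
    """Return a persistence label for one event, or None if it is benign-looking."""
    eid = event.get("EventID")
    if eid == "4698":  # Security 4698: a scheduled task was created
        return "persistence:scheduled_task"
    if eid == "4657":  # Security 4657: a registry value was modified
        path = event.get("ObjectName", "").lower()
        if any(frag.lower() in path for frag in AUTORUN_KEY_FRAGMENTS):
            return "persistence:autorun_registry"
    if eid == "4688":  # Security 4688: a new process was created (with command line)
        cmd = event.get("CommandLine", "").lower()
        if "schtasks" in cmd and "/create" in cmd:
            return "persistence:scheduled_task_cli"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, label, detail) for every event that matches a persistence pattern."""
    hits = []
    for ev in events:
        label = classify_event(ev)
        if label is None:
            continue
        detail = ev.get("TaskName") or ev.get("ObjectName") or ev.get("CommandLine", "")
        hits.append((ev.get("Computer", "?"), label, detail))
    return hits


# Constructed sample events (hostnames, task names and paths are invented).
SAMPLE_EVENTS = [
    {"EventID": "4624", "Computer": "WS-01", "TargetUserName": "alice"},          # logon, benign
    {"EventID": "4698", "Computer": "WS-01", "TaskName": r"\Updater\SysCheck"},   # task created
    {"EventID": "4657", "Computer": "WS-02",
     "ObjectName": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "svchelper"},                                              # autorun key
    {"EventID": "4657", "Computer": "WS-02",
     "ObjectName": r"HKCU\Software\Contoso\Settings", "ObjectValueName": "theme"}, # unrelated key
    {"EventID": "4688", "Computer": "SRV-03",
     "CommandLine": 'schtasks.exe /Create /SC ONLOGON /TN "sync" /TR "C:\\tmp\\s.exe"'},
    {"EventID": "4688", "Computer": "SRV-03", "CommandLine": "notepad.exe"},       # benign process
]


def demo() -> List[Tuple[str, str, str]]:
    """Run the scan over the constructed events and return the hits."""
    hits = scan(SAMPLE_EVENTS)
    for host, label, detail in hits:
        print(f"{host}: {label} -> {detail}")
    return hits


if __name__ == "__main__":
    demo()
```

The three detection rules are deliberately narrow so that each hit maps to a named mechanism; in a real environment you would feed the classifier from a SIEM query rather than a list, and tune the 4688 rule to account for legitimate administrative use of schtasks.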
Another significant shift in strategy involves the initial compromise vector. RDP access, which was once a hot commodity on the dark web, is rapidly dwindling as ransomware operators shift their focus to exploiting vulnerabilities. CVE-2021-34473 and CVE-2021-26855 on Microsoft Exchange and CVE-2018-13379 on Fortinet firewall appliances were the most exploited vulnerabilities for network access in Q4 2021.