In early February 2022, the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a joint cybersecurity advisory, “2021 Trends Show Increased Globalized Threat of Ransomware,” observing “an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally” during 2021.  The advisory—which was coauthored by cybersecurity authorities in the United States (CISA, the Federal Bureau of Investigation, and the National Security Agency), Australia (the Australian Cyber Security Centre), and the United Kingdom (the National Cyber Security Centre)—emphasizes that the continued evolution of ransomware tactics and techniques throughout the past year “demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.”

The joint report provides technical details regarding the observed behaviors and trends of ransomware actors, mitigation recommendations for network defenders to reduce their risk of compromise by ransomware, and step-by-step advice for responding to ransomware attacks.

Ransomware Trends.  The report details a variety of behaviors and trends that cybersecurity authorities observed among cyber criminals over the past year.

  • Gaining Access to Networks: The top three “initial infection vectors” for ransomware incidents in 2021 remained phishing emails, exploitation of exposed Remote Desktop Protocol (RDP) services (typically through stolen or brute-forced credentials), and exploitation of software vulnerabilities.
  • Using Cyber Criminal Services-for-Hire: The market for ransomware grew in sophistication in 2021, as ransomware threat actors not only made increased use of ransomware-as-a-service, but also “employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cyber criminals.” The advisory noted that this business model “often complicates attribution” of ransomware incidents to specific threat actor(s).
  • Sharing Victim Information: Eurasian ransomware groups shared victim information with each other, including by selling access to victims’ networks to other groups, which “diversif[ied] the threat to targeted organizations” because a single intrusion could be exploited by more than one actor.
  • Shifting Away from “Big-Game” Hunting in the United States: U.S. authorities observed that, over the course of 2021, some cybercriminals shifted their ransomware efforts from large organizations, including those that provide critical services, toward mid-sized victims after several high-profile incidents resulted in scrutiny and disruption from government authorities. Australian and U.K. authorities, however, observed that ransomware threat actors continued to target organizations of all sizes.
  • Diversifying Approaches to Extorting Money: Ransomware threat actors increasingly used “triple extortion” methods as part of ransomware incidents by “threatening to (1) publicly release stolen sensitive information, (2) disrupt the victim’s internet access, and/or (3) inform the victim’s partners, shareholders, or suppliers about the incident.”
  • Increasing Their Impact: Authorities observed that cybercriminals have increased the scale and disruptive nature of their attacks by targeting cloud infrastructures (including the cloud providers themselves), managed service providers (MSPs), industrial processes (including code designed to stop critical infrastructure or industrial processes), and the software supply chain, as well as by conducting attacks on holidays and weekends. The authorities authoring the alert assessed that “there will be an increase in ransomware incidents where threat actors target MSPs to reach their clients.”

Mitigation Recommendations.  CISA’s advisory identified five “immediate actions” that entities can “take now to protect against ransomware”:

  • Update your operating system and software.
  • Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments.
  • If you use Remote Desktop Protocol (RDP), secure and monitor it.
  • Make an offline backup of your data.
  • Use multifactor authentication (MFA).

The report also advises that network defenders may reduce the likelihood and impact of ransomware incidents by taking the following steps (some of which mirror the five immediate actions listed above):

  • Keeping all operating systems and software up to date, including by prioritizing known exploited vulnerabilities and automating software security scanning and testing when possible;
  • Securing and closely monitoring RDP or other potentially risky services, including external connections to third-party vendors;
  • Implementing a user training program and phishing exercises;
  • Requiring multi-factor authentication for as many services as possible, “particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups;”
  • Requiring all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords;
  • If using Linux, using a Linux security module for defense in depth (the advisory names SELinux, AppArmor, and seccomp; strictly speaking, seccomp is a kernel system-call filter rather than a Linux security module, but it serves the same purpose of confining what a compromised process can do); and
  • Protecting cloud storage by backing up to multiple locations, requiring MFA for access, and encrypting data in the cloud.

The report further recommends that network defenders may “limit an adversary’s ability to learn an organization’s enterprise environment and to move laterally” through the following steps:

  • Segmenting networks;
  • Implementing end-to-end encryption;
  • Identifying, detecting, and investigating abnormal activity, including potential lateral movement of ransomware across the network, with a network-monitoring tool;
  • Documenting external remote connections;
  • Implementing time-based access for privileged accounts;
  • Enforcing principle of least privilege through authorization policies;
  • Reducing credential exposure;
  • Disabling unneeded command-line utilities; constraining scripting activities and permissions, and monitoring their usage;
  • Maintaining offline (i.e., physically disconnected) backups of data, and regularly testing backup and restoration;
  • Ensuring that all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure; and
  • Collecting telemetry from cloud environments.

The advisory also recommended that critical infrastructure organizations with industrial control systems or operational technology (OT) networks should review the joint CISA-FBI Cybersecurity Advisory DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more recommendations.  CISA’s mitigation recommendations align with steps that cyber insurance policyholders can take to manage ransomware risk as insurers have scaled back coverage in response to the increase in global ransomware attacks.  For more information on recent trends in cyber insurance, see the recent Covington Alert, The “Ransomware Pandemic” – Is Your Business Insured?

Responding to Ransomware Attacks.  Finally, the report recommends that organizations take the following steps if involved in a ransomware attack:

The cybersecurity authorities in the United States, Australia, and the United Kingdom “strongly discourage paying a ransom to criminal actors,” because paying the ransom not only promotes the ransomware business model, but also does not guarantee recovery of the victim’s files.  In fact, the UK National Cyber Security Centre has urged UK regulators to consider prohibiting insurance coverage for ransomware payments as a means of deterring ransomware attacks.

Resources.  The joint cybersecurity advisory also includes a list of resources that organizations confronting cyber threats and evaluating cybersecurity best practices may find helpful, including StopRansomware.gov, CISA’s Ransomware Readiness Assessment, CISA’s cyber hygiene services, and information about the U.S. Department of State’s Rewards for Justice program.

Micaela McMurrough

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Caleb Skeath

Caleb Skeath advises clients on a broad range of privacy and data security issues, including regulatory inquiries from the Federal Trade Commission, data breach notification obligations, compliance with consumer protection laws, and state and federal laws regarding educational and financial privacy.