New year, new tactics: Ransomware groups refine strategies in 2022


Ransomware attacks reared their ugly head in 2021 and got the attention of both the public and private sectors across many nations. We also saw the emergence of ransomware-as-a-service (RaaS) offerings and a swarm of affiliates take off, allowing cybercriminals who lack the technical skills to commoditize ransomware. The Indian Computer Emergency Response Team (CERT-IN) reported over 11.5 lakh cyberattacks in 2021 with ransomware attacks up by 120%. Power, oil and gas, telecom and healthcare sectors were the most targeted in the country.

The steady rise in cryptocurrency, an intricate chain of RaaS affiliates and the business model of double extortion contributed to the increase in cyber extortion. However, one of the most important drivers of ransomware is the vulnerabilities and misconfigurations threat actors leveraged to gain a foothold into organizations to propagate their attacks. Ransomware attacks against critical infrastructure can disrupt daily life, especially if petroleum pipelines or food processing plants shut down. RaaS operators rely on these disruptions and the threat to publish stolen files from their networks as leverage to ensure organizations pay up.


The attacks on Colonial Pipeline and JBS Foods, amongst others, are still seared into the minds of CEOs, driving a renewed push for better security standards and incident preparedness. Furthermore, dramatic law enforcement seizures, such as the FSB’s arrest of alleged members of the notorious RaaS group REvil, have led threat actors to be more selective about their targets, aiming to strike a balance between making money and avoiding a target on their back from law enforcement. This tactical shift involves a deliberate attempt to extort companies that have the capacity to pay large sums but are small enough that the attack stays out of the media and law enforcement spotlight.


Make ransomware less worthwhile by strengthening cyber hygiene

Prominent ransomware groups come and go, but it’s the RaaS affiliates who are the engine driving most ransomware attacks today. Affiliates are the ones responsible for finding their way into targeted networks. They leverage myriad tactics to breach organizations, including phishing, malware, password reuse and brute-forcing RDP connections. Vulnerabilities may not be the only path into an organization, but they are certainly the easiest weaknesses threat actors exploit to break into targeted networks, especially with proof-of-concept exploit code shared across public source code repositories and social networks. So how can organizations establish deterrence against ransomware operators?


  • Patching: A robust patch management process can ensure that organizations are continuously identifying unpatched vulnerabilities and mitigating them. But the buck doesn’t stop here.
  • Active Directory security: There must be a renewed focus on restricting access to critical systems and sensitive internal data by addressing misconfigurations in Active Directory (AD). With a zero-trust approach, organizations can inventory users and privileges while granting access on a need-to-know basis. AD is at the center of any organization’s zero-trust journey as it is the primary mechanism used for identity and access management in most organizations worldwide. Continuously monitoring AD for misconfigurations and mitigating them can stop lateral movement of threat actors and stop privilege escalation before it is too late.
  • Security as Code: As organizations increasingly adopt cloud-native technologies to support remote and hybrid work models, security needs to evolve at the speed of the cloud. Legacy vulnerability management tools only identify vulnerabilities and misconfigurations in the cloud at runtime, which is too late to fix the problem before it is exposed. With Security-as-Code, organizations have the tools to identify and mitigate vulnerabilities and misconfigurations while the infrastructure code itself is being written. This shift-left approach adds an additional layer of security.
  • Employee awareness: Phishing emails are the most common method used by ransomware operators. Therefore, ensuring that a secure email gateway is in place, endpoint security is up-to-date along with employee security awareness training could potentially thwart the next ransomware attack.
  • Plan for the worst: As we do with natural disasters, organizations should prepare playbooks that allow them to respond to security incidents like ransomware attacks. Simulating a ransomware attack against your organization can reveal gaps in its ability to quickly understand, identify and respond to such an attack in a real-world scenario, aiding in your preparedness.
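The Security-as-Code item above describes catching misconfigurations while infrastructure code is being written rather than at runtime, and the earlier paragraph names brute-forced RDP as a common entry point. The following Python check is an added illustration, not code from the article or from any Tenable product: it scans a constructed infrastructure plan (the dictionary schema, resource names and CIDRs are all assumptions made for this example) and fails the build when an ingress rule exposes RDP, SSH or SMB to the whole internet or when a backup bucket is publicly readable or lacks versioning. Each weak resource is placed beside its corrected counterpart so the output shows exactly which setting the check trips on.

```python
"""Minimal policy-as-code check over an infrastructure plan.

Constructed example: SAMPLE_PLAN stands in for a parsed Terraform or
CloudFormation plan. In a real pipeline you would load the plan JSON
emitted by your IaC tool and run scan() as a pre-merge gate.
"""
import ipaddress

# Services that ransomware affiliates routinely brute-force or abuse for lateral movement.
RISKY_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB"}


def is_world_open(cidr: str) -> bool:
    """True when the CIDR admits the entire IPv4 or IPv6 internet (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(sg: dict) -> list[str]:
    """Flag ingress rules that expose a risky port to any source address."""
    findings = []
    for rule in sg.get("ingress", []):
        lo, hi = rule["from_port"], rule["to_port"]
        world_open = any(is_world_open(c) for c in rule["cidrs"])
        for port, name in RISKY_PORTS.items():
            if lo <= port <= hi and world_open:
                findings.append(f"{sg['name']}: {name} (tcp/{port}) open to the internet")
    return findings


def check_bucket(bucket: dict) -> list[str]:
    """Flag storage buckets that are publicly readable or cannot be rolled back."""
    findings = []
    if bucket.get("public_read"):
        findings.append(f"{bucket['name']}: public read access")
    if not bucket.get("versioning"):
        # Versioning is the assumed control here: it lets you restore objects
        # overwritten by an encryptor, so backups without it are flagged.
        findings.append(f"{bucket['name']}: versioning disabled, no rollback after encryption")
    return findings


def scan(plan: dict) -> list[str]:
    """Run every check and return the combined list of findings (empty means pass)."""
    findings = []
    for sg in plan.get("security_groups", []):
        findings.extend(check_security_group(sg))
    for bucket in plan.get("buckets", []):
        findings.extend(check_bucket(bucket))
    return findings


# Constructed sample plan: each weak resource sits beside its corrected version.
SAMPLE_PLAN = {
    "security_groups": [
        {"name": "jumpbox-weak",
         "ingress": [{"from_port": 3389, "to_port": 3389, "cidrs": ["0.0.0.0/0"]}]},
        {"name": "jumpbox-fixed",
         "ingress": [{"from_port": 3389, "to_port": 3389, "cidrs": ["10.20.0.0/16"]}]},
    ],
    "buckets": [
        {"name": "backups-weak", "public_read": True, "versioning": False},
        {"name": "backups-fixed", "public_read": False, "versioning": True},
    ],
}

if __name__ == "__main__":
    results = scan(SAMPLE_PLAN)
    for finding in results:
        print("FAIL", finding)
    # Non-zero exit blocks the merge in a CI pipeline.
    raise SystemExit(1 if results else 0)
```

Run as a script it prints one line per finding and exits non-zero, which is the behaviour a CI gate needs; the three findings all come from the "-weak" resources, while the "-fixed" ones pass untouched. Real scanners cover many more resource types and rule sets, but the shape is the same: a plan document in, a list of policy violations out, evaluated before anything is deployed.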

While you can’t prevent every single attack, organizations must strive to close as many gaps as possible in order to make these attacks more challenging for a threat actor, while also adequately preparing to respond to such an attack in the future.

(The author is Satnam Narang, Staff Research Engineer at Tenable; the views expressed in this article are his own.)
