Decrease in ransomware? SonicWall issues its 2022 Cyber Threat Report
SonicWall’s 2022 Cyber Threat report was published this week. It claims that ransomware attacks shrunk by 23 per cent on a year-to-date worldwide basis over 2021. That’s good news, perhaps, but to put it in perspective, there were still over 236 million attacks so far in 2022. Moreover, the reduced 2022 number is still larger than the full year totals of 2017, 2018 and 2019.
While attacks worldwide decreased by 23 per cent, ransomware attacks in Europe increased by 63 per cent.
What’s responsible for these decreases? The report notes that some experts think that it could be the result of increased awareness, and preventive strategies and hardening of defences in response to the large number of high profile attacks last year, particularly in the US. As well, cyber insurers have forced higher standards to get coverage. The plummeting value and volatility of cryptocurrency may also be a factor.
Or potentially, with many ransomware gangs having ties to Russia, the war in Ukraine might be diverting some players, and the cyber war between Ukraine and Russia is being fought alongside the actual war or physical combat.
Another interesting idea in the report is that some ransomware gangs might moving to cryptojacking which, despite the plummeting value of cryptocurrencies, increased by 30 per cent in the first half of 2022 versus the same period in 2021. Cryptojacking, where cybercriminals steal processing cycles to mine cryptocurrency, may be an easier and less risky exploit, since a great deal of it still goes undetected.
The report is taken from data from 1.1 million global sensors in over 200 countries. It can be downloaded at this link (registration required).
The ghost of ransomware past
The same SonicWall report noted that the three top groups it recorded in terms of attacks in the first half of 2022 were Cerber (43 million), Ryuk (34 million) and GandCrab (16 million). While Cerber and Ryuk have competed for the top spot, GandCrab moved from fourth place to third place in SonicWall’s standings.
What is interesting is that GandCrab reportedly shut down in 2019, when it accounted for roughly half of the global ransomware attacks. SonicWall notes that GandCrab was a ransomware as a service operation (RaaS) ,and that the shut down of GandCrab had “no effect on automatic campaigns, many of which were never turned off.” So rather than a rebirth of this past threat, we may be seeing old campaigns that keep on running to this very day.
Raspberry Robin: the worm turns and spreads rapidly
Microsoft has reported that a group they have identified as DEV-0950 is using the Raspberry Robin worm as a delivery mechanism for the Clop ransomware package.
Raspberry Robin is a fairly new worm, first detected in 2021 by analysts at Red Canary. It leverages USB devices as its means of spreading, and has been used in the past to deliver other “second stage payloads.”
Earlier in 2022, Microsoft had also reported associating Raspberry Robin with Cobalt Strike based attacks. These also led to a subsequent attack leveraging the Clop ransomware.
What is remarkable about this deployment is how rapidly it has spread. “Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days,” Microsoft sources noted.
Hive Ransomware gang targets infrastructure run by Tata group
In yet another large infrastructure attack, the Hive ransomware group is reported to have claimed responsibility for an attack on India’s largest power company, Tata Power.
Cybersecurity analyst Dominic Alvieri posted news of the attack, noting that Tata Power provides close to 14,000 megawatts of power generation, 35 per cent of which comes from renewable sources.
According to reports in security blog BleepingComputer, Hive operators have posted data that they stole from Tata Power, indicating that rather than interfering with infrastructure, their attack may be focused on exfiltration and ransom of data. It would also indicate that ransom negotiations may have broken down or that Tata may have elected not to pay.