Threat actors to cause significantly more damage through malware and cloud computing
Threat actors will cause significantly more damage in 2022, according to new analysis from Appgate.
Felipe Duarte Domingues, security researcher at Appgate, says the rapid rise in cloud computing has seen threat actors increase their toolkit.
"Due to the work-from-anywhere era we now find ourselves in, most companies have had to accelerate their adoption of cloud computing in order to support employees working from multiple locations at different times," he says.
"This rapid rise of cloud computing has meant that we have seen an increase in the number of hosts on the cloud, as well as an increase in operational systems such as virtual machines, ESXi and Citrix.
"As a result, attackers have increased their toolkit to target different operational systems, allowing cyber-attacks to move laterally to attack more servers and inflict as much damage as possible," Domingues says.
Over the past year, there has been an increase in malware attacks in which bad actors encrypt virtual machine drives.
"Attackers have always tried to breach a network in order to encrypt files; however, malware now focuses on reaching VM hypervisor servers and encrypting all the hosted machines," says Domingues.
With an increased toolkit and the ability to move laterally across the network, threat actors can cause significantly more damage by encrypting databases, virtual machines and common servers, and Domingues says this is something we are going to continue to see going into 2022.
"Therefore, it is important that organisations implement solutions and Zero Trust principles such as segmentation, which prevents malware from moving laterally across an organisation's network by literally segmenting areas of the network," he says.
Additionally, there has been an increase over the last year in the use of new programming languages to develop malware. Malware developers have traditionally used languages such as C++, but they are now turning to newer languages like Golang to avoid detection.
"When a new language is used, a new binary is built, and it therefore executes differently," Domingues says.
"Anti-virus solutions use static and behavioural signatures to detect malware execution. By using a new language to compile malicious code, the old signatures can't recognise this new sample," he explains.
"From the attacker's point of view, malware is less likely to be detected, and it takes time for AV solutions to adapt. Besides, Golang allows the same code to be cross-compiled to other operating systems, so the same threat can now attack both Linux and Windows."
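One defensive response to the toolchain shift described above is to inventory which executables in an environment were produced by the Go toolchain, so that detection and allow-listing can be tuned for them. The script below is an added example, not code from Appgate or the article; it assumes that Go-linked binaries carry the Go build-info header magic, and the sample files are constructed stand-ins, not real malware.

```python
import re
from typing import Dict, Optional

# Magic bytes the Go linker writes at the start of a binary's build-info
# header (the .go.buildinfo section in ELF; a data section in PE/Mach-O).
# Assumption: matching this header is a compiler-family heuristic, not a
# signature for any specific malware sample.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"

# Loose pattern for the toolchain version string embedded in Go binaries.
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")

# Constructed sample "files" (PE-like stubs): one Go-built, one C++-built,
# one that is padding only.
SAMPLES: Dict[str, bytes] = {
    "updater.exe": (b"MZ\x90\x00" + b"\x00" * 64
                    + GO_BUILDINFO_MAGIC + b"\x08\x02"
                    + b"\x00" * 32 + b"go1.17.3"),
    "svc.exe": (b"MZ\x90\x00" + b"\x00" * 64
                + b"Microsoft (R) C/C++ Optimizing Compiler"),
    "blob.bin": b"\x00" * 128,
}


def is_go_binary(data: bytes) -> bool:
    """True if the file carries the Go build-info header magic."""
    return GO_BUILDINFO_MAGIC in data


def go_version(data: bytes) -> Optional[str]:
    """Best-effort recovery of the Go toolchain version string."""
    m = GO_VERSION_RE.search(data)
    return m.group(0).decode() if m else None


def triage(files: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Return {filename: go_version} for every file that looks Go-compiled,
    so these binaries can be reviewed separately from C/C++ builds."""
    return {name: go_version(d) for name, d in files.items() if is_go_binary(d)}


if __name__ == "__main__":
    for name, ver in triage(SAMPLES).items():
        print(f"{name}: Go-compiled ({ver or 'version unknown'})")
```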
Paying the Ransom
The actions by the international cyber security community and law enforcement against ransomware gangs over the last six months have forced ransomware groups to be more careful with their operations. It's not uncommon nowadays for these groups to go dark after a major attack and change their servers in order to hide their footprint. Some ransomware gangs even rebrand after they're put under pressure by authorities.
"With ransomware groups continuing to rebrand and change their infrastructure, organisations face less pressure to pay ransom when they are breached," Domingues says.
"You can't pay a group that no longer exists, and you are less likely to pay the ransom if there is a possibility they will disappear with your money," he says.
Trust in law enforcement and government agencies to crack down on these attacks has also grown.
"Organisations are, therefore, less likely to give into the demands of ransomware groups if they know that government agencies are cracking down on the recovery of their data," Domingues says.
As a result, in the upcoming year, Domingues says ransomware groups will likely have a lower profit margin if they continue to target high-profile organisations, where the government is likely to respond quickly to an attack.
"Ransomware groups will, therefore, focus on targeting more small companies, where there will be less media and government attention, in order to maintain their profit margin, or find ways to operate more stealthily," he says.
"Organisations must be vigilant, as ransomware groups will learn how to operate more cautiously without being detected. Ransomware attacks will not dramatically drop in the next year, but they may become less profitable as the pressure by law enforcement and government agencies to crack down on the people causing these attacks continues to grow."