The second quarter of the year turned out to be a ‘vibrant quarter’ for ransomware incidents, starting with the high-profile attack on fuel pipeline operator Colonial Pipeline. That incident spurred concern about cybersecurity threats to the critical infrastructure sector, reaching as far as the U.S. administration, according to a report released by McAfee Enterprise.
The REvil/Sodinokibi family alone accounted for 73 percent of ransomware detections in the second quarter. Beyond ransomware, the quarter also brought the challenge of adapting cloud security to a more flexible pandemic workforce and a heavier workload, which widened the attack surface and handed cybercriminals more potential targets.
In the report, titled ‘Advanced Threat Research Report: October 2021,’ McAfee analyzed cybercriminal activity related to ransomware and cloud threats in the second quarter. “With the shift to a more flexible pandemic workforce and the highly publicized Colonial Pipeline attack, cybercriminals introduced new – and updated – threats and tactics in campaigns targeting prominent sectors, such as Government, Financial Services and Entertainment,” the report said.
McAfee observed that the political response to the Colonial Pipeline attack caused the DarkSide ransomware group to abruptly halt its operation, and that several other threat groups announced they would vet future targets and exclude certain sectors. Ransomware has evolved far beyond its origins, and cybercriminals have become smarter and quicker to pivot their tactics alongside a whole host of new bad-actor schemes, the report added.
Ransomware campaigns maintained their prevalence while evolving their business models to extract valuable data and millions of dollars in ransoms from enterprises big and small. DarkSide’s attack on Colonial Pipeline’s fuel distribution dominated cybersecurity headlines in May, the McAfee report said. Shutting down a major U.S. fuel supply chain certainly grabbed the attention of public officials and security operations centers (SOCs), but equally concerning were other ransomware groups operating similar affiliate models, it added.
The Ryuk, REvil, Babuk, and Cuba ransomware operations run affiliate business models of the same kind, McAfee said: these groups and their affiliates exploit common entry vectors and, in many cases, use the same tools to move laterally within a compromised environment. Not long after DarkSide’s attack, the REvil gang stole the spotlight by deploying a Sodinokibi payload in its ransomware attack on Kaseya, a global IT infrastructure provider. REvil/Sodinokibi topped McAfee’s list of ransomware detections in the second quarter.
As DarkSide and REvil stepped back into the shadows after their high-profile attacks, DarkSide’s heir apparent emerged in July: the BlackMatter ransomware, seen primarily in Italy, India, Luxembourg, Belgium, the U.S., Brazil, Thailand, the U.K., Finland, and Ireland, operating as a ransomware-as-a-service (RaaS) affiliate program that incorporates elements from DarkSide, REvil, and LockBit, McAfee said.
Based on the code similarity of the BlackMatter binary and the resemblance of the group’s public page to DarkSide’s, McAfee Enterprise strongly believes that DarkSide’s silence, coinciding with BlackMatter’s appearance, is more than coincidental, especially as it mirrors the pattern seen before and after REvil’s own period of silence. “Despite these notable shifts in behavior, McAfee Enterprise’s global threat network identified a surge in DarkSide attacks from the group upon legal services, wholesale, and manufacturing targets in the United States,” McAfee said.
Last month, Fort Dodge, Iowa-based NEW Cooperative was targeted by the BlackMatter ransomware group. In a statement at the time, the cooperative said it had “proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained. We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation.”
McAfee also pointed out another ‘old’ ransomware seen in mid-2021: LockBit 2.0, an updated version of 2020’s LockBit with new features that automatically encrypt devices across the domain, exfiltrate data, and access systems over RDP, along with an attempt to recruit new affiliates from inside a target enterprise. Remote Desktop Protocol (RDP) is Microsoft’s proprietary network protocol, an extension of the International Telecommunication Union-Telecommunication (ITU-T) T.128 application sharing protocol, that lets a client on almost any operating system open an interactive desktop session on a remote Windows host. Exposed or weakly authenticated RDP is both a common initial entry vector and a convenient lateral-movement channel, which is why ransomware affiliates lean on it so heavily.
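The behavior described above, one account opening RDP sessions on machine after machine as it spreads across a domain, leaves a recognizable trail in Windows Security logs. The following detection logic is an added example for this article, not code from McAfee or from the report: it reads constructed, flattened Windows logon records (the Event ID 4624 and logon type 10 values are the standard Windows codes for a successful RemoteInteractive/RDP logon; the hostnames, account names, IP addresses, timestamps, and the 4-hosts-in-10-minutes threshold are invented for illustration) and flags any account that completes RDP logons to too many distinct hosts within a short sliding window.

```python
"""Flag accounts fanning out over RDP to many hosts in a short window.

Added example (not from the McAfee report or any vendor tool). It consumes
constructed, space-separated Windows logon records and raises a finding when
one account completes RDP logons (Event ID 4624, LogonType 10) to at least
MIN_HOSTS distinct target hosts inside any sliding window of length WINDOW.
Event IDs and logon types are standard Windows values; every host, user,
IP address, timestamp and the threshold itself is an assumption made up here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per line:
#   <timestamp> <event_id> <logon_type> <account> <source_ip> <target_host>
# "svc_backup" fans out over RDP within minutes (ransomware-style spread);
# "jsmith" is an admin doing a few RDP logons spread over a working day.
SAMPLE_EVENTS = """\
2021-07-12T02:11:05 4624 10 svc_backup 10.0.0.51 FS01
2021-07-12T02:11:42 4624 10 svc_backup 10.0.0.51 FS02
2021-07-12T02:12:10 4624 3  svc_backup 10.0.0.51 DC01
2021-07-12T02:12:30 4624 10 svc_backup 10.0.0.51 APP03
2021-07-12T02:13:01 4624 10 svc_backup 10.0.0.51 SQL01
2021-07-12T02:13:15 4624 10 svc_backup 10.0.0.51 FS02
2021-07-12T02:13:44 4624 10 svc_backup 10.0.0.51 WEB02
2021-07-12T08:00:00 4624 10 jsmith 10.0.0.23 JUMP01
2021-07-12T09:30:00 4624 10 jsmith 10.0.0.23 FS01
2021-07-12T14:05:00 4624 10 jsmith 10.0.0.23 APP03
"""

LOGON_EVENT_ID = 4624   # Windows: "An account was successfully logged on"
RDP_LOGON_TYPE = 10     # Windows: RemoteInteractive (Terminal Services / RDP)
WINDOW = timedelta(minutes=10)   # assumed tuning value
MIN_HOSTS = 4                    # assumed tuning value


def parse_events(text):
    """Parse the flat record format above into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src_ip, host = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src_ip": src_ip,
            "host": host,
        })
    return events


def find_rdp_fan_out(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return {account: sorted list of hosts} for every account whose RDP
    logons reach min_hosts distinct targets inside some window of `window`.
    Network (type 3) and other non-RDP logons are ignored."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == LOGON_EVENT_ID and e["logon_type"] == RDP_LOGON_TYPE:
            by_user[e["user"]].append(e)

    findings = defaultdict(set)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[user].update(hosts)
    return {user: sorted(hosts) for user, hosts in findings.items()}


if __name__ == "__main__":
    for user, hosts in find_rdp_fan_out(parse_events(SAMPLE_EVENTS)).items():
        print(f"RDP fan-out by {user}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

On the sample data only `svc_backup` is flagged (five distinct hosts within about three minutes); `jsmith` touches three hosts over twelve hours and stays below the threshold. In production the same logic would be fed from Event ID 4624 on the target hosts (or Event ID 1149 from the Terminal Services operational log), and the window and host count would be tuned per environment, since jump hosts and patch-management accounts legitimately generate RDP bursts and belong on an allow list.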
Ransomware developers also launched new operations. The Hive ransomware family was first observed in June 2021, with prevalence in India, Belgium, Italy, the United States, Turkey, Thailand, Mexico, Germany, Colombia, and Ukraine, operating as a RaaS written in the Go language and compromising healthcare and critical infrastructure organizations, McAfee pointed out.
The second-quarter data released by McAfee Enterprise Advanced Threat Research also covered cloud threats. The top 10 countries reporting cloud threat incidents were the U.S., India, Australia, Canada, Brazil, Japan, Mexico, Great Britain, Singapore, and Germany.
Financial services was the vertical most often targeted in reported cloud incidents, followed by healthcare, manufacturing, retail, and professional services. Financial services also featured in 50 percent of the top 10 cloud incidents, including incidents in the U.S., Singapore, China, France, Canada, and Australia.
Cloud incidents targeting verticals in the U.S. accounted for 34 percent of those recorded, while Great Britain saw a 19 percent decrease. By country, most cloud incidents were reported in the U.S., followed by India, Australia, Canada, and Brazil; McAfee also revealed that cloud incidents targeting the U.S. accounted for 52 percent of all incidents recorded.