Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
By James Turgal, vice president, cyber risk, strategy and board relations, Optiv Security
As prevalent and damaging as ransomware was in 2021, we need to gear up in the New Year, because the threat is only going to increase. In what I call "crowd-sourced" hacking, 2022 and beyond will see more splintering of ransomware groups and ransomware-as-a-service (RaaS), as the splintered groups' modus operandi morphs to allow individual ransomware designers, infiltrators, payload deployers and payment collectors to continue to iterate on and improve both the product and the execution of the attack. This splintered threat model allows cybercrime subject matter experts to emerge in every area necessary for a successful attack.
Threat actors will compartmentalize certain parts of the attack to key internal actors and pay smaller, either affiliated or unaffiliated, groups to carry out the initial aspects of the attack. For example, threat actors will use affiliates to carry out certain stages of the attack, such as the spear-phishing campaigns, then employ other affiliates to deploy tools, such as Cobalt Strike. Attackers are weaponizing red-team tools for use in the later stages of their attack strategy. These types of tools, together with their leaked source code and suites of tools, including Cobalt Strike and Metasploit, are now being used by either threat actors or their affiliates to move laterally across the ecosystem and even deploy the ransomware payload.
"Crowd-sourced" hacking will increase in 2022 because the FBI and other law enforcement organizations are increasing the pressure on ransomware groups, and the use of affiliates and smaller groups to carry out certain aspects of the attack helps to increase the number of subjects and IP addresses to investigate. However, in my opinion, this only creates a false sense of security for the main threat actors.
As law enforcement actions by the FBI and their intelligence community partners across the globe become more assertive with threat actors, and increase the depth and breadth of their investigations and arrests and seize more ransomware proceeds, I believe ransomware groups will become more aggressive with victims, attempting to punish them even further for either contacting law enforcement or employing professional ransomware negotiators. I also think we'll see an increase in regulation of cryptocurrency clearinghouses and marketplaces, as well as unique utilization of law enforcement tools, such as the search warrants the FBI used in deleting web shells after the Nobelium
In 2022, the cybersecurity landscape will see more renaming and rebranding of ransomware groups. For example, the perceived rise and fall and re-branding of threat groups such as DarkSide and REvil into a newly minted group named BlackMatter. Further, in-fighting will occur as ransomware groups vie for power and credit, which could affect corporations, not unlike the 2021 situation where the Conti RaaS group published a Russian-language guide designed to instruct affiliates in how to conduct attacks.
The bottom line is that the ransomware epidemic is only going to get worse, and organizations should take care not to become complacent in their defense against it. Rather, organizations must continually improve and optimize their cybersecurity and cyber resilience plans, so that as ransomware evolves, so does their strategy to fight it.
James Turgal is the former executive assistant director for the FBI Information and Technology Branch (CIO). He now serves as Optiv Security's vice president, cyber risk, strategy and board relations. James has personally helped many companies respond to and recover from ransomware attacks and is well-versed in speaking with top-tier media.
on his two decades of experience in investigating and solving cybercrimes for the FBI. He was instrumental in the creation of the FBI's Terrorist Watch and