CISA Observes Increased Critical Infrastructure Ransomware Threats

February 11, 2022 - A joint advisory by cybersecurity authorities in the US, Australia, and the United Kingdom underscored increasing critical infrastructure ransomware threats that will likely continue to grow in the coming months and years.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) observed ransomware attacks against 14 of the 16 US critical infrastructure sectors last year.

“Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally,” the advisory stated.

The advisory provided information on ransomware trends and prevention tactics for organizations across the world to mitigate threats and spread awareness. The healthcare and public health sector, one of the 16 US critical infrastructure sectors, was hit especially hard by ransomware in 2021. Most of the largest healthcare data breaches of the year (by the number of victims impacted) resulted from orchestrated cyberattacks.

The CISA advisory found that phishing, vulnerability exploitation, and stolen Remote Desktop Protocols (RDP) credentials were the most common attack methods used by ransomware actors in 2021. In addition, Ransomware-as-a-Service (RaaS) continued to grow in popularity.

“The market for ransomware became increasingly ‘professional’ in 2021, and the criminal business model of ransomware is now well established,” the advisory stated.

“In addition to their increased use of ransomware-as-a-service (RaaS), ransomware threat actors employed independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other [cybercriminals].”

Threat actors shifted away from high-profile targets in favor of mid-sized victims, creating less media and government backlash. This trend was especially true in healthcare, where threat actors targeted smaller outpatient facilities and business associates rather than major hospitals and health systems.

The advisory also noted that “if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model.”

While the FBI discourages giving in to ransom demands, it can be difficult for healthcare organizations to decide between giving threat actors what they want or potentially risking patient safety.

Experts observed ransomware groups targeting the cloud, managed service providers, and the software supply chain throughout 2021. In addition, holidays and weekends proved popular among threat actors who aimed to target organizations when they least expected it.

CISA and its partners provided dozens of mitigation recommendations to help organizations tackle ransomware threats. Organizations should regularly update operating systems and software, and those using RDP or other at-risk services should enable strict security controls.

Organizations across all sectors should require multifactor authentication (MFA), implement security training programs, and protect cloud storage by keeping reliable data backups.

It is crucial to reduce credential exposure, maintain a principle of least privilege, and implement endpoint security controls. While ransomware attacks may never be completely preventable, following industry standards and security best practices are essential to safeguarding data and protecting critical infrastructure from financially motivated threat actors.