Critical Infrastructure

Chris Swagler | February 22nd, 2022


Cybersecurity authorities from around the world have observed a surge of sophisticated, high-impact ransomware attacks, which prompted a joint warning for critical infrastructure providers. The Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC) issued a Joint Cybersecurity Advisory stating that 14 of the 16 U.S. critical infrastructure sectors, including the Defense, Emergency Services, Food and Agriculture, Government, and Information Technology (IT) sectors, were hit by ransomware. Similar findings were acknowledged by the ACSC and NCSC.

Warning Critical Infrastructure Providers About Surge in Ransomware

All of these government agencies view ransomware as the biggest cyber threat against critical infrastructure institutions, with education being the top target of threat actors, followed by businesses, charities, law firms, and public services in the local government and health sectors. Ransomware tactics, techniques, and procedures continue to evolve, demonstrating ransomware operators’ growing technological sophistication and an increased ransomware threat to organizations worldwide.

The aforementioned cybersecurity authorities provided a list of troubling behaviors and trends among cybercriminals:

  • Accessing networks through phishing, stolen Remote Desktop Protocol (RDP) credentials, brute force, and exploiting vulnerabilities. Once ransomware threat actors gain code execution on devices or access to a network, they can deploy ransomware.
  • Cybercriminal services-for-hire. The ransomware market is increasingly more professional as the criminal business model is well established. With the increasing use of Ransomware-as-a-Service (RaaS), threat actors employ independent services to negotiate payments, assist victims with making payments, and arbitrate payment disputes between themselves and other cybercriminals. Authorities have seen ransomware threat actors offering victims 24/7 help center services to expedite ransom payment and restore encrypted systems or data.
  • Sharing victim information. Ransomware groups frequently share victim information with each other in an effort to diversify threats to target organizations. The BlackMatter ransomware group transferred its existing victims to infrastructure owned by LockBit 2.0, and Conti ransomware actors sold access to victims’ networks, allowing follow-on attacks by other cyber threat actors.
  • Shifting away from “big-game” hunting in the United States. Cybersecurity authorities from the United States and Australia have seen ransomware threat actors targeting “big game” organizations in several high-profile incidents. However, U.S. authorities disrupted ransomware groups, thus forcing threat actors to redirect their efforts away from “big-game” and toward mid-sized victims to reduce scrutiny. ACSC and NCSC-UK have seen ransomware groups continuously targeting Australian and UK organizations.
  • Diversifying approaches to extorting money. After encrypting the networks, ransomware threat actors are using triple extortion tactics threatening victims that they will publicly release stolen sensitive information, disrupt the victim’s internet access, and/or inform victims’ partners, shareholders, or suppliers about the incident. The ACSC is continuously observing “double extortion” incidents by threat actors using a combination of encryption and data theft to pressure victims into paying ransom demands.

Ransomware groups are increasing their impact by:

  • Targeting the cloud. Ransomware developers are targeting cloud infrastructure by exploiting known vulnerabilities in cloud applications, virtual machine software, and virtual machine orchestration software. Additionally, ransomware threat actors are targeting cloud accounts, cloud application programming interfaces (APIs), and data backup and storage systems, denying access to cloud resources and encrypting data. Threat actors are not exploiting weaknesses to gain direct access; instead, they are compromising local (on-premises) devices to reach cloud storage systems, moving laterally to the cloud systems, and targeting cloud service providers to encrypt large amounts of customer data.
  • Targeting managed service providers (MSPs). Ransomware threat actors are targeting MSPs because they have widespread and trusted access to client organizations. By compromising an MSP, ransomware threat actors can reach multiple victims through a single initial compromise. Cybersecurity authorities in the US, Australia, and the UK assess that there will be an increase in ransomware incidents in which threat actors target MSPs to reach their clients.
  • Attacking the software supply chain. Ransomware threat actors are targeting global software supply chain entities to compromise and extort their customers. By accessing multiple victims through a single initial compromise, ransomware threat actors can increase their attack scale when targeting software supply chains.
  • Targeting organizations on holidays and weekends. The FBI and CISA have seen cybercriminals launching impactful attacks against U.S. companies on holidays and weekends. Ransomware threat actors see holidays and weekends as attractive timeframes because offices are closed and victim organizations have fewer network defenders and IT support personnel on hand.
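Two of the trends above, password guessing against exposed RDP and attacks timed for weekends and holidays, are ones a defender can turn into a concrete detection. The following is an added example, not code from the advisory or from SpearTip: it scans Windows-style failed-logon records (Event ID 4625 with logon type 10, the RemoteInteractive type used by RDP) for bursts of failures from one source and marks whether the burst landed outside normal staffing. The log format, IP addresses, account names and holiday calendar are all constructed for the example.

```python
"""Added example: flag RDP password-guessing bursts in failed-logon records
and note when they fall on a weekend or holiday. All data is constructed."""
from collections import defaultdict, deque
from datetime import date, datetime

# Constructed sample records (not real telemetry). Fields, space separated:
# timestamp, EventID (4625 = failed logon, 4624 = successful logon),
# source IP, target account, logon type (10 = RemoteInteractive, i.e. RDP).
SAMPLE_LOG = """\
2022-02-19T02:14:05 4625 203.0.113.7 administrator 10
2022-02-19T02:14:06 4625 203.0.113.7 admin 10
2022-02-19T02:14:08 4625 203.0.113.7 backup 10
2022-02-19T02:14:09 4625 203.0.113.7 svc_sql 10
2022-02-19T02:14:11 4625 203.0.113.7 jsmith 10
2022-02-19T02:14:12 4625 203.0.113.7 helpdesk 10
2022-02-21T09:03:40 4625 198.51.100.23 mjones 10
2022-02-21T09:05:12 4624 198.51.100.23 mjones 10
2022-02-22T14:20:00 4625 192.0.2.44 tlee 2
"""

# Constructed holiday calendar for the example (2022-02-21 is a US Monday holiday).
HOLIDAYS = {date(2022, 2, 21)}


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, event_id, src, user, logon_type = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "src": src,
        "user": user,
        "logon_type": int(logon_type),
    }


def is_off_hours(ts, holidays=HOLIDAYS):
    """True on Saturday/Sunday or on a listed holiday: fewer defenders watching."""
    return ts.weekday() >= 5 or ts.date() in holidays


def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=60, holidays=HOLIDAYS):
    """Return one alert per source IP whose RDP logon failures (4625, type 10)
    reach `threshold` inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # src IP -> (timestamp, account) within window
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue  # only failed RDP logons feed the counter
        window = recent[ev["src"]]
        window.append((ev["ts"], ev["user"]))
        # Drop failures that have aged out of the sliding window.
        while (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {
                "src": ev["src"],
                "failures": len(window),
                "accounts": sorted({user for _, user in window}),
                "first_seen": window[0][0].isoformat(),
                "off_hours": is_off_hours(ev["ts"], holidays),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        flag = "OFF-HOURS " if alert["off_hours"] else ""
        print(f"{flag}RDP brute force from {alert['src']}: "
              f"{alert['failures']} failures, accounts {alert['accounts']}")
```

Run against the constructed sample, the single user who mistypes a password once on the Monday holiday and the non-RDP failure on Tuesday produce nothing, while the Saturday burst that walks through several account names from one address is reported and flagged as off-hours. The off-hours flag is the practical point: an alert that fires when the on-call roster is thinnest deserves a paging route, not a queue reviewed on Monday.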

The advisory confirms that companies are facing an increased level of risk associated with ransomware threats. The cybersecurity authorities expect this highly sophisticated industry to continue to grow as long as victims continue to make ransom payments. With highly professional ransomware-as-a-service operators emerging, the barrier to entry for cybercriminals has never been lower. That’s why it’s important for companies in the critical infrastructure sector to remain vigilant in the current threat landscape and always keep their network security updated. At SpearTip, our certified engineers are working in a continuous investigative cycle, monitoring companies’ networks for potential ransomware threats, and are ready to respond to incidents at a moment’s notice. SpearTip’s ShadowSpear, our endpoint detection and response tool, can integrate with even the most complex networks and works with IT and OT technology to ensure critical infrastructure supplies and processes remain operable.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
