The Ransomware Threat Landscape: What to Expect in 2022
Targeted ransomware continues to grow as TTPs evolve and new threat actors emerge
Ransomware continued to be the most significant cyber threat facing enterprises during 2021. While ransomware gangs are currently experiencing a period of turmoil and disruption, there is no guarantee that the threat posed by ransomware will abate in 2022, since similar disruptions in the past were usually followed by the emergence of new threats.
According to a new whitepaper published by the Symantec Threat Hunter team, part of Broadcom Software, targeted ransomware attacks continued to trend upwards in 2021, almost trebling between the first and final quarters of the year.
New Threats
One of the main developments during 2021 was the disappearance of established threat actors and the emergence of new groups to take their place. Of the major ransomware threats operating at the beginning of 2021, only Conti continued to remain active at year end.
During 2021, a number of high-profile ransomware operations disappeared. These included Leafroller (aka Sodinokibi, REvil), Coreid (Darkside and Blackmatter), and Avaddon.
However, a number of new actors have emerged to take their place. LockBit expanded rapidly following the departure of some of its rivals, while several new threats such as Pinion (Hive) and Sirex (AvosLocker) became quite active.
Symantec Enterprise Blogs
Evolving TTPs
One of the key trends noted in this research is the constantly evolving set of tools, tactics, and procedures (TTPS) employed by ransomware attackers. New TTPs emerge regularly as attackers bid to stay one step ahead of network defenders.
Ransomware groups these days now employ quite a diverse toolset, making use of a mixture custom malware, legitimate software, and operating system features (also known as living off the land).
| TTP | Percentage |
|---|---|
| PsExec | 34% |
| Cobalt Strike | 18% |
| Mimikatz | 11% |
| VssAdmin | 10% |
| NetScan | 7% |
| BITSAdmin | 4% |
| AdFind | 5% |
| Nsudo | 5% |
| PowerShell | 5% |
| MSIExec | 4% |
| WEIRDLOOP | 3% |
This diverse toolset is evident in the ten most frequently employed TTPs Symantec’s Threat Hunter Team found in ransomware investigations. The most frequently used tool, PsExec, is a Windows operating system feature that is often abused by attackers for executing processes on other systems. The next most frequently used tool was Cobalt Strike, which is off-the-shelf malware ostensibly sold as a penetration testing tool but is most frequently seen being used for malicious purposes.
New TTPs seen during the latter half of 2021 include abuse of VssAdmin, a legitimate Windows process that can be used to manage or delete shadow copies on Windows machines; along with abuse of MSIExec, a legitimate Windows installer that can be used by attackers to load malicious payloads onto targeted machines.
This was just a sample of the content in our latest whitepaper. Read the full paper for more insights into the ransomware threat landscape.
Protection/Mitigation
For the latest protection updates, please visit the Symantec Protection Bulletin.
Symantec Enterprise Blogs
Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
Espionage tool is the most advanced piece of malware Symantec researchers have seen from China-linked actors.
Symantec Enterprise Blogs
Ukraine: Disk-wiping Attacks Precede Russian Invasion
Destructive malware deployed against targets in Ukraine and other countries in the region in the hours prior to invasion.
We encourage you to share your thoughts on your favorite social platform.