• Home
  • /
  • Malware
  • /
  • Sophos 2022 Threat Report: Gravitational force of ransomware black hole pulls in other cyber threats to create one massive, interconnected ransomware delivery system

Sophos 2022 Threat Report: Gravitational force of ransomware black hole pulls in other cyber threats to create one massive, interconnected ransomware delivery system

The in-depth report identifies trends in ransomware services, commodity malware, attack tools, crypto-miners and more that are impacting IT security.

Oxford, U.K., 19 Nov 2021
Read time 5min 50sec

Sophos, a global leader in next-generation cyber security, today published the Sophos 2022 Threat Report, which shows how the gravitational force of ransomware’s black hole is pulling in other cyber threats to form one massive, interconnected ransomware delivery system – with significant implications for IT security. The report, written by SophosLabs security researchers, Sophos Managed Threat Response threat hunters and rapid responders, and the Sophos AI team, provides a unique multi-dimensional perspective on security threats and trends facing organisations in 2022.

The Sophos 2022 Threat Report analyses the following key trends:

1. Over the coming year, the ransomware landscape will become both more modular and more uniform, with attack “specialists” offering different elements of an attack “as a service” and providing playbooks with tools and techniques that enable different adversary groups to implement very similar attacks. According to Sophos researchers, attacks by single ransomware groups gave way to more ransomware as a service (RaaS) offerings during 2021, with specialist ransomware developers focused on hiring out malicious code and infrastructure to third-party affiliates. Some of the most high-profile ransomware attacks of the year involved RaaS, including an attack against Colonial Pipeline in the US by a DarkSide affiliate. An affiliate of Conti ransomware leaked the implementation guide provided by the operators, revealing the step-by-step tools and techniques that attackers could use to deploy the ransomware.

Once they have the malware they need, RaaS affiliates and other ransomware operators can turn to initial access brokers and malware delivery platforms to find and target potential victims. This is fuelling the second big trend anticipated by Sophos.

2. Established cyber threats will continue to adapt to distribute and deliver ransomware. These include loaders, droppers and other commodity malware; increasingly advanced, human-operated initial access brokers; spam; and adware. In 2021, Sophos reported on Gootloader operating novel hybrid attacks that combined mass campaigns with careful filtering to pinpoint targets for specific malware bundles.

3. The use of multiple forms of extortion by ransomware attackers to pressure victims into paying the ransom is expected to continue and increase in range and intensity. In 2021, Sophos incident responders catalogued 10 different types of pressure tactics, from data theft and exposure to threatening phone calls, distributed denial of service (DDOS) attacks and more.

4. Crypto-currency will continue to fuel cyber crimes such as ransomware and malicious crypto-mining, and Sophos expects the trend will continue until global crypto-currencies are better regulated. During 2021, Sophos researchers uncovered crypto-miners such as Lemon Duck and the less common MrbMiner, taking advantage of the access provided by newly reported vulnerabilities and targets already breached by ransomware operators to install crypto-miners on computers and servers.

“Ransomware thrives because of its ability to adapt and innovate,” said Chester Wisniewski, principal research scientist at Sophos. “For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers. This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies and negotiators. They’re now offloading to others the tasks of finding victims, installing and executing the malware, and laundering the pilfered crypto-currencies. This is distorting the cyber threat landscape, and common threats, such as loaders, droppers, and initial access brokers that were around and causing disruption well before the ascendancy of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware.

“It is no longer enough for organisations to assume they’re safe by simply monitoring security tools and ensuring they are detecting malicious code. Certain combinations of detections or even warnings are the modern equivalent of a burglar breaking a flower vase while climbing in through the back window. Defenders must investigate alerts, even ones which in the past may have been insignificant, as these common intrusions have blossomed into the foothold necessary to take control of entire networks."

Additional trends Sophos analysed include:

  • After the ProxyLogon and ProxyShell vulnerabilities were discovered (and patched) in 2021, the speed at which they were seized upon by attackers was such that Sophos expects to see continued attempts to mass-abuse IT administration tools and exploitable internet-facing services by both sophisticated attackers and run-of-the-mill cyber criminals.
  • Sophos also expects cyber criminals to increase their abuse of adversary simulation tools, such as Cobalt Strike Beacons, mimikatz and PowerSploit. Defenders should check every alert relating to abused legitimate tools or combination of tools, just as they would check a malicious detection, as it could indicate the presence of an intruder in the network.
  • In 2021, Sophos researchers detailed a number of new threats targeting Linux systems and expect to see a growing interest in Linux-based systems during 2022, both in the cloud and on web and virtual servers.
  • Mobile threats and social engineering scams, including Flubot and Joker, are expected to continue and diversify to target both individuals and organisations.
  • The application of artificial intelligence to cyber security will continue and accelerate, as powerful machine learning models prove their worth in threat detection and alert prioritisation. At the same time, however, adversaries are expected to make increasing use of AI, progressing over the next few years from AI-enabled disinformation campaigns and spoof social media profiles to watering-hole attack web content, phishing e-mails and more as advanced deepfake video and voice synthesis technologies become available.

To learn more about the threat landscape in 2021 and what this means for IT security in 2022, read the full Sophos 2022 Threat Report.

Additional content for the Sophos 2022 Threat Report:

  • Video of the headline findings, presented by Chester Wisniewski, principal research scientist, Sophos
  • An article on SophosLabs Uncut recapping the report sections
  • A Sophos News opinion piece by Wisniewski on the ransomware turf wars
  • A Naked Security article introducing the report

Additional resources

  • Tactics, techniques, and procedures (TTPs) and more for different types of threats are available on SophosLab Uncut, which provides Sophos’ latest threat intelligence
  • Information on attacker behaviors, incident reports and advice for security operations professionals is available on Sophos News SecOps
  • Learn more about Sophos’ Rapid Response service that contains, neutralizes and investigates attacks 24/7
  • The four top tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response Team

Read the latest security news and views on Sophos’ award-winning news website Naked Security and on Sophos News

See also