2022 Cyber Security Trends: Ransomware, Extortion, and State Espionage

By Jamie Collier, Senior Threat Intelligence Consultant at Mandiant

2021 will be remembered as a significant year for the cyber security industry. With the pandemic accelerating digital transformation, the threat landscape was in constant flux. Major ransomware attacks demonstrated not just their impact on businesses, but wider society too. As we look ahead to 2022, the only constant in our industry is uncertainty in the cyber realm, but here are a few of our predictions for next year, based on trends we’re already seeing emerge.

Ransomware 

The threat of ransomware has increased substantially over the last ten years and intelligence suggests it will continue its upward trend. Given the ever-increasing threat of ransomware and the limited ability of current legislation to hold attackers accountable, the business of ransomware will remain extremely lucrative for the foreseeable future.

Many ransomware actors operate from locations outside the jurisdiction of international cyber security or extradition treaties from the countries they attack and thus face little or no repercussions for their actions. As such, we expect to see more attacks coming from these groups targeting critical industries, such as law enforcement agencies and healthcare, where the urgency to pay is pitted against the well-being of civilian populations.

Over the next twelve months it is expected that ransomware victims will continue to pay out millions in attempts to keep their stolen data from being published or rendered unusable. However, as these operations are often carried out by multiple actors, each one performing a specific element of the attack for a fee or a cut of the proceeds, it is becoming more common that some or all of that data gets shared during the operation due to conflict between these actors. The more this occurs, the more organisations will have to rethink the way they deal with ransomware attacks.

Multifaceted extortion

Multifaceted extortion is just another tactic employed by cyber criminals to extort payments from victims, which we expect more of in 2022. Traditional ransomware attacks are regularly being combined with data theft operations (where ransomware operators will threaten to leak sensitive data unless a ransom is paid). However, a wide variety of additional extortionary tactics are now increasingly being used. This includes denial of service attacks, ransomware groups contacting media organisations to drum up press coverage of victims, or even directly calling and harassing employees. Our research suggests that attacks such as this are likely to increase, especially as threat actors find new ways to extort victims, such as trying to recruit insiders within their victims or targets.

With a variety of these extortionary tactics often deployed simultaneously, organisations will need to adopt more holistic strategies in responding to ransomware. In addition to the technical challenges of remediating a network, organisations will also need a communications strategy, covering both external and internal audiences, and a legal plan to deal with data leakage. Crucially, ransomware will increasingly test organisations’ ability to confront multiple challenges in tandem.

Victims that hire professional negotiation firms during a cyber-attack to help reduce the final amount of the extortion payment, are also expected to suffer greater consequences. Tactics such as this have already been seen in 2021 and they are expected to evolve as threat actors become more business aware as they improve their strategies and learn of the kind of situations their victims most want to avoid.

Outlook on major state espionage actors: The Big Four

Russia is expected to maintain an aggressive position as we move into the new year with a  persistent emphasis on targeting NATO, Eastern Europe, Ukraine, Afghanistan and the energy sector. The U.S. government attributed the SolarWinds supply chain compromise incident to Russia, reaffirming the country’s ability to achieve widespread impact and that the level of sophistication and scope of Russian operations will continue to expand. It is also anticipated that supply chain and software supply chain environments will continue to be targets for Russia in 2022.

Iran will utilise its extensive cyber tools to aggressively promote its regional interests. Information operations attributed by the U.S. to Iran in 2020 and 2021, revealed more forceful and destructive tactics than seen in previous years. Targets will likely continue to be Israel and others in the Middle East. Despite having seen Iran attack victims abroad, we expect it to engage in more internal operations to smother political dissent and  bolster its own interests throughout 2022.

China looks set to continue to be extremely aggressive, supporting the Belt and Road Initiative using cyber espionage. As the Ministry of State Security (MSS) and the People’s Liberation Army (PLA) have completed much of their restructuring, we will see Chinese operations narrow their focus. As geopolitical tensions continue to rise and attacks become increasingly advanced, it’s likely   we are going to see China flex some of their known but as-yet-unused destructive capabilities.

North Korea will remain a major player in state cyber operations as despite its geographical, international and financial challenges, it wields significant cyber tools. In the coming year we expect North Korea to flaunt their cyber capabilities to compensate for its lack of other instruments of national power. In 2021, The North Korean cyber structure will continue to promote the Kim regime by funding nuclear ambitions and assembling strategic intelligence.

Information operations

Information operations from a host of threat actors taking place within Europe will increasingly overlap with cyber security. Specific concerns related to these campaigns include website compromise, social media compromise, and data theft.

For example, the Ghostwriter information operations campaign, which has focused on sowing discord within Eastern Europe, has expanded its modus operandi to spread narratives via compromised social media accounts. The security of social media accounts is more important than ever, especially for prominent government officials and journalists. We have also observed at least some components of Ghostwriter influence activity conducted by UNC1151.

At Mandiant, we feel with a high degree of confidence that UNC1151 has links to Belarus. This is a group that has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany. UNC1151 therefore highlights the growing threat of emerging states. This will make it increasingly important to think beyond the usual suspects of Russia, China, North Korea, and Iran. We will also likely see the role of contractors grow as emerging states turn to third parties to ramp up their cyber capabilities as quickly as possible.

This highlights that the threat landscape is growing in complexity and 2022 could see additional states ramp up their appetite to conduct both cyber espionage and information operations. It is therefore vital that sectors facing an elevated threat from information operations, such as government and the media, implement a security strategy that offers a joined up approach between disinformation threats and cyber security.

Conclusion 

Attackers are constantly evolving: they are becoming more sophisticated and changing their approach. Ransomware and espionage activities will continue to pose a major threat and we will continue to see regional and international operations conducted by the Big Four states.

Despite these nascent trends, it is also worth remembering that much of the security landscape will remain constant. Good execution of the basics, keeping systems up-to-date, and looking out for misconfigurations in cloud and third party infrastructure will all go a long way to keeping organisations secure.

Organisations have a lot to keep in mind for next year, but staying vigilant will allow them to defend themselves against future threats – and respond to those that inevitably pass.

By Jamie Collier, Senior Threat Intelligence Consultant at Mandiant

2021 will be remembered as a significant year for the cyber security industry. With the pandemic accelerating digital transformation, the threat landscape was in constant flux. Major ransomware attacks demonstrated not just their impact on businesses, but wider society too. As we look ahead to 2022, the only constant in our industry is uncertainty in the cyber realm, but here are a few of our predictions for next year, based on trends we’re already seeing emerge.

Ransomware 

The threat of ransomware has increased substantially over the last ten years and intelligence suggests it will continue its upward trend. Given the ever-increasing threat of ransomware and the limited ability of current legislation to hold attackers accountable, the business of ransomware will remain extremely lucrative for the foreseeable future.

Many ransomware actors operate from locations outside the jurisdiction of international cyber security or extradition treaties from the countries they attack and thus face little or no repercussions for their actions. As such, we expect to see more attacks coming from these groups targeting critical industries, such as law enforcement agencies and healthcare, where the urgency to pay is pitted against the well-being of civilian populations.

Over the next twelve months it is expected that ransomware victims will continue to pay out millions in attempts to keep their stolen data from being published or rendered unusable. However, as these operations are often carried out by multiple actors, each one performing a specific element of the attack for a fee or a cut of the proceeds, it is becoming more common that some or all of that data gets shared during the operation due to conflict between these actors. The more this occurs, the more organisations will have to rethink the way they deal with ransomware attacks.

Multifaceted extortion

Multifaceted extortion is just another tactic employed by cyber criminals to extort payments from victims, which we expect more of in 2022. Traditional ransomware attacks are regularly being combined with data theft operations (where ransomware operators will threaten to leak sensitive data unless a ransom is paid). However, a wide variety of additional extortionary tactics are now increasingly being used. This includes denial of service attacks, ransomware groups contacting media organisations to drum up press coverage of victims, or even directly calling and harassing employees. Our research suggests that attacks such as this are likely to increase, especially as threat actors find new ways to extort victims, such as trying to recruit insiders within their victims or targets.

With a variety of these extortionary tactics often deployed simultaneously, organisations will need to adopt more holistic strategies in responding to ransomware. In addition to the technical challenges of remediating a network, organisations will also need a communications strategy, covering both external and internal audiences, and a legal plan to deal with data leakage. Crucially, ransomware will increasingly test organisations’ ability to confront multiple challenges in tandem.

Victims that hire professional negotiation firms during a cyber-attack to help reduce the final amount of the extortion payment, are also expected to suffer greater consequences. Tactics such as this have already been seen in 2021 and they are expected to evolve as threat actors become more business aware as they improve their strategies and learn of the kind of situations their victims most want to avoid.

Outlook on major state espionage actors: The Big Four

Russia is expected to maintain an aggressive position as we move into the new year with a  persistent emphasis on targeting NATO, Eastern Europe, Ukraine, Afghanistan and the energy sector. The U.S. government attributed the SolarWinds supply chain compromise incident to Russia, reaffirming the country’s ability to achieve widespread impact and that the level of sophistication and scope of Russian operations will continue to expand. It is also anticipated that supply chain and software supply chain environments will continue to be targets for Russia in 2022.

Iran will utilise its extensive cyber tools to aggressively promote its regional interests. Information operations attributed by the U.S. to Iran in 2020 and 2021, revealed more forceful and destructive tactics than seen in previous years. Targets will likely continue to be Israel and others in the Middle East. Despite having seen Iran attack victims abroad, we expect it to engage in more internal operations to smother political dissent and  bolster its own interests throughout 2022.

China looks set to continue to be extremely aggressive, supporting the Belt and Road Initiative using cyber espionage. As the Ministry of State Security (MSS) and the People’s Liberation Army (PLA) have completed much of their restructuring, we will see Chinese operations narrow their focus. As geopolitical tensions continue to rise and attacks become increasingly advanced, it’s likely   we are going to see China flex some of their known but as-yet-unused destructive capabilities.

North Korea will remain a major player in state cyber operations as despite its geographical, international and financial challenges, it wields significant cyber tools. In the coming year we expect North Korea to flaunt their cyber capabilities to compensate for its lack of other instruments of national power. In 2021, The North Korean cyber structure will continue to promote the Kim regime by funding nuclear ambitions and assembling strategic intelligence.

Information operations

Information operations from a host of threat actors taking place within Europe will increasingly overlap with cyber security. Specific concerns related to these campaigns include website compromise, social media compromise, and data theft.

For example, the Ghostwriter information operations campaign, which has focused on sowing discord within Eastern Europe, has expanded its modus operandi to spread narratives via compromised social media accounts. The security of social media accounts is more important than ever, especially for prominent government officials and journalists. We have also observed at least some components of Ghostwriter influence activity conducted by UNC1151.

At Mandiant, we feel with a high degree of confidence that UNC1151 has links to Belarus. This is a group that has targeted a wide variety of governmental and private sector entities, with a focus in Ukraine, Lithuania, Latvia, Poland, and Germany. UNC1151 therefore highlights the growing threat of emerging states. This will make it increasingly important to think beyond the usual suspects of Russia, China, North Korea, and Iran. We will also likely see the role of contractors grow as emerging states turn to third parties to ramp up their cyber capabilities as quickly as possible.

This highlights that the threat landscape is growing in complexity and 2022 could see additional states ramp up their appetite to conduct both cyber espionage and information operations. It is therefore vital that sectors facing an elevated threat from information operations, such as government and the media, implement a security strategy that offers a joined up approach between disinformation threats and cyber security.

Conclusion 

Attackers are constantly evolving: they are becoming more sophisticated and changing their approach. Ransomware and espionage activities will continue to pose a major threat and we will continue to see regional and international operations conducted by the Big Four states.

Despite these nascent trends, it is also worth remembering that much of the security landscape will remain constant. Good execution of the basics, keeping systems up-to-date, and looking out for misconfigurations in cloud and third party infrastructure will all go a long way to keeping organisations secure.

Organisations have a lot to keep in mind for next year, but staying vigilant will allow them to defend themselves against future threats – and respond to those that inevitably pass.