Zscaler Blog

Security Research

The 2022 ThreatLabz State of Ransomware Report

Ransomware attacks increased by yet another 80% between February 2021 and March 2022, based on an analysis of ransomware payloads seen across the Zscaler cloud. Double-extortion attacks, which include data exfiltration in addition to encryption, are rising even faster at 117% year-over-year.

The 2022 ThreatLabz State of Ransomware report breaks down a year’s worth of intelligence from a variety of sources, including over 200B daily transactions and 150M daily blocked threats across the Zscaler Zero Trust Exchange, and shows that ransomware is becoming even more attractive to criminals. Attackers are able to wage increasingly profitable campaigns based on three major trends: 

  • Supply chain attacks that exploit trusted vendor relationships to breach organizations and multiply the damage by letting threat actors hit many victims (sometimes hundreds or thousands) at the same time.
  • Ransomware-as-a-service (RaaS) that uses affiliate networks to distribute ransomware at scale, allowing hackers who specialize in breaching networks to share profits with the most advanced ransomware groups.
  • Multi-extortion attacks that layer data theft, distributed denial of service (DDoS) attacks, direct communication with the victim's customers, and more on top of encryption to increase ransom payouts. Supply chain attacks, RaaS ecosystems, and multi-extortion tactics have all increased both the volume and the success rate of attacks.

In this report, ThreatLabz takes a comprehensive look at the ransomware threat landscape, with trending data, predictions, and defense guidance. The report includes a deep dive into the attack sequences, victim profiles, and business impact of the top 11 ransomware families, including:

  • Conti   
  • LockBit   
  • PYSA/Mespinoza   
  • REvil/Sodinokibi   
  • Avaddon   
  • Clop   
  • Grief   
  • Hive   
  • BlackByte   
  • AvosLocker   
  • BlackCat/ALPHV

[Figure: Percentage change in double-extortion attacks by industry]

Key Findings

  • Ransomware attacks increased by 80% year-over-year, based on an analysis of all ransomware payloads observed in the Zscaler cloud.
  • Double-extortion ransomware increased by 117%. Some industries saw particularly high growth in double-extortion attacks, including healthcare (643%), food service (460%), mining (229%), education (225%), media (200%), and manufacturing (190%).
  • Manufacturing was the most targeted industry for the second straight year, making up almost 20% of double-extortion ransomware attacks.
  • Supply chain ransomware attacks are on the rise. Exploiting trusted suppliers lets attackers breach a large number of organizations at once, including organizations that otherwise have strong protections against external attacks. Supply chain ransomware attacks of the past year include damaging campaigns against Kaseya and Quanta as well as a number of attacks exploiting the Log4j vulnerability.
  • Ransomware-as-a-service is driving more attacks. Ransomware groups continue to recruit affiliates through underground criminal forums. These affiliates compromise large organizations and deploy the group's ransomware, typically in exchange for about 80% of the ransom payments received from victims. Most (8 of 11) of the top ransomware families of the past year have commonly proliferated via ransomware-as-a-service models.
  • Law enforcement is cracking down. A number of last year's top ransomware families, particularly those targeting critical services, attracted attention from law enforcement agencies around the world. Three of the most infamous ransomware families of the past two years had assets seized by law enforcement in 2021.
  • Ransomware families aren't going away; they're rebranding. Feeling increased heat from law enforcement, many ransomware groups have disbanded and reformed under new banners, where they use the same (or very similar) tactics.
  • The Russia-Ukraine conflict has the world on high alert. Several attacks have been associated with the Russia-Ukraine conflict, some combining multiple tactics, such as the HermeticWiper wiper deployed alongside PartyTicket ransomware. So far, most of this activity has targeted Ukraine. However, government agencies have warned organizations to be prepared for more widespread attacks as the conflict persists.
  • Zero trust remains the best defense. To minimize the chance of a breach and the damage a successful attack can cause, your organization must use defense-in-depth strategies that include reducing your attack surface, enforcing least-privilege access control, and continuously monitoring and inspecting data across your environment.

How to protect yourself against ransomware

Whether it is a simple ransomware attack, a double- or triple-extortion attack, a self-contained threat family, or a RaaS attack executed by an affiliate network, the defense strategy is the same: apply the principles of zero trust to limit vulnerabilities, prevent and detect attacks, and contain the blast radius of successful breaches. Here are some best-practice recommendations to safeguard your organization against ransomware:

  1. Get your applications off the internet. Ransomware actors start their attacks by performing reconnaissance on your environment, looking for vulnerabilities to exploit, and calibrating their approach. The more applications you have published to the internet, the easier you are to attack. Use a zero trust architecture to secure internal applications, making them invisible to attackers.
  2. Enforce a consistent security policy to prevent initial compromise. With a distributed workforce, it is important to implement a security service edge (SSE) architecture that can enforce consistent security policy no matter where your users are working (in the office or remotely).
  3. Use sandboxing to detect unknown payloads. Signature-based detection is not enough in the face of rapidly changing ransomware variants and payloads. Protect against unknown and evasive attacks with an inline, AI-powered sandbox that analyzes the behavior of a file rather than its packaging.
  4. Implement a zero trust network access (ZTNA) architecture. Implement granular user-to-application and application-to-application segmentation, brokering access with dynamic least-privilege access controls so that a compromised user or workload cannot move laterally. This minimizes the data that can be encrypted or stolen, reducing the blast radius of an attack.
  5. Deploy inline data loss prevention. Prevent exfiltration of sensitive information with inline data loss prevention tools and policies to thwart double-extortion techniques.
  6. Keep software and training up to date. Apply security patches promptly and conduct regular security awareness training for employees to reduce the vulnerabilities that cybercriminals can exploit.
  7. Have a response plan. Prepare for the worst with cyber insurance, a data backup plan, and an incident response plan as part of your overall business continuity and disaster recovery program.

To maximize your chances of defending against ransomware, you must embrace layered defenses that can disrupt the attack at each stage—from reconnaissance to initial compromise, lateral movement, data theft, and ransomware execution.
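Step 3 above argues for behavioral rather than signature-based detection, and the paragraph above lists the attack stages a layered defense should cover. The following Python script is an added example, not code from the report or from any Zscaler product: it runs three behavioral rules over constructed endpoint telemetry to flag shadow-copy tampering, a burst of file renames to one new extension across many directories (the execution stage), and bulk outbound transfer from one process to a single destination (the data-theft stage). The Event record format, the thresholds, the host name, PIDs, paths and the destination address are all assumptions made for the example.

```python
"""Behavioral ransomware detection over constructed endpoint telemetry (example only)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One telemetry record. The format is an assumption for this example."""
    ts: float    # seconds
    host: str
    pid: int
    kind: str    # "proc": process start, "file": rename, "net": outbound flow
    detail: str  # proc: command line; file: "rename OLD -> NEW"; net: "out bytes=N dst=HOST"


# Commands ransomware commonly runs to destroy local recovery options before encrypting.
SHADOW_TAMPER = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(?:\.exe)?\s+.*recoveryenabled\s+no",
    re.IGNORECASE,
)
RENAME = re.compile(r"^rename (?P<old>.+?) -> (?P<new>.+)$")
NET_OUT = re.compile(r"^out bytes=(?P<bytes>\d+) dst=(?P<dst>\S+)$")


def detect(events, window=60.0, min_renames=50, min_dirs=5, exfil_bytes=500 * 1024 * 1024):
    """Return (host, pid, rule, evidence) tuples. Threshold defaults are assumptions."""
    findings = []
    renames = defaultdict(list)   # (host, pid) -> [(ts, old_path, new_path)]
    out_bytes = defaultdict(int)  # (host, pid, dst) -> total bytes sent

    for e in events:
        if e.kind == "proc" and SHADOW_TAMPER.search(e.detail):
            findings.append((e.host, e.pid, "shadow_copy_tampering", e.detail))
        elif e.kind == "file" and (m := RENAME.match(e.detail)):
            renames[(e.host, e.pid)].append((e.ts, m["old"], m["new"]))
        elif e.kind == "net" and (m := NET_OUT.match(e.detail)):
            out_bytes[(e.host, e.pid, m["dst"])] += int(m["bytes"])

    # Rule: many renames by one process, across many directories, all to one new
    # extension, inside a sliding time window. Normal tools rename few files or keep
    # the extension; encryptors produce exactly this pattern.
    for (host, pid), items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            if len(span) < min_renames:
                continue
            dirs = {ntpath.dirname(old) for _, old, _ in span}
            new_exts = {ntpath.splitext(new)[1].lower() for _, _, new in span}
            if len(dirs) >= min_dirs and len(new_exts) == 1:
                findings.append((host, pid, "mass_encryption",
                                 f"{len(span)} renames to {new_exts.pop()} across {len(dirs)} dirs"))
                break  # one finding per process is enough

    # Rule: large outbound volume from one process to one destination (staging for
    # double extortion). A real deployment would baseline this per host and destination.
    for (host, pid, dst), total in out_bytes.items():
        if total >= exfil_bytes:
            findings.append((host, pid, "bulk_exfiltration", f"{total} bytes to {dst}"))
    return findings


def sample_telemetry():
    """Constructed telemetry: an encryptor (pid 4242), a benign build tool (pid 1001)
    and an exfiltration tool (pid 7777) on one host. Host name, PIDs, paths and the
    destination address are invented for the example."""
    host = "WS-FIN-07"
    events = [Event(0.0, host, 4242, "proc", "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet")]
    for i in range(120):
        d = f"C:\\Users\\alice\\Documents\\proj{i % 10}"
        events.append(Event(1.0 + i * 0.2, host, 4242, "file",
                            f"rename {d}\\report{i}.docx -> {d}\\report{i}.docx.locked"))
    for i in range(3):
        events.append(Event(5.0 + i, host, 1001, "file",
                            f"rename C:\\Temp\\build{i}.tmp -> C:\\Temp\\build{i}.obj"))
    for i in range(6):
        events.append(Event(10.0 + i, host, 7777, "net",
                            f"out bytes={100 * 1024 * 1024} dst=203.0.113.5"))
    return events


if __name__ == "__main__":
    for finding in detect(sample_telemetry()):
        print(finding)
```

Running the script reports three findings for the constructed host: shadow-copy tampering and mass encryption by pid 4242, and bulk exfiltration by pid 7777; the benign build tool renaming three files is not flagged. The rename rule keys on behavior that an encryptor cannot avoid (touching many files in many directories and changing their extension), which is why it survives repacking of the payload in a way a file signature does not; the thresholds are the knobs to tune against your own baseline.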


The Zscaler Zero Trust Exchange is a leading security service edge (SSE) platform, delivering unmatched ransomware protection across every stage of the attack chain to dramatically reduce your chance of being attacked and mitigate potential damages.

Zscaler natively integrates industry-leading zero trust capabilities that:

  • Minimize the attack surface: Zscaler’s cloud native proxy-based architecture reduces the attack surface by making internal apps invisible to the internet, thus eliminating potential attack vectors. 
  • Prevent compromise: Zscaler delivers full inspection and authentication of all traffic, including encrypted traffic, to keep malicious actors out, leveraging tools such as browser isolation and inline sandboxing to protect users from unknown and evasive threats.
  • Eliminate lateral movement: Zscaler safely connects users and entities directly to applications—not networks—to eliminate the possibility of lateral movement, and surrounds your crown jewel applications with realistic decoys for good measure.
  • Stop data loss: Zscaler inspects all traffic outbound to cloud applications to prevent data theft, and uses cloud access security broker (CASB) capabilities to identify and remediate vulnerabilities in data at rest.

To learn more about today’s top ransomware threats and how to protect your organization against them, download a free copy of “The 2022 ThreatLabz State of Ransomware Report.”

 

About ThreatLabz

ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.

 

Stay updated on ThreatLabz research by subscribing to our Trust Issues newsletter today.
