Trellix: Business Services Top Target of Ransomware Attacks

Trellix has released The Threat Report: Summer 2022, analysing cybersecurity trends and attack methods from the first quarter of 2022.

The report also features research from Trellix Threat Labs into connected healthcare and access control systems. It also includes analysis of email security trends and details the evolution of Russian cybercrime related to the conflict in Ukraine where new malware or methods have yet to be observed. Findings from the research point to:

• Increased Threats to Business Services: Companies providing IT, finance and other types of consulting and contract services were targeted by adversarial actors more often, demonstrating cybercriminals desire to disrupt multiple companies with one attack.
• Ransomware Evolution: Following the January arrests of members of the REvil ransomware gang, payouts to attackers declined. Trellix also observed ransomware groups building lockers targeting virtualisation services with varied success. Leaked chats from the quarter’s second most active ransomware gang, Conti, which publicly expressed allegiance to the Russian administration, seem to confirm the government is directing cybercriminal enterprises.
• Email Security Trends: Telemetry analysis revealed phishing URLs and malicious document trends in email security. Most malicious emails detected contained a phishing URL used to steal credentials or lure victims to download malware. Trellix also identified emails with malicious documents and executables like infostealers and trojans attached.

Key statistics from the report include:

• Globally, the telecoms sector led the customer sector ransomware category with 53% of detection among top-10 sectors for the second consecutive quarter. The sector was followed by Business Services, Media & Communications, Finance and Transportation & Shipping.
• The most active nation-state actor in the quarter was APT36, an advanced persistent threat actor expected to be backed by the Pakistani government and primarily targeting defense organizations in India, followed by China’s APT27 and Russia’s APT28 and APT29.
• Cobalt Strike was the malware tool used most broadly, accounting for 32% of U.S. and 30% of global ransomware detections, and 22% of APT detections.
• Ransomware Family detections were down in Q1 of 2022. Lockbit accounted for 20% of top-10 ransomware tool queries, followed by Conti (17%), and Cuba (14%) in Q4 of 2021. However, queries of all three Q4 category prevalence leaders – Lockbit (-44%), Conti (-37%), and Cuba (-55%) – decreased in Q1 of 2022 when compared to Q4 of 2021.
• Living off the Land continues to grow with Windows Command Shell/CMD leveraged in 41% of LotL attacks.
• Turkey is most targeted by nation-state actors (31%)
• Russia recorded a 490% highest increase of incidents from Q4 2021 to Q1 2022.

“With the merging of our digital and physical worlds, cyberattacks cause more chaos in our daily lives,” said Christiaan Beek, Lead Scientist and Senior Principal Engineer, Trellix. “Adversaries know they are being watched closely; the absence of new tactics observed in the wild during the war in Ukraine tells us tools are being held back. Global threat actors have novel cyber artillery ready to deploy in case of escalation and organisations need to remain vigilant.”

“Looking at the findings and data from the latest Trellix report, it is clear that the first quarter of 2022 was more about evolution than revolution. With business services becoming a key focus for criminals, and tried and tested social engineering attacks like phishing continuing to be criminals’ attack vector of choice, it is imperative for businesses to deploy an XDR architecture that is always learning and adapting, so they can remain resilient with advanced detection, response, and remediation capabilities,” added Vibin Shaju, General Manager – UAE, Trellix.

The Threat Report: Summer 2022 leverages proprietary data from Trellix’s network of over one billion sensors, open-source intelligence and Trellix Threat Labs investigations into prevalent threats like ransomware and nation-state activity. Telemetry related to detection of threats is used for the purposes of this report. A detection is when a file, URL, IP-address, suspicious email, network behavior or other indicator is detected and reported via the Trellix XDR ecosystem.