Musings on Threat Intel: The Summer of Ransomware

It seems like every week there is a major breaking story related to ransomware. Two major storylines have emerged as notable. First, we have now seen ransomware impact critical infrastructure in the United States. In the Colonial Pipeline attack, we saw how ransomware can impact our ability to move people as well as goods and services. We also observed the psychological impact that cyber can have as we saw people hoarding gas and the social unrest it caused. Not long after JBS, a large meat processing company, also experienced partial shutdowns due to a ransomware attack from the REvil group. Both were indirect attacks against the national security of the U.S.

The dust had not had a chance to settle on these two attacks when we learned that REvil was not sitting back on its heels. The group was busy instituting what may be the first multi-tiered supply chain ransomware attack – the Kaseya ransomware incident. Here we witnessed an attack that used a zero-day in the Kaseya VSA application to target the MSPs that used Kaseya’s product with the ultimate end goal to infect MSPs’ customer base. As of last check, REvil claimed to have impacted more than one million endpoints. It was reported that approximately 40 MSPs were impacted with a total client impact of up to 1500 firms worldwide.

These three incidents are just the most publicized, at the moment. There have been many more that have been reported and even more that have not made the news. iboss has blogged about these and the overall perspective shift on what we will need to do to help eliminate the threat of ransomware. If you have not already read these blog entries, including an article on the recent EA attack, please check them out via the above links.

And Now for the Rest of the Story

While everyone’s attention has been on these ransomware incidents, APT groups from China, Russia, and other nations have continued to conduct cyber espionage and influence campaigns. There have been reports of Russia’s APT28 and APT29 conducting cyber espionage operations, as well as ongoing Chinese APT campaigns. President Biden has been vocal about holding Russia accountable for any cyber operations that impact critical infrastructure. We have also seen increasing rhetoric from China pushing for greater world power and influence. History has shown us that China is masterful at using both cyber operations and human assets (both professional and not) to gain intelligence that furthers its commercial, military, and geopolitical endeavors.

What does this mean for the world of cybersecurity? It means that not much has really changed. Cybercriminals and APT actors will continue to modify their TTPs to get the job done. We need to be on the lookout for external cyber threats as well as insider threats. We cannot let headlines dictate where we focus security efforts; rather, we need to understand what we have to lose and thus what we must protect. Only then can we figure out who will target us and what protections to put in place to thwart those efforts. While we continue to improve our security posture, we need to streamline and consolidate technology stacks to make it more efficient for our security teams to do their jobs. This means not only keeping attackers out of our networks but also quickly finding them if they do get in, and having the data to support – and a tested plan to deal with – any remediation efforts.


Blog post authored by Jim Gogolinski, VP of Research and Threat Intelligence at iboss.