Future malware and ransomware infections will consist of “shotgun attacks with pinpoint targeting”, according to Sophos’ 2022 threat report.
As if that wasn’t enough, the British infosec biz reckons established commodity malware attacks will end up delivering ever more ransomware, while extortion tactics used by ransomware gangs will become more diverse and intense – with the aim of browbeating victims into handing over cash.
“Ransomware thrives because of its ability to adapt and innovate,” said Chester Wisniewski, principal research scientist at Sophos, in a canned statement. “For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers.”
The near-ubiquitous cyber threat has featured heavily in the news recently, following US rewards totalling millions of dollars for information leading to the arrests and convictions of certain high-profile ransomware gangs. On top of that, numerous countries’ police forces – most notably that of Ukraine – have arrested people alleged to be members of the gangs.
Aside from ransomware, Sophos said 2022 would see re-runs of the ProxyLogon and ProxyShell attacks, where vulns in widely used IT services and products were instantly leapt upon by criminals and nation states alike. The firm expects to see “a growing [criminal] interest in Linux-based systems during 2022, both in the cloud and on web and virtual servers.”
Targeted shotgun attacks, as Sophos described them, may also increase. The company used the Gootloader attacks as an example, highlighting how malicious websites were pushed up Google search results rankings by crims. Filtering of marks who clicked these malicious links ruled out those who weren’t running certain combinations of operating systems and browsers.
“SophosLabs believes that this may represent a novel way for malware distributors to thwart malware researchers while giving themselves a greater degree of certainty that their malware is going to a subset of victims that may be more desirable than the general population,” concluded the company.
Anti-analysis techniques in themselves are nothing new: in September Kaspersky highlighted how the FinFisher spyware incorporated multiple techniques intended to frustrate researchers examining the malware’s workings. Sophos, however, pointed out that in some email spam campaigns it had observed, the only lure was a phone number; human telephone operators then “perform a kind of psychological profiling on the caller, to determine whether they’re likely to be a real victim.”
Linux and virtualized systems may also fall under greater threat in 2022, in Sophos’ view, with the firm warning: “One ransomware we encountered in 2021 targeted the VMware ESXi platform and came in the form of a Python script that, when run on a hypervisor, shuts down all the running virtual machines and then encrypts the datastore where the virtual hard drives, and other configuration files, are kept on the hypervisor.”
Hair-raising stuff – and the incident above happened to a “logistics and shipping industry” company this year. The RansomEXX trojan, which targets VMware ESXi hypervisors, was spotted by Sophos in June 2021 after an attack against a different ESXi hypervisor “run by a large commercial bakery”.