Trellix Report: Business Service Providers Heavily Targeted by Cybercriminals

A new Trellix threat report shows companies providing IT, finance and other types of consulting and contract services are increasingly targeted by cybercriminals.

The Trellix summer 2022 threat report analyzes cybersecurity trends and attack methods from the first quarter of 2022. It also features research from Trellix Threat Labs into connected health care and access control systems.

Key findings from the Trellix report include:

• Business services accounted for 64% of total U.S. ransomware detections and was the second most targeted sector behind telecom across global ransomware detections, malware detections and nation-state backed attacks in the first quarter.
• Following the January arrests of members of the REvil ransomware gang, payouts to attackers declined. Trellix also observed ransomware groups building lockers targeting virtualization services with varied success. Leaked chats from the quarter’s second most active ransomware gang, Conti, publicly expressed allegiance to the Russian administration. This seems to confirm the government is directing cybercriminal enterprises.
• Telemetry analysis revealed phishing URLs and malicious document trends in email security. Most malicious emails detected contained a phishing URL used to steal credentials or lure victims to download malware. Trellix also identified emails with malicious documents and executables like infostealers and trojans attached.

Surprising Findings

Christiaan Beek is Trellix‘s lead scientist and senior principal engineer.

Trellix’s Christiaan Beek

“The persisting success of living off the land (LotL) and email attacks that use vulnerabilities that have been known for years surprises me,” he said. “Many businesses ignore suggested expert guidance, opening the door to preventable attacks. The consequence of such outdated strategies is further reflected in our findings.”

Additionally, the aftermath of the Conti group’s internal communications leak provided surprising data, Beek said.

“While the group’s initial reaction was to doubledown, there was a notable overall drop in activity from the largest ransomware gangs in this latest report,” he said. “This decrease was contextualized by a new trend: ransomware gangs publicly aligning themselves with nation-states to target critical infrastructure. In tandem, we have seen increased activity from groups that make use of the focus on Ukraine to infiltrate Russian companies and governments, contributing to a shocking 490% increase in incidents targeting Russia.”

One of the biggest impacts criminals can have on a business services organization is shutting down their clients’ operations, Beek said.

“We saw this with the attack on Kaseya when a number of grocery stores had to shut down,” he said. “This causes loss of income for the business, but also has potential for resounding effects to the public’s daily lives. Another example is the increasing attacks on health care providers. Health care is a non-stop operation with a focus on patient health. Disrupting hospital systems impacts care, treatment and
scheduled surgeries, creating the potential for literal life-and-death situations.”

MSPs, MSSPs Need Cyber Incident Response Plans

MSPs and MSSPs can’t let the weight of their responsibility to keep their clients operational impact their ability to mitigate an attack quickly and strategically, Beek said. It’s table stakes to have a cyber incident response plan.

“Supply chain attacks have been a tremendous focus since some major attacks resulted in the breach of critical infrastructure,” he said. “MSPs should be aware that they are an interesting target through which threat actors can access multiple victims; similar to the movie Lord of the Rings, one ring rules them all.”

Although financial sanctions due to the Russia-Ukraine conflict slowed down some ransomware operations, several groups are ramping up their attacks and new groups are surfacing, Beek said. Additionally, with cryptocurrency prices on the low end, cryptocurrency mining and attacks related to gaining cryptocurrency are increasing.

“It’s like buying stock when prices are low and aiming for the near future to expect the value to go up — like a short-term investment,” he said.

It’s encouraging to see ransomware rates and payouts to gangs declining, Beek added.

“This signals a few things,” he said. “The public and businesses are getting more confident in reporting ransomware activity rather than paying out, and law enforcement actions against cybercriminals deters activity.”