“Crowdsourced” Hacking
“Among other threats posed by both intentional and unintentional acts in the cyber world, ransomware will increase as a threat in 2022. Threat actors use affiliates to carry out certain stages of the attack, such as the spear-phishing campaigns, then employing other affiliates to deploy tools such as Cobalt Strike (a favorite tool utilized by threat actors). Attackers are weaponizing red-team tools to utilize in the later stages of their attack strategy. These types of tools and their leaked source code and suite of tools, including Cobalt Strike and Metasploit, are now being utilized by either threat actors or their affiliates to laterally move across the ecosystem and even deploy the ransomware payload.
“In what I call ‘crowdsourced’ hacking, 2022 and beyond will see more splintering of ransomware groups and ransomware as a service (RaaS), as the splintered groups’ modus operandi morphs to allow for individual ransomware designers, infiltrators, payload deployers and payment collectors to continue to iterate and improve the product and execution of the attack. This splintered threat model allows cybercrime subject matter experts to emerge in all the areas necessary for a successful attack.
“The 2022 cybersecurity landscape will see more renaming and rebranding of ransomware groups; for example, the perceived rise and fall and rebranding of threat groups such as DarkSide and REvil into a newly minted group named BlackMatter. Further in-fighting will occur as ransomware groups vie for power and credit, which could affect corporations, not unlike the 2021 situation where the Conti RaaS group published a Russian guide designed to instruct the affiliates in how to conduct attacks.
“Additionally, as law enforcement actions by the FBI and their intelligence community partners across the globe become more assertive with threat actors and increase the depth and breadth of their investigation and arrest, pressure and seizure of ransomware proceeds, ransomware groups will become more aggressive with victims, attempting to punish victims even further for either contacting law enforcement or employing the use of professional ransomware negotiators. The 2022 trends will also include an increase in regulations of cryptocurrency clearinghouses and marketplaces and unique utilization of law enforcement tools, such as the search warrants the FBI used in deleting web-shells after the Nobelium attack.
“I have seen an increase in the use of need-to-know tactics and techniques used by threat actors, where we see them compartmentalizing certain parts of the attack to key internal actors and paying for smaller, either affiliated or unaffiliated groups to carry out initial aspects of the attack. These actions are in part because the FBI and other law enforcement organizations are increasing the pressure on these ransomware groups, and the use of affiliates and smaller groups to carry out certain aspects of the attack helps to increase the number of subjects and IP addresses to investigate. In my opinion, this creates a false sense of security for the main threat actors that use of such affiliates allows for some level of shielding from law enforcement.
“In an effort to thwart the sinister actions of the cyber underworld, I see a trend in 2022 and beyond in the use of artificial intelligence and machine learning to make cyber defensive tools smarter and more intuitive.”
— James Turgal, Cyber Risk, Strategy & Board Relations, Optiv