
Sophos threat report: ‘normalisation’ of ransomware to continue in 2022

Cyber criminals are cooperating with one another to target large organisations, with each group using their competitive advantage to target different vectors, the Sophos 2022 Threat Report outlined.

Reporter
Wed, 10 Nov 2021

Sophos’ 2022 threat report has indicated that ransomware, though not a new phenomenon, has become a cooperative attack vector for cyber gangs, enabling them to tackle even larger and more resilient organisations.

“The biggest change Sophos observed is the shift from 'vertically oriented' threat actors, who make and then attack organisations using their own bespoke ransomware, to a model in which one group builds the ransomware and then leases the use of that ransomware out to specialists in the kind of virtual breaking and entering that requires a distinct skill set from that of ransomware creators,” the report stated.

According to Sophos, the emergence of ransomware-as-a-service (RaaS) offerings has made it more difficult for organisations to understand which groups are undertaking which portions of an attack.


“But under the RaaS model, all these distinctions in the finer details of how an attack takes place have become muddled and make it more difficult for incident responders to identify exactly who is behind an attack,” the report noted.

However, cyber security providers have been able to gain a great deal of intelligence on the operational capabilities of cyber gangs following the 2021 leaks of Conti RaaS documentation.

“In 2021, a disgruntled affiliate of the Conti RaaS service, unhappy with how they were treated by the ransomware creators, published an archive that included a rich trove of documentation and guidance (mostly written in Russian) designed to instruct an attacker 'affiliate' in the steps required to conduct a ransomware attack,” the report stated.

“These documents, and the tools they included, give detailed insight into the attack methods that most of these RaaS affiliates will employ. They also demonstrated why, in some cases, we saw what we expected were different attacker groups employing virtually identical tactics, techniques, and procedures (TTPs) during their ransomware attacks.”

The company explained that the leak of the documents has strengthened Sophos’ cyber security offerings, as it has been able to execute behavioural detection rules that identify when a breach is likely being undertaken by threat actors.

Nevertheless, the company suggests that it is likely the use of the RaaS model will increase over the coming year.

Simply put, RaaS enables cyber criminal groups to specialise their skill sets on different parts of the attack vector, with some threat actors enhancing their break-in capabilities while other gangs improve the ransomware product.
