GUEST ESSAY: Why the arrests of cyber criminals in 2021 will incentivize attackers in 2022

By Wade Lance

In 2021, law enforcement continued making a tremendous effort to track down, capture and arrest ransomware operators, to take down ransomware infrastructure, and to claw back ransomware payments.


While some of these efforts have been successful, and may prevent more damage from being done, it is important to realize that headline news is a lightning rod for more attacks. Successful attacks breed copycats, and their arrests make room for replacements. Malicious actors are opportunistic.

Of course they don’t want to get busted and they don’t want authorities taking down their infrastructure, but these arrests are an incentive to get into the ransomware market and a learning experience on how to adapt their tactics.

I expect a new wave of ransomware operators that use cryptocurrency to avoid tracking, remotely-located operations to avoid extradition and arrest, and the hardening of operational security to avoid infrastructure take down.

Reconstituted hacker rings

Don’t believe the hype. REvil and BlackMatter are not “shutting down” due to external pressure from the government and law enforcement agencies. We’ve seen these groups disappear and then pop back up a few months later, sometimes with a new name.

Before BlackMatter it was DarkSide. It’s like Soundgarden breaking up, only to come back with some adjustments as Audioslave, then going solo as Chris Cornell. These transformations for ransomware groups will become the source of new attacks.

This isn’t just re-branding, it’s re-architecting. There will be new methods of initial attack and penetration, and enhanced approaches to move laterally in the network. There will be new methods of operation to avoid arrest and infrastructure takedown.

And there will be loosely affiliated networks of solo operators that pick and choose who they work with through a robust cybercrime underground, just like rotating new drummers through a band. In 2022 we expect to see more aggressive and complex ransomware efforts.

Central importance of identity

If 2021 was the year that Zero Trust security reached mainstream IT — and it was — then 2022 will become the realization that it cannot be done without identity first. At its core, Zero Trust is about authenticating identities and authorizing access under policies designed to grant the least privilege, for the shortest time, to the fewest assets.

After all, a malicious actor only needs a few minutes of time with a privileged account to take over the entire directory, and there are volumes of exploitable identity risks at every organization. The only companies that are going to successfully operate with a Zero Trust framework are those that start by sorting out their actual identity risks.

And it is going to take more than Active Directory (AD), privileged access management (PAM), multi-factor authentication (MFA) and single sign-on (SSO) solutions to manage the risk.

The ascendency of CISOs

Privileged access management (PAM), Active Directory (AD) and single sign-on (SSO) solutions have historically been the responsibility of the IT team. IT teams have a different perspective than security teams; they want to make sure that things go fast, so they try to remove any source of friction.

But when AD and PAM are all about making things go fast, then security takes a back seat — and identity has become too important to leave these risks up in the air. Organizations need to assign security teams to manage these identity solutions, and hire a director to manage the team (and they all report to the CISO), or there will never be a change in that high-risk mindset.

And there will never be Zero Trust because the identity is exploitable. In 2022 we expect to see organizations increasingly moving identity management systems into the CISO organization.

About the essayist: Wade Lance is Field CTO at Illusive Networks. He has diverse experience in solution design for Global 1000 cybersecurity teams, an extensive background in advanced cyber-attack detection, and a specialty in cyber deception methods and platforms. Prior to his career in information technology, Lance was a professional mountain guide.
