Security leaders and CISOs have been protecting their organisations from ransomware for decades, adapting with changes in technology to defend against the costly risks of stolen data or interruptions to critical systems. But adversaries always have new tricks up their sleeves and now the global community of ransomware groups seems poised for a revolution that could make them more effective, versatile, and dangerous.
How will ransomware’s business model change?
The kill chain employed by ransomware groups can easily be adapted to suit a variety of criminal activities. These groups could branch out to commit extortion, business email compromise (BEC), cryptocurrency theft, and stock market manipulation—and in fact, there’s some evidence that these shifts have already begun.
To continue securing their organisations against the next generation of cyber risks, security leaders should consider these 4 possible outcomes of a ransomware revolution.
To learn more about 7 ways the ransomware business model could change, read The Near and Far Future of Ransomware Business Models.
Ransomware actors are already being recruited by governments to put the skills they honed infiltrating their victims to better use. For instance, the U.K.’s National Crime Agency has a programme to reform teenage hackers into ethical security experts. But other nation states are more interested in claiming the tools and talents of these bad actors than reforming them.
Adversaries who can breach and extort organisations for high payouts could easily accomplish the kinds of intrusions that nation states are interested in. The relationships between these states and hackers could even be described as quid pro quo—the groups recruited by the state get free licence to attack their targets, as long as it aligns with their state’s objectives. But given the criminal nature of ransomware groups, it’s just as likely that these states would hold leverage over their recruits in the form of reduced sentences.
Recent events prove that these scenarios are not just hypothetical. Following Russia’s invasion of Ukraine in 2022, the pro-Russian hacktivism group Killnet came under the leadership of BlackSide—a group experienced in ransomware, phishing, and cryptocurrency theft. Under BlackSide’s leadership, the group attacked high-profile targets like Lockheed Martin, and claimed to have stolen the defence contractor’s employee data.
Groups like BlackSide, with access to both highly effective infiltration techniques and government support, could soon grow to pose a serious risk.
The ransomware as a service (RaaS) group Darkside showed some nefarious creativity in 2021, when they went a step further than simply infiltrating their target to deploy a ransomware payload. Instead, Darkside aligned with stock traders to “short” their latest victim—selling off stocks in the target company before the breach was made public to profit from the dip in stock price.
Financial regulators are familiar with such schemes and can recognise suspicious stock trading patterns. But in related “short and distort” schemes, where traders help to further drive down the stock price, the profits can range into hundreds of millions of dollars and make the risk well worthwhile. Plus, cybercriminals engaged in stock market manipulation have other methods to maximise their payout.
If their breach goes undetected, ransomware groups could spend weeks harvesting sensitive data as they short the target company’s stocks. Then, by publicising their breach or deploying ransomware to disrupt the victim’s operations, the immediate price drop presents a huge windfall for these bad actors.
Although stock market manipulation schemes require capital, expert knowledge, and accomplices, these are well within the reach of the most successful ransomware groups. Cybersecurity leaders need to make their boards appreciate that just one breach could be devastating for their organisations, now that their data, stock prices, and public image could be jeopardised in one fell swoop.
Supply chain attacks have been increasing in recent years, but when cybersecurity experts discuss the threat posed by these infiltrations they are usually framed as a national security issue. Widespread ransomware deployments could be just as devastating, and in fact several ambitious ransomware groups have already proven how effective these tactics can be.
In 2021, REvil-affiliated attackers deployed ransomware through IT solutions company Kaseya’s managed software providers and tricked as many as 1,500 companies. Such an attack is highly effective because customers inherently trust their managed software, while the attackers only need a few payouts to make their infiltration worthwhile.
There are more worrying applications of this strategy that combine the effectiveness of ransomware, the wide reach of the supply chain, and the goals of nation state actors. The NotPetya attacks of 2017 infiltrated software company MeDoc, which almost 80% of companies in Ukraine relied on. Although the attackers deployed ransomware, NotPetya’s true goal seemed to be creating chaos as victims who agreed to pay the ransom did not recover their data or systems.
With the risks posed by these breaches—financial or otherwise—security leaders should take care to limit exposure by securing their organisation’s digital supply chain.
One simple yet highly concerning possibility for the future of ransomware is that instead of deploying a payload, adversaries with the skills to infiltrate an organisation’s computer systems will apply the data they find there to another type of attack: BEC.
BEC scams trick specifically targeted employees into wiring the attackers large sums of money. Usually, no credential phishing or malware is required to pull off this deception—just publicly available information and social engineering. And although social engineering is a skillset that most ransomware groups don’t require, it’s only a matter of time before the much greater profits to be made from BEC attacks tempt them to branch out.
The FBI reported that worldwide losses from BEC attacks between June 2016 and December 2021 totalled $43 billion, with the average losses in 2016 estimated to be $160,000. Those costly payouts are yet another reason for security leaders to treat every breach seriously.
Ransomware groups are constantly improving their methods to be more effective and profitable, not only to outsmart security leaders but also to compete with other cybercriminals.
Whether the next shift in the ransomware business model involves joining forces with governments and other skilled adversaries, or changing focus to maximise profitability, cybersecurity leaders should think proactively about how to lower their cyber risk. Solutions that detect ransomware may not be enough. A all-in-one platform with XDR, such as Trend One, allows for faster, more precise detection and response.
Check out these resources to learn more about lowering your organisation’s cyber risk: