More than any other industry, cybersecurity is constantly changing. But the number of major paradigm shifts that transformed the world of cybersecurity in the past few years has been unprecedented, especially when it comes to combating ransomware.
The costly and global threat of ransomware has evolved alongside changing technology in the past two decades. Just as threat researchers and engineers rethink their solutions when the currents of cybersecurity shift, their adversaries are always following the latest trends to successfully target their victims.
How is ransomware evolving?
New developments like the success of law enforcement crackdowns on ransomware, changing government regulations, international sanctions, and the looming regulation of cryptocurrency will force adversaries to adapt—both to overcome new challenges and take advantage of new opportunities. For cybersecurity leaders, keeping ahead of these 6 changes will be crucial in defending against new exploits and attack vectors.
To learn more about 10 key ransomware evolutions, read The Near and Far Future of Ransomware Business Models.
Traditionally, ransomware groups targeting businesses have preyed on industries where uptime is crucial and even an hour lost to a payload that encrypts files or halts production can be prohibitively expensive. But some adversary groups are finding success without ever deploying a payload.
LAPSU$, a group believed to have targeted such heavyweights as Microsoft, Nvidia, Uber, and Rockstar Games, gained prominence by extorting their victims and posting stolen data online when they failed to meet the group’s demands. As adversaries find more avenues to profit from their targets, cybersecurity leaders will need to carefully consider where all of their organisation’s vulnerabilities lie.
Today, stealing or encrypting data to extort victims is the norm for ransomware groups. But stolen data is not just valuable to its rightful owners. One compromised machine can provide adversaries with a wealth of company secrets and sensitive documents ready for sale to the highest bidder.
While ransomware groups are not known for widespread data monetisation, it’s an established underground industry which these groups are primed to enter as brokers for other cybercriminals—maximising profit while minimising exposure. On the other hand, even a single breach could be catastrophic now that sensitive data might find its way into the hands of bad actors, or else end up posted on the internet to create additional blowback for your organisation.
As more organisations move to the cloud, the landscape of endpoint vulnerabilities is shifting along with them. Cybersecurity teams have already adapted to the decentralised nature of the cloud, but misconfigurations and unpatched vulnerabilities are still prime targets for ransomware groups seeking a foothold.
While the diffuse nature of cloud resources poses a challenge for adversaries, they’re developing new strategies that leverage idle resources in response. A study by Google’s Cybersecurity Action Team found that 86% of compromised cloud instances are used to mine cryptocurrency. Adversaries already engaged in “cryptojacking” can easily deploy ransomware on the compromised systems, or sell access to more established ransomware groups.
As cryptomining group TeamTNT proved, just one compromised endpoint can offer adversaries access to sensitive data in the cloud for all kinds of criminal ends.
Cybersecurity leaders know that no attack vector is small enough to overlook when any breach could prove devastating. Uncommon platforms might actually pose the greatest risk to your organisation, because ransomware groups appreciate the value of business-critical devices without ready backups.
Adversaries don’t just stick to tried-and-true exploits, either. Researchers from the Georgia Institute of Technology created a proof of concept for deploying ransomware to a programme logic controller (PLC) in 2017. Rebuilding or replacing such a device could be prohibitively expensive, which is exactly what ransomware groups seeking a payout look for in their targets.
Such devastating vulnerabilities are more common than you might expect. In 2017, Trend Micro researchers found that the older mainframes essential to many business-critical systems can be held hostage by adversaries if they’re connected to the internet. The range of malicious actions available to ransomware groups includes changing administrative passwords and making it harder to reboot the network or equipment.
These days even adversaries are taking advantage of time- and cost-saving automation. Just like professional organisations, ransomware groups are scaling to maximise revenue by automating tasks and limiting human error.
Penetrating a system, the most costly stage of a ransomware attack in terms of both time and effort, can now be streamlined—emboldening adversary groups with fewer members or resources. For cybersecurity leaders, this will mean more attacks to fend off while they’re already moving laterally through the affected environments, which is ironically when deterring threats is the most costly.
Ransomware actors that traffic in a high volume of breaches, like Cerber, are already making use of blockchain technology to carry out their attacks more efficiently. Successful teams will fight fire with fire by harnessing solutions that use AI and machine learning to pinpoint and respond to attacks faster.
There’s no shortage of ways for crafty adversaries to breach their target networks. User credentials—stolen, leaked, or purchased from online markets—are the most direct route, while software is also vulnerable to exploits. But for the evolving, professional ransomware group, taking advantage of zero-day vulnerabilities is not out of the question.
With an exploit developer hired to find vulnerabilities for them, ransomware groups could exploit the same unknown fault several times before the weakness is discovered and patched. No groups have been identified taking this approach so far, but it’s not out of the question considering how valuable such an exploit could be for a team of malicious actors. The LockBit ransomware group has even posted a $50,000 bounty for weaknesses in their encryption algorithm.
There’s no field of cybersecurity free from the threat of ransomware. The most determined ransomware groups will target businesses, hospitals, and critical infrastructure alike. And while 2022 saw a lull in ransomware cases, the success rate for ransomware attacks could be due for a rebound as adversaries change their tactics.
Whether independent actors or nation states are behind the attacks, ransomware remains a threat that won’t be easily overcome. A platform like Trend One, powered by industry-leading global threat research, accelerates detection and response to help defend against evolving threats.
Check out these resources to learn more about defending your organisation from threats: