Ransomware Business Models: Future Pivots and Trends
Ransomware groups and their business models are expected to change from what we know today. In this blog entry, we summarize some of our insights on the triggers that spark small, short-term changes (“evolutions”) and on the bigger deviations (“revolutions”) toward which these groups could redirect their criminal enterprises in the long run.
Modern ransomware attacks have become one of the most damaging cybersecurity incidents an organization can suffer, so we examined the current state of the threat and the possible directions ransomware groups could take it. Noting that other cybercriminal business models can yield more illicit money, and that changing geopolitical and economic conditions affect this illegal enterprise, we looked at the triggers that could gradually alter how ransomware business models are designed and operated.
This blog post discusses some of the possible triggers, detailed in “The Near and Far Future of Ransomware Business Models,” that can push Ransomware-as-a-Service (RaaS) groups to make small changes to their current operations (the section we call “Evolutions”). Looking further ahead, and considering the aggregate effect of these triggers and small changes, we then examine the larger modifications these groups could make to pursue other objectives in the long run (the section “Revolutions”). While our research identifies five key points of impact, this entry focuses on three:
- When compelled, ransomware actors will adapt and adopt other criminal business models, online or offline, that monetize initial access, such as short-and-distort schemes or other forms of stock fraud, business email compromise (BEC), and cryptocurrency theft, among others.
- Ransomware actors are expected to evolve and deploy routines with more automation, better operational security (OpSec), and new cloud and internet of things (IoT) targets. Linux ransomware will likewise continue to grow.
- Cryptocurrency crime is expected to grow significantly, and ransomware actors are expected to be involved in crypto crime sooner or later.
Key Underground Services That Enable Ransomware
Over the years, ransomware has evolved into a fusion of earlier threats that extorted the public. Seen from this angle, ransomware groups and their business models have never been static: the groups run themselves as profitable business ventures that must constantly adjust to changing technology and conditions. This raises the question: where can ransomware go next?
To answer it, consider the building blocks of today’s ransomware models, each of which ransomware groups vary and customize to suit their targets’ environments. Each block can be seen as a separate entity contributing to a functioning ecosystem:
- Initial access: Attackers find an entry vector into the targeted victim’s network. Launching an email campaign with backdoor payloads, sending specifically crafted social engineering campaigns aimed at enterprises, exploiting vulnerabilities, and buying credentials from the underground are just some examples of ways to gain access to systems.
- Lateral movement and privilege escalation: Attackers move deeper into and across the victim’s network with standard or customized hacking tools.
- Sensitive data exfiltration: Attackers locate sensitive information on compromised machines and steal it. Sifting through the data, either while navigating the victim’s machines or after exfiltration, lets the threat actors set the ransom amount or determine whether the victim has cyber insurance.
- Backup systems’ disruption: Attackers disrupt and damage backup systems and processes in order to lower the victim’s chances of restoring machines and recovering data on their own.
- Ransomware payload deployment: Attackers encrypt files and IT systems, disrupting operations.
- Extortion methods: Attackers demand payment in exchange for the decryption keys to recover files and restore systems. Additional extortion methods are imposed on the victims if they choose not to pay the ransom.
- Money laundering: Attackers launder their proceeds via cryptocurrency to mask the real identities of the ransom beneficiaries. This is often done through cryptocurrency exchanges, mixers, or a combination of other obfuscation techniques.
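The backup-disruption block above is one of the few stages where a defender gets a high-fidelity signal before encryption starts, because the attacker has to run recovery-tampering commands on the host. The following is an added example, not code from the original post: a small detector that scans process-creation events for the shadow-copy deletion, backup-catalog deletion and boot-recovery changes commonly associated with MITRE ATT&CK T1490 (Inhibit System Recovery). The command patterns reflect common tradecraft rather than anything documented on this page, and the log lines are constructed for illustration in a Sysmon event 1 style; field names such as `CommandLine` and `ParentImage` are assumptions about your telemetry schema.

```python
import json
import re

# Typical recovery-tampering command lines (MITRE ATT&CK T1490). These are
# common tradecraft, not taken from the blog post; extend from your casework.
INHIBIT_RECOVERY_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I)),
    ("bcdedit_ignore_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b", re.I)),
    ("powershell_remove_shadowcopy",
     re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
]


def parse_events(lines):
    """Parse newline-delimited JSON process-creation events, skipping malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole scan
    return events


def scan_events(events):
    """Return one finding per event whose command line matches a T1490 pattern."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for name, pattern in INHIBIT_RECOVERY_PATTERNS:
            if pattern.search(cmd):
                findings.append({
                    "host": ev.get("Computer"),
                    "user": ev.get("User"),
                    "parent": ev.get("ParentImage"),
                    "rule": name,
                    "technique": "T1490",
                    "command": cmd,
                })
                break  # one finding per event is enough for triage
    return findings


# Constructed sample telemetry (Sysmon event 1 style). Not real data.
# The first three lines are what a ransomware pre-deployment script looks like;
# the last two are benign noise that must not fire.
SAMPLE_LOG = r"""
{"Computer":"FS01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"vssadmin.exe Delete Shadows /All /Quiet"}
{"Computer":"FS01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"wbadmin delete catalog -quiet"}
{"Computer":"FS01","User":"CORP\\svc_backup","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"bcdedit /set {default} recoveryenabled No"}
{"Computer":"WS22","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"vssadmin list shadows"}
{"Computer":"WS22","User":"CORP\\alice","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe report.txt"}
"""


def demo():
    """Run the detector over the constructed sample log and return the findings."""
    return scan_events(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['host']} {f['user']} [{f['rule']}] {f['command']}")
```

Three findings on one host within a short window, all spawned from the same parent and under a service account, is the shape of the signal worth paging on; a lone `vssadmin list shadows` from an interactive user is not, which is why the patterns key on the destructive verbs rather than on the binary name alone.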
Triggers for change
Much like legitimate enterprises, ransomware groups treat their deployments and attacks as a business and engage in business development. Internal and external changes significantly affect their operations. This section gives two examples of triggers that bear on the key points above. For the full list of triggers, download our research here.
Trigger 1: Governments implement regulations on cryptocurrencies
Cryptocurrency is one of the definitive enablers of modern ransomware’s growth. Its convenience for cross-border transfers and its ability to obscure the real identities of ransom recipients have fueled cybercrime, overshadowing its legitimate uses. From this perspective, stringent government regulation of cryptocurrencies could dampen ransomware actors’ abuse of it.
One example of such regulation is the legislation being proposed in the European Parliament. Once in effect, one of its most notable requirements is that the payer and the payment recipient be identified for all cryptocurrency transactions. Revealing the identities of senders and receivers will significantly affect illicit users, ransomware groups in particular. Other regions are also regulating cryptocurrency use, but those rules appear milder by comparison and are aimed at protecting investors and consumers in the long run.
Trigger 2: Changes in the IT security landscape and move to the cloud
More companies are moving their data centers to the cloud and adopting hybrid remote work arrangements. As cloud infrastructures grow and more components are exposed to the internet, threat actors gain potential openings into organizations’ networks and critical systems.
Security practitioners have worked consistently to reduce risk to the enterprise network. However, the growing number of devices connected to both the network and the public internet has created more entry vectors, as shown by Shodan scans of exposed Remote Desktop Protocol (RDP) services since 2018.
RDP on TCP port 3389 remains a popular service abused by ransomware actors for initial access to on-premises systems. However, as more organizations shift to cloud services for file storage and Active Directory, ransomware groups will look for opportunities to develop or exploit vulnerabilities in those services that have not yet been leveraged at scale.
Evolutions
Current ransomware models are expected to be tweaked gradually to adapt to the triggers that prompt those changes. From a business perspective, these are “naturally occurring” movements away from the current state. In this section, we list two gradual evolutions that ransomware actors will likely undergo in the short term to adapt to the upcoming triggers. For the full list of evolutions and their respective discussions, download our paper here.
Evolution 1: Change of targeted endpoints – The internet of things (IoT)/Linux
The Mirai botnet, which emerged in 2016, was a turning point that demonstrated the possibility of expanding attacks to Linux devices and the cloud. While Mirai is not ransomware, the release of its source code allowed anyone with the interest and skill set to download and recompile the code to infect Linux-based routers and build their own botnet. This illustrates two points for this evolution:
- Threat actors have code ready to target Linux-based devices and can simply adapt it for similar devices.
- They are ready to use this capability as soon as visible targets with internet-facing security gaps appear.
Following from these points, ransomware groups can find new Linux-based targets or tweak the threats they already have to target new platforms such as cloud infrastructures, leading to possible developments:
- Ransomware groups focus their sights on regular Linux servers
- Ransomware groups start targeting backup servers
- Ransomware groups start targeting other IoT Linux-based devices
With the increased use of Linux-based servers, the cloud, and, as another entry point, IoT, ransomware groups see an opportunity in attacking these devices as endpoints. This is a potentially lucrative shift because:
- They are powerful enough to support highly functional capabilities.
- They are connected to the internet almost all the time.
- They host a plethora of valuable information, personal or otherwise.
- They are often vulnerable and no longer supported by their vendors.
As an example of this expansion, attacks on and abuse of network-attached storage (NAS) devices are well documented, but it would underestimate threat groups to think they would stop there.
Evolution 2: Scale up through increased professionalism and automation
As RaaS groups gained notoriety for the disruption and losses they caused organizations and users, some ransomware actors gave interviews to the media. Unbeknownst to them, their RaaS infrastructure had already been compromised and was being monitored by security researchers while they talked to journalists.
While many RaaS groups host their sites as Tor hidden services, security researchers and law enforcement have found the clear-web IP addresses of the backend servers behind them. Any unencrypted data stored on those servers then becomes an easy target for law enforcement.
In contrast to these notorious players, other ransomware actors have better OpSec: they do not engage with the media, minimize their interactions with victims, and have no documented intrusions into their infrastructure. If the notorious actors follow the example of their lesser-known colleagues and stay under the radar while operating more professionally, their RaaS programs will last longer.
In the same vein, automating ransomware attacks not only lessens risk but also lets gangs scale. Tailored, manual attacks are more likely to succeed, but more manual work means more risk because more people are needed. Beyond human error in the criminal operation itself, there have been instances of disgruntled cybercriminals doxing fellow criminals or leaking information about them online.
Automation thus lets ransomware groups weigh which channels bring more revenue: more automation might reduce revenue per victim, but it can increase total revenue through the sheer number of deployments. Costs fall and operations speed up when the affiliates responsible for initial access and lateral movement are cut out of the model, for instance through mass exploitation or worm-like capabilities. Ransom negotiators can likewise be replaced by automated chatbots, reducing communication between perpetrators and victims. Once big-game hunters recognize the benefits of automation in terms of risk and profit, they could gravitate toward implementing it.
Revolutions
The stacking of small evolutions can lead to larger changes among ransomware groups. Security researchers have already documented some of these revolutions, such as the shift from profit-oriented attacks to serving nation-state objectives, benefiting countries or their leaders and using ransomware as a smokescreen for the real intent. Other RaaS groups may be driven by cloud adoption or by the evolution of exploits and vulnerabilities. Still others will be drawn to different criminal business models by the promise of higher profits. In this section, we discuss two revolutions that ransomware actors will likely adopt in the long run. For the full list of revolutions and their respective discussions, download our research here.
Revolution 1: Hack into cryptocurrency exchanges/Steal cryptocurrencies
Fraudulent schemes involving cryptocurrency, and outright cryptocurrency theft, are more profitable than ransomware payouts. In the current environment, ransomware actors have had little incentive to shift from ransomware to other tactics. However, many of the initial access techniques used by RaaS groups can also be used to breach cryptocurrency exchanges. Once inside, these cybercriminals can steal cryptocurrency directly instead of having to deploy ransomware payloads.
A few groups, such as Lazarus, have already been documented exploring this business model. The group, known for compromising both traditional and newer financial services platforms for monetary gain, has already profited significantly from cryptocurrency and bank theft incidents.
Revolution 2: Replace ransomware payload with business email compromise (BEC)
Business email compromise (BEC) has been documented as a highly profitable scheme for scammers. By using executives’ publicly available information to trick senior employees into wiring large sums to attacker-controlled accounts, BEC caused losses estimated in the billions of dollars from 2016 to 2021. BEC scams have yielded higher profit margins than ransomware attacks.
Using the same initial access techniques that precede ransomware deployment, attackers can abuse the information they steal to launch a BEC scam instead of deploying a payload. Stolen insider information combined with social engineering gives an attacker more powerful tools than open-source data alone. While socially engineering an executive may cost the attacker more effort than simply demanding a ransom, the payout easily exceeds that cost.
The ransomware models we know today are an accumulated blend of extortion schemes that have proven profitable for ransomware actors over the years. From this perspective, it makes business sense that ransomware groups and their business models will keep changing in both the short and the long run.
The triggers that prompt small evolutions are almost expected and arise naturally from competition among the illicit groups themselves. While sanctions deter groups and activities for a time, they were designed to respond to yesterday’s problems, not necessarily to current and future attacks. In the long run, larger revolutions in how ransomware groups operate will be driven by the advantages and disadvantages of a changing environment, by the relative profitability of each model, and by the overall objectives these actors pursue.
Regardless of the extent of the changes, security researchers and practitioners can keep these scenarios in mind to prepare their strategies ahead of time. Decision-makers such as CISOs, security operations centers (SOCs), and IT teams can collaborate to continually adjust their defenses and mount them as far left of the kill chain as possible.
To read our full analysis of the current and future direction of ransomware groups and businesses, download our research “The Near and Far Future of Ransomware Business Models.” Read about the other key points for discussion on the main page, “The Future of Ransomware.”