A Deep Dive into the Evolution of Ransomware Part 2
This 3-part blog series takes an in-depth look at the evolution of ransomware business models, from the early stages to current trends.
Ransomware has become an increasingly damaging presence, wreaking havoc on organizations of all sizes and across industries. Without understanding the traditions that underpin these malicious strategies, combatting them can feel like a daunting task.
In part one, we explored ransomware's evolution to gain perspective on how cybercriminals adapt their tactics in response to changing threats. This entry looks at the factors that trigger changes in cybercriminals' business models.
Triggers for a paradigm shift
Cybercriminals are a savvy and adaptive bunch, capable of quickly changing their business model in response to changes in the information security landscape. Here are several triggers that could prompt subtle evolutions or major revolutions in ransomware operations:
Law enforcement and security researchers are in an ongoing battle against ransomware groups. Multi-jurisdictional takedowns of criminal organizations and the monitoring activities of security researchers pose a major threat to the spread of this malicious software.
As these efforts make life more difficult for the attackers, paranoia is growing within their ranks that someone among them may be working undercover with law enforcement or other security professionals.
The advent of cryptocurrency has enabled cross-border monetary exchanges with a high degree of anonymity, greatly incentivizing cybercriminals to deploy ransomware. Consequently, appropriate regulation of the usage and circulation of digital currencies can help limit this activity by reducing its financial reward.
Cryptocurrency regulations are expected to have an impact, potentially making money laundering a lot more difficult.
As a measure of foreign policy, countries worldwide have implemented economic sanctions aimed at holding individuals and organizations accountable for violations. The United Nations (UN) and the US Treasury Department's Office of Foreign Assets Control (OFAC) are two prominent entities that maintain sanctions lists.
Some ransomware actors have been placed on sanctions lists, and some facilitating services, such as crypto exchanges, have been designated as well. However, the sanctions are expected to have only a limited impact on ransomware.
With an increasing number of companies transitioning to decentralized data centers and remote workforces, ransomware groups are expected to struggle with their operations. However, it is also predicted that these actors will adapt and look for ways to exploit cloud servers.
Ransomware as a Service (RaaS) groups are not immune to operational security mistakes. Our team recently identified numerous Tor-hidden websites of RaaS operations whose clear-web IP addresses could be determined, due in part to common oversights such as exposing more services than necessary and a lack of adequate access management on the hidden sites.
Several prominent RaaS groups have been compromised for months at a time by either law enforcement (LE) or security researchers. As a result, we expect these actors to tighten their OpSec.
What ransomware will look like as it evolves
In recent years, ransomware has become a pervasive threat. From government institutions and hospitals to enterprises and critical infrastructure, no organization has been safe from these cyberattacks, with rising ransom demands leaving organizations exposed.
However, in 2022 there appears to be a stabilization of this malicious activity. This does not mean the issue will simply disappear into the night; rather, ransomware will likely evolve gradually over time, potentially culminating in a revolution that produces something more sophisticated than what we have seen before. It could lead to greater rationality among perpetrators as they hone their skills and become ever more professional operators in cyberspace, for instance by implementing better operational security measures during attacks.
Recent reports indicate that nation-state actors are turning to ransomware for reasons beyond monetary gain. Nation-state actors have long used it as a smokescreen to mask their true intent of espionage or destruction, and this type of activity is anticipated to remain popular for the foreseeable future.
Furthermore, evolutions such as using more zero-day exploits and targeting cloud infrastructure may make ransomware even harder to defend against, potentially having an immense effect on its success rate going forward.
As ransomware actors continue to shift their criminal business models, they look for ways to increase profits. Fortunately, we can anticipate and prepare for the revolutions that may occur in response to incentives like these. By understanding the forces that drive them toward innovation, we can stay one step ahead of this ever-evolving threat landscape.
In the final part of this series, we’ll explore the near and far future of ransomware business models and what it means for organizations.