Micro Focus is now part of OpenText. Learn more >

You are here

You are here

Ransomware's evolution: 6 key trends to watch

John P. Mello Jr. Freelance writer

Ransomware has become a global menace, that costs organizations billions of dollars in extortion payments, and even more in downtime. The NCC Group reported a 288% increase in ransomware attacks from the first quarter to the second quarter of this year, due in part to the shift to remote work. 

As security teams start to fight back, attackers have only become more sophisticated.  Here are six key trends that your security team should be tracking to ensure that your organization remains cyber resilient.

1. Ransomware actors are specializing

The malicious actors who deploy ransomware are seeing increased specialization as their roles undergo innovation, said Trevin Edgeworth, red team practice director at Bishop Fox, a cybersecurity company. A diverse set of specialized groups work together, each focusing on a different piece of the ransomware attack lifecycle, he said.

"Today, there are groups that specialize in different aspects of the ransomware lifecycle, from selling initial access to corporate environments to building and hosting ransomware tools and infrastructure to be used in various stages of ransomware attacks."
Trevin Edgeworth

Specialization became necessary as ransomware developers began to understand that additional skills were needed to execute a successful attack, said Michael DeBolt, chief intelligence officer at Intel 471, a cybercrime intelligence provider. "Actors on the cybercrime underground understand that and sell various parts to the attack chain: network access, compromised credentials, cash-out services, and more," he said.

The ecosystem has become so sophisticated that mechanisms have even been set up to settle disputes between cybercriminals. Dark web arbitration services let the purchasers of ransomware tools or services file for compensation if, say, malware authors fail to meet SLAs on the number of zero-day exploits they include, said Gunter Ollmann, CISO of Devo Technology, a logging and security analytics company. 

Going hand in hand with specialization is ransomware as a service, said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, a provider of privileged account management solutions. 

"Creators of ransomware make it available to a network of cybercriminals. The criminals target victims and deploy the ransomware. They collect the ransom from their targets and then provide a percentage of the ransom back to the original ransomware creator."
Joseph Carson

They might even have "help desks" that negotiate the ransom demand and provide the victim with assistance in purchasing crypto currencies, he added.

2. Ransomware attackers are resorting to double extortion

According to the NCC Group, many ransomware gangs are threatening to leak stolen data to damage organizational reputations, an additional pressure to force a payout known as “double extortion.” Bishop Fox's Edgeworth explained that the gangs, including prominent ones such as Maze, Conti, and REvil, want to create a heightened sense of urgency.

"In the earlier days of ransomware, rendering a victim's data inaccessible via encryption was often enough to create adequate disruption and pain."
—Trevin Edgeworth

Exfiltrating compromised data is a response, he said, to organizations strengthening their resilience via stronger data backup processes and disaster recovery plans.

And encrypting your data doesn’t necessarily deter ransomware attacks, warned ThycoticCentrify's Carson: "Attackers may still threaten to publicly disclose that data, expecting that others are willing to pay for the opportunity to break the encryption."

3. Cloud deployments are increasingly a target

Most ransomware attacks this year have been on traditional on-premises networks, according to Oliver Tavakoli, CTO of Vectra, a provider of automated threat management solutions. But he expects ransomware focused on the cloud to emerge this year, including attacks on public cloud assets and data stored in business-critical SaaS applications.

A recent study of cloud environments by Ermetic found a high potential for ransomware. The findings included:

  • Every environment surveyed had identities with a risk factor as well as the ability to perform ransomware on at least 90% of the buckets in an AWS account.
  • More than 70% of the environments had machines publicly exposed to the
    Internet and identities whose permissions allowed the exposed machines to perform ransomware.
  • Over 45% of the environments had third-party identities with the ability to perform ransomware by elevating their privileges to an administrative level.
  • Almost 80% of the environments had IAM users with enabled access keys that had not been used for 180 days or more and that had the ability to perform ransomware.

4. Remote workforces are contributing to the rise in attacks

According to data compiled by data governance company Veronis, ransomware attacks have increased 148% in this year over last due to the rise in remote work.

In response to the long-term work-from-home strategies adopted by companies, ransomware groups began adapting their social engineering lures to include coronavirus-themed emails and phishing websites aimed at remote employees, Bishop Fox's Edgeworth explained.

The shift to remote work also introduced new opportunities for cybercriminals because home networks are outside the enterprise network perimeter and because corporate laptops have been turned to personal uses, he added.

But Intel 471's DeBolt sees the growth in ransomware attacks in a different light. "During this period, ransomware name-and-shame affiliate services flourished and provided low-level cybercriminals with an avenue to enter the underground market easily," he said. "It is likely the increased demand for compromised access or data, correlated with the well-known success of RaaS affiliate programs emerging pre-pandemic, influenced the appearance of new RaaS providers," he said.

Devo Technology's Ollmann added that increased attacks on out-of-office employees had more to do with spammers than ransomware actors themselves.

"The top ransomware operators tend to purchase phishing and spam delivery capabilities from other ecosystem providers. Growth and success in ransomware attacks ... is more about the sophistication and targeted campaign services run by the phishing service providers than it is about the ransomware operators themselves."
—Gunter Ollmann

5. Attackers are now targeting embedded devices (maybe)

The Internet of Things is another target. The embedded devices of the IoT handle a variety of tasks, from opening car doors to controlling industrial processes. "Malicious actors are moving away from holding data hostage and zeroing in on targeting critical infrastructure that can cause disruption to society," said Scott Devens, CEO of Untangle, a provider of comprehensive network security for SMBs. They realize they can get larger ransoms faster if their attack has the potential to cause severe consumer pain, he said.

IoT devices can be like a doorway into an organization's critical systems, said Adam Radicic, managing director for Asia operations for Casaba Security, a cybersecurity professional services firm.

"Threat actors use [IoT devices] as a door to get in, then they close it and no one knows they got in."
Adam Radicic

"It's hard to monitor thousands and thousands of devices without some kind of AI assistance," he noted.

Once such attacks become common, he said, threat actors will just tell an organization that they have access to its network and will demand to be paid for not attacking.

Intel 471's DeBolt maintains, however, that attacks on embedded systems are still a rarity. "There have been instances where attacks have found their way into systems through embedded devices, primarily POS systems, but the overwhelming majority of ransomware cases we observe are aimed at businesses or other organizations in the hopes they will pay a hefty ransom to unlock their systems," he said.

"Attackers want to disable entire systems, not just one portion."
—Michael DeBolt

Devo Technology's Ollmann is even more skeptical about attacks on embedded systems: "While the threat exists, I think that jackware is really vendor marketing FUD."

6. Attacks are now more focused, sophisticated, and stealthy

Bulk email phishing campaigns have largely been replaced with highly targeted spearphishing attacks, which are harder to detect and have a much higher success rate, said Rita Gurevich, founder and CEO of Sphere Technology Solutions, a data governance software and services company. And, she added, ransomware actors have altered their victim strategy. "

A few years ago, ransomware was primarily focused on targeting consumers, but recently we have seen a switch to the more lucrative corporate arena. Recent attacks against the US supply chain ... have shown the success of this new strategy."
Rita Gurevich

Even corporate targets are carefully scrutinized by ransomware actors. "Attackers research their targets’ financial situation," DeBolt said. "Knowing what sweet spot to hit with their demands" gives them a leg up in ransom negotiations.

The attack model has also evolved, from an automated "spray and pray" approach to a more methodical, distributed model, said Bishop Fox's Edgeworth.

"Human attackers take great efforts to remain undetected once an initial foothold to a network has been obtained," he explained. "From this foothold, an attacker is then able to patiently and quietly observe the victim's network, to identify where sensitive data stores reside, and to discern what security precautions exist on the victim's network."

That lets the attackers craft a plan of attack to cause the greatest amount of disruption within a short time window to motivate a victim to pay the ransom demand, Edgeworth said.

He also noted that sophisticated ransomware actors avoid using malicious software tools because they can trigger alerts that could give defenders an early warning. Instead, they "live off the land," he said, using tools, services, applications, and data already residing on compromised systems.

How to roll with ransomware's evolution

Security teams are beginning to address these evolving trends, and recent initiatives by the federal government and corporations have changed the narrative from one of responding to ransomware attacks to preventing them, Sphere Technology's Gurevich said. IT and security professionals are ensuring backups are in place, increasing training for users, and implementing an effective access governance model, she added.

"IT and security professionals also need to adapt to their new environment. The skillset they successfully employed a few years ago may not suffice against the sophisticated ransomware attacks of today."
—Rita Gurevich

Better risk management practices must also be adopted, including threat modeling and adversary emulation, said Chris Morales, CISO of Netenrich, a security operations center services provider.

"Today, risk management practices are qualitative and occur only a few times a year, if ever. Risk operationalization means continuous attack surface analysis to understand the current state of your environment and capabilities and to effectively understand the time-to-compromise before an attack happens."
Chris Morales

Keep learning

Read more articles about: SecurityInformation Security