Incident Response | Jan Kahmen | 4 min read

How Is Ransomware Developing?

Recent developments, including effective law enforcement action against ransomware, changes in government policy, global sanctions and impending regulation, are reshaping how ransomware groups operate.

Recent developments such as more effective law enforcement, shifts in government policy, global sanctions, and the growing regulation of cryptocurrencies are forcing attackers to adapt their tactics. They are working both to overcome new obstacles and to seize emerging opportunities.

1. Focus on Data Extortion and Monetization

According to Adam Meyers, Head of Intelligence at CrowdStrike, cybercriminals shifted their approach in 2022 as data extortion became a more appealing and lucrative alternative to traditional ransomware. This change was driven by the relative ease and profitability of data extortion, which carries fewer risks and attracts less attention. Meyers pointed out that ransomware attacks are noisy and easily detected, whereas stealing and leveraging data is a far more discreet operation.

While ransomware groups were not traditionally known for profiting directly from stolen data, they have since established themselves as significant players in the underground market. By acting as intermediaries for other cybercriminals, these groups maximize their profits while minimizing their own exposure. A single breach can have devastating consequences: sensitive data ends up in the hands of malicious actors and may be published online, compounding the damage to the affected organization.

2. Targeting the Cloud

Although cloud resources are widely distributed and harder to attack, threat actors are continually developing new methods to exploit unprotected instances. According to a study by the Google Cybersecurity Action Team, 86% of compromised cloud instances were used for cryptocurrency mining. This is particularly concerning because attackers already engaged in cryptojacking can easily pivot to deploying ransomware on these vulnerable systems or selling access to established ransomware groups.

3. Targeting Uncommon Platforms

Experienced security professionals understand that even seemingly minor attack vectors can have catastrophic consequences. No potential vulnerability should be underestimated, as even unusual systems can pose a significant risk to an organization. Ransomware groups have long recognized the value of targeting critical devices, especially when no backups are available.

These attackers are not limited to traditional methods, as a 2017 proof of concept from researchers at the Georgia Institute of Technology demonstrated: they successfully deployed ransomware on a programmable logic controller (PLC). Since replacing or reprogramming such devices is extremely costly, they make ideal targets for ransomware groups.

4. Exploiting Zero-Day Vulnerabilities

Major ransomware groups like LockBit and ALPHV (also known as BlackCat) have repeatedly caused significant damage by exploiting newly discovered vulnerabilities before organizations could deploy the necessary patches. Recent examples include the PaperCut vulnerabilities (CVE-2023-27350 and CVE-2023-27351) disclosed in April 2023 and the VMware ESXi server flaws exploited by the ESXiArgs campaign.

5. Scaling Up with Automation

Ransomware groups and security professionals are locked in a constant arms race. Criminal actors on the dark web focus on triggering security incidents, while defenders concentrate on rapid detection and response. To increase the speed and volume of their attacks, ransomware groups are automating their entire attack cycle. To keep pace, security teams have adopted detection-based automation that enables organizations to defend at the necessary speed and scale. In this contest, there is no standing still: whoever has the better threat intelligence holds the upper hand.
