Incident Response | Jan Kahmen | 4 min read

How is ransomware developing?

Recent advances, such as effective law enforcement efforts to combat ransomware, government policy changes, global sanctions and the impending regulation of cryptocurrencies, are forcing attackers to adapt their tactics - both to overcome new obstacles and to capitalize on new opportunities.

1. Focus on Data Extortion and Monetization

According to Adam Meyers, the head of intelligence at CrowdStrike, cybercriminals shifted their tactics in 2022, as data extortion attacks became a more appealing and lucrative option compared to ransomware. This change in behavior has been driven by the ease and profitability of data extortion, which poses fewer risks and attracts less attention than ransomware attacks. Meyers noted that ransomware is loud and can easily be detected, while data encryption is a much more complex process.

Although ransomware groups are not known for profiting from stolen data, they have established themselves as major players in the underground market. By acting as a conduit for other cybercriminals, these groups can maximize profits while minimizing their own risk. For the victim, however, a single security breach can have devastating consequences: sensitive data falls into the hands of malicious individuals and may be shared online, causing even more damage to the business.

2. Targeting the Cloud

Although cloud resources are widely dispersed, which makes them difficult to target, attackers are constantly developing new tactics to exploit unused resources. According to a study conducted by the Google Cybersecurity Action Team, a staggering 86% of compromised cloud instances were used for cryptocurrency mining. This poses a serious problem, as attackers already involved in cryptojacking can easily move on to install ransomware on these vulnerable systems or even sell access to established ransomware groups.

3. Targeting Uncommon Platforms

Leading experts in the field of cyber security know that even the smallest attack can have catastrophic consequences. It is important not to overlook any potential vulnerability, as even unusual systems can pose a significant risk to an organization. Ransomware groups are aware of the importance of critical devices, especially when backups are not available.

These attackers do not limit themselves to traditional methods, as shown by the 2017 proof of concept created by researchers at the Georgia Institute of Technology. This demonstrated the ability to deploy ransomware on a programmable logic controller (PLC). Replacing or modifying such a device can be extremely expensive, making it an ideal target for ransomware groups seeking financial gain.

4. Using Zero-Day Vulnerabilities

Large ransomware groups such as LockBit and ALPHV (also known as BlackCat) have often caused chaos by exploiting newly discovered vulnerabilities before organizations could implement the necessary patches. This has been the case with recent "day one" exploits, including the PaperCut vulnerabilities (CVE-2023-27350 and CVE-2023-27351) discovered in April 2023 and the vulnerabilities in VMware's ESXi servers exploited by the ESXiArgs campaign.

5. Scaling Up with Automation

Ransomware gangs and security experts battle each other much like a pitcher and a hitter would duel in baseball. In this game, the criminal actors on the dark web focus on causing incidents, while security automation focuses on incident response. To increase the speed and volume of their attacks, ransomware gangs are leveraging automation throughout their attack cycle. To keep up with this evolution, security professionals have turned to detection-based automation, which allows organizations to defend at scale and with the speed needed to hit the ball on every pitch. Much like baseball, there can be no draws in the cyber world. Intelligence gives the upper hand.
