
Ransomware Trends Worth Paying Attention to in 2022


Ransomware continues to evolve. It began as a basic denial of service achieved through file encryption, and now leans on the threat of data disclosure to pressure victims into paying. Extortion tactics are diversifying, alongside novel attack techniques and more complex motives.

Although defenders have improved their recovery methods, new ransomware variations continue to surprise them. Recent innovations include varied extortion methods and more sophisticated attack strategies, which constantly challenge defenders' understanding of the ransomware landscape.

Triple and quadruple extortion now commonplace

The shift from extortion through file encryption alone to the threat of public data release (double extortion) is now so well entrenched that every victim must assume a ransomware attack also signals a data breach. More recently, triple extortion has appeared, whereby attackers attempt to coerce payment by threatening to contact the victim's partners, customers, and shareholders directly. A further twist is the return of DDoS extortion, an older technique in which attackers threaten a disruptive DDoS attack on public-facing systems. The lesson here is that if a combination of these techniques achieves a higher ransom payment rate, it will become universal in time. Organisations urgently need to plan for this when revising their incident response and disaster recovery plans.

Cross-platform ransomware is a new threat

A long-simmering ransomware issue for criminals is how to make malware development easier with the objective of targeting a wider range of computers using the same underlying code. This accounts for the increasing use of cross-platform programming languages such as Rust and Golang in ransomware samples, a good recent example of which is the use of the former in the Blackcat (ALPHV) ransomware attacks detected earlier this year. The technique also makes the rapid analysis of malware binaries harder for researchers.

Hacktivism has discovered ransomware

The high point for hacktivism happened more than a decade ago when Anonymous DDoS attacks and a small army of social media hijacks and website defacement attacks became commonplace. More recently, ransomware attacks with a claimed hacktivist theme have increased, almost all based on the controversial 2015 release of the HiddenTear open source code. Others such as the recent Belarusian Cyber Partisans attack on the railway service of Belarus have unknown origins. Around the same time, someone posted source code connected to the notorious Conti gang, a dangerous event which might eventually fuel a much bigger spike in DIY ransomware with a political angle.

MSPs are being targeted to bypass security

The 2022 MSP Threat Report from remote management company ConnectWise reported a major increase in the targeting of service providers in the second half of 2021, possibly inspired by the Kaseya VSA supply chain attack, which compromised around 50 MSPs and 2,000 of their customers. This trend makes sense: compromise a single MSP and the attackers have an open gateway to that MSP's customer base. It's like attacking from within the city gates, and few organisations have the tools needed to detect this type of attack before it does damage.

Ransomware is becoming more destructive

Conventional wisdom says that damaging files is anathema to ransomware because it would be self-defeating. If victims know their files are damaged, clearly there's no point in paying to have them returned. Despite this, several examples of destructive ransomware have appeared in the last year, including Onyx, which overwrites all files larger than 2MB by default, and LokiLocker, which uses data wiping as a threat to encourage cooperation from victims. The technique isn't completely new, but its use could become a problem if attackers start using it to demonstrate the threat they pose early in negotiations.

Cyber-insurance is becoming a taskmaster

According to the Sophos State of Ransomware 2022 report, the majority of global organisations now have some form of cyber insurance that specifically covers ransomware attacks. However, the report also found that cyber insurance is not as easy to get as it once was, with 40% of respondents noting a decline in the number of providers. Just over a third of respondents said that the insurer's checking process takes longer, and 47% mentioned rising premiums. Overall, 54% said that the level of cyber security needed to qualify is now higher. At the same time, these demands could have the positive effect of driving up cyber security standards.

Conclusion

One of the most intriguing issues to watch for is whether countries such as the US might enact laws that make paying ransoms much harder or, in some cases, impossible. Already, a Ransomware and Financial Stability Act has been promoted in Congress while several states have or are considering banning payments by public bodies. Meanwhile, the fact that the most active ransomware groups have ties to the Russian state could put anyone paying a ransom in breach of sanctions advice from the US Financial Crimes Enforcement Network (FinCEN). None of this directly affects UK organisations but could still set precedents in ways that influence best practice.
