Ransomware is getting more sophisticated: 5 trends that will keep us busy for a long time to come
Malware-as-a-service and ransomware-as-a-service mean that launching a successful cyberattack no longer requires a sophisticated hacker community: anyone can rent everything they need to launch an attack. And that is not all that has been happening in the ransomware segment lately.
A ransomware attack on bicycle manufacturer Prophete in late November 2022 brought operations to a standstill for several weeks. The resulting losses were heavy, and the already struggling company had to file for bankruptcy. This recent example shows just how serious the impact of ransomware attacks can be. The scam is not new: cybercriminals have been distributing encryption Trojans over the Internet since 2005, so one might expect that corporate IT and the IT security industry would have gotten a handle on the problem by now. Far from it: in the IDC study “Cybersecurity in Germany 2022”, 70 percent of the 206 surveyed German companies with more than 100 employees stated that they had been affected by ransomware. About half of them were able to block or isolate the attacks before any major damage was done.
The fact that more and more companies are suffering the same fate as Prophete is not only due to the increasing number of attacks: the extortionists are also getting better at undermining the security measures that companies have in place. The high number of attacks and the high success rate of cybercriminals can also be attributed to the ransomware-as-a-service business model, which makes attacks possible without much technical expertise.
According to experts, five trends have crystallized in recent years:
1. Diversification of the ransomware business model
In addition to the classic hacker groups specializing in ransomware that we read about in the media, two other groups have turned their attention to blackmailing companies and organizations. Highly professional criminal organizations are increasingly targeting large companies in the manufacturing or service sectors, bringing business to a standstill and demanding ransoms in the millions. Then there are state-sponsored actors, not least in the context of the war in Ukraine, who attack the infrastructure and authorities of hostile countries to disrupt operations, or even use ransomware to finance their own state. At the other end of the spectrum are individuals who rent ransomware tools and entire attack infrastructures to extort money from small and medium-sized businesses.
2. Double extortion
Cybercriminals who seize corporate data have begun blackmailing their victims in two ways. First, they demand a ransom to decrypt the data, and second, they threaten to publish sensitive data or give it to competitors if their demands are not met.
3. Attacking on multiple fronts
Company networks are exposed to a flood of malware every day, much of which is “only” used to prepare for ransomware attacks. This malware loads further malware, steals credentials, and opens the door to sophisticated attacks by ransomware variants such as Ryuk or Netwalker. Even when IT discovers and removes such an infection, the threat has not necessarily been averted: the credentials may already have been compromised, and the backdoors opened by the malware are just waiting for the next wave of attacks.
4. Not just Windows
The vast majority of attack tools target Windows systems because it is by far the most widely used operating system. The Windows remote maintenance tool RDP (Remote Desktop Protocol) has probably become the most important attack vector, especially because the home-office boom of recent years has increased the need for remote maintenance.
Increasingly, however, cybercriminals’ tools “support” multiple platforms and are built with cross-platform languages such as Go or Python, or frameworks such as Electron. Because of its widespread use in the server market, Linux has long been targeted by attackers who use malware to hijack server capacity for cryptomining or DDoS attacks. The same backdoors and exploits also serve as entry points for ransomware attacks.
Smartphones and tablets account for the majority of interactions with Internet applications, so it is no surprise that iOS and especially Android devices are being targeted by cybercriminals. A growing number of fake apps are being developed for both platforms to steal login credentials (user accounts, online banking and shopping) and to plant malware or spyware.
5. The misuse of security and analysis tools as weapons of attack
An important part of security is the identification of vulnerabilities and security gaps, for example through penetration testing. As we have seen in recent years, cybercriminals are increasingly turning the security tools designed for this purpose against their victims, using them to find vulnerabilities and harvest credentials. The open source tool Mimikatz, for example, has been misused to extract credentials. Pirated copies of commercial penetration testing tools, such as Cobalt Strike, are also circulating in the digital underground and being used in ransomware attacks. Cobalt Strike was used in 47 percent of all attacks for which Sophos Rapid Response was called in the first three quarters of 2022.
Conclusion
With ransomware-as-a-service and the availability of sophisticated attack tools, the barriers to entry for cyber attackers are being lowered. Malware, hacking tools, and network credentials that potential attackers can rent or buy make ransomware attacks a lucrative business model for both individuals and organized crime. The widespread use of home offices and cloud applications increases the attack surface. Coordinated attacks using botnets and standard interfaces can quickly overwhelm IT departments that are already understaffed.