Organizations should assume that they and any of their employees can be a target for ransomware gangs as they hold the data the threat actors seek.
Most threat actors today are motivated by financial gain and will use a variety of tactics to extort multi-million-dollar ransoms from organizations.
This year we have seen the Costa Rican government held to ransom by the Conti ransomware gang, an Illinois university close its doors because of a ransomware attack and the Lapsus$ hacker group target both Microsoft and Okta.
The ongoing threat from ransomware gangs is clear, and in this article CS Hub will explore some of the biggest ransomware trends that cyber security practitioners are seeing today.
RaaS
Ransomware-as-a-Service (RaaS) may not be new, but it is continuing to mature and makes it easy for non-technically minded criminals to take advantage of organizations. RaaS allows threat actors to use already-developed ransomware tools and services to carry out attacks.
RaaS highlights how cyber crime is a fully fledged economy. There is the individual that develops and maintains the ransomware tools that power the attacks and then there is an affiliate that will invest in these tools in order to carry out attacks. There is no one ransomware family here and the profits of an attack are typically split between the RaaS developer and the attacker. An access broker may also be involved in the operation in order to secure the entry point to the network for the RaaS to be deployed.
Also referred to as the RaaS gig economy or human-operated ransomware (a term coined by Microsoft), attacks involving RaaS tend to evolve their attack patterns depending on what weaknesses the operators discover in security systems.
Double and triple extortion
In 2021, Darktrace said that more than 16 ransomware groups actively utilize the double extortion tactic. The tactic is popular because it gives cyber criminals leverage even if you have successfully and securely backed up your critical data.
Through this tactic, threat actors exfiltrate data rather than simply encrypting it, meaning that if an organization refuses to pay up, sensitive data can be made public or sold on the dark web to the highest bidder.
More worrying still, triple extortion is now a talking point in the cyber security community: threat actors also threaten third-party victims, for example, in the case of healthcare, patients whose data has been stolen, or business partners the organization works with.
Spear phishing
Phishing is one of the most well recognized forms of malicious activity and usually comes in the form of an email. Threat actors will send a fraudulent email which purports to be from a trusted organization, with the purpose of convincing victims to click links or send sensitive information.
This type of malicious activity is generally untargeted: many thousands of recipients receive the same message in the hope that one of them will fall prey to the tactic. Spear phishing is a more targeted version of this and involves crafting an extremely targeted email or message which contains personal or relevant information and is intended for a single person.
For this reason, spear phishing threats are much harder to distinguish than general phishing threats as the actors will have taken every measure they can to ensure the message does not appear out of the ordinary.
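The article describes the tell-tale shape of a phishing email (a sender purporting to be a trusted organization, a link the victim is urged to click) but does not show how a defender would check for those signs. The following is an added example, not code from the CS Hub article or from any vendor it mentions. It parses an email message and reports three indicators that mail-filtering teams commonly look for: a display name that claims a trusted brand while the sending domain does not belong to that brand, a Reply-To domain that differs from the From domain, and a link whose visible text shows one domain while the href points to another. The brand list (`TRUSTED_BRANDS`), both sample messages and their domains are constructed for illustration; the crude "last two labels" domain helper is an assumption and a real deployment would use the public suffix list.

```python
"""Phishing indicator check: an added, self-contained example (not from the article).

All sample messages, addresses and the trusted-brand table are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands this organisation expects mail from, with the domains they really send from.
TRUSTED_BRANDS = {"examplebank": {"examplebank.com"}}

# Matches <a ... href="...">visible text</a>; good enough for the simple HTML used here.
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registrable_domain(host):
    """Crude registrable-domain approximation: the last two DNS labels (assumption; real code uses the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(addr):
    """Registrable domain of an RFC 5322 address, or '' if it has no @."""
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicator strings; an empty list means none of the three checks fired."""
    msg = message_from_string(raw_message)
    indicators = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of_address(from_addr)

    # Indicator 1: the display name invokes a trusted brand but the From domain is not one of the brand's domains.
    compact_name = display_name.lower().replace(" ", "")
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in compact_name and from_domain not in domains:
            indicators.append(f"display name claims '{brand}' but From domain is '{from_domain}'")

    # Indicator 2: replies are steered to a different domain than the one the mail claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of_address(reply_addr)
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # Indicator 3: anchor text displays one domain while the href actually points somewhere else.
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for href, text in LINK_RE.findall(body):
            visible = TAG_RE.sub("", text).strip()
            shown_host = urlparse(visible).hostname if "://" in visible else None
            real_host = urlparse(href).hostname or ""
            if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
                indicators.append(f"link text shows '{shown_host}' but href points to '{real_host}'")
    return indicators


# Constructed sample: a message with all three indicators present.
SUSPICIOUS = """From: "Example Bank Security" <alerts@examp1e-bank-login.net>
Reply-To: helpdesk@mailer-relay.example
To: finance@victim.example
Subject: Action required: verify your account
Content-Type: text/html

<p>Please confirm your details at <a href="http://examp1e-bank-login.net/verify">https://examplebank.com/secure</a> within 24 hours.</p>
"""

# Constructed sample: a message from the brand's real domain with a consistent link.
LEGITIMATE = """From: "Example Bank Security" <alerts@examplebank.com>
To: finance@victim.example
Subject: Monthly statement available
Content-Type: text/html

<p>Your statement is ready: <a href="https://examplebank.com/statements">https://examplebank.com/statements</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", phishing_indicators(sample) or "no indicators")
```

Each indicator on its own is only a hint: legitimate bulk mailers sometimes use a separate Reply-To domain, and marketing mail often links through tracking hosts. The value of the check is in combining the hints with the organisation's own list of expected sender domains, which is exactly the context a generic filter lacks and a spear-phishing message is crafted to exploit.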
Destructive ransomware
Destructive ransomware is a family of malware which, as the name suggests, is designed to destroy data or to damage or otherwise restrict access to systems and services.
There are several methods through which this is done: some variants simply destroy data, while others erase the master boot record or volume boot record, crashing the machine's operating system or damaging it permanently.
Destructive malware uses traditional and popular distribution vectors such as worms sent through emails and instant messages, Trojan horses dropped from websites, or infected files that have been downloaded.
The cost for victims of destructive malware is significant: according to IBM, it averages around US$239mn for the businesses hit, with more than 12,000 computer workstations and servers destroyed on average.
Backdoor capabilities
A backdoor is a method threat actors use to gain access to a system by bypassing its normal authentication procedures. Through it, remote access to application resources can be gained, giving threat actors full access to databases and file servers and the ability to issue commands and update their malware.
Attaining backdoor access offers threat actors a significant amount of control and convenience, as they are able to hijack systems for their own purposes, including further uploading or distributing malware. Backdoor attacks are one of the more common types of attack; research from Malwarebytes found that backdoors were the fourth most common threat detection in 2018 for both consumers and businesses.