
The changing face of ransomware

What you need to know to stop today’s biggest threat

Ransomware is today’s most prominent cybersecurity threat for one simple reason: It works. Cybercriminals are opportunistic by nature, and ransomware provides one of the fastest and easiest payouts.

Thankfully, even though ransomware is highly effective, you are not defenseless against it. You can stop ransomware by understanding its attack pattern and by implementing the right cybersecurity measures.

To help you get started, we have written this article to cover the following topics:

  • The evolution of ransomware
  • Current trends and attack patterns in ransomware
  • Resources to stop ransomware today and tomorrow

How we got here: A brief history of ransomware

Ransomware is not a new type of attack. Despite the fact that it has only become headline news over the last few years, criminals have been using ransomware for decades. Over this period of time, criminals have systematically increased its scope, sophistication and potential impact. Here’s a timeline of ransomware’s evolution:

  • 1989 – 2009: The first ransomware attack patterns were developed, but they remained low-impact. The first active ransomware was not discovered “in the wild” until 2005.
  • 2010 – 2012: The first big ransomware attack, WinLock, occurred in 2010 and netted $16 million for its creators. Over the next few years, the availability of autonomous payment methods (like crypto) led criminals to demand ransom payments that could not be traced — increasing the safety and feasibility of attack.
  • 2013 – 2019: The modern ransomware revolution began when CryptoLocker was released in 2013. Criminals evolved their attacks to publish stolen files and continued to demand larger ransoms – a whopping $18 million was paid out to the gang behind the CryptoWall attack in 2015.
  • 2019 – present day: Ransomware has become a major problem for everyone, since nation-states have begun to use it as a cyberweapon. A series of massive ransomware attacks have crippled national infrastructures and ransomware groups have launched attacks large enough to command ransoms of more than $100 million.

The evolution of ransomware continues to cause more significant problems for individuals and organizations. Let’s take a quick look at today’s most common ransomware trends and attack patterns — and how the threat is becoming more dangerous.

The current state of ransomware

In the beginning, ransomware was simple. Criminals used a basic trojan to deploy simple symmetric cryptography with decryption codes in the malware. Today, ransomware is highly sophisticated and can cause more harm — and command a higher ransom — than ever before.

Here are the most prominent ransomware trends that you must know and defend against today:

  1. Ransomware is getting good at evading detection

Criminals are deploying various techniques to make ransomware attacks difficult — or nearly impossible — to detect using conventional cybersecurity defenses. These evasion techniques include fileless ransomware, which is immune to signature-based detection, sandboxing and ML-based analysis; intermittent encryption; hiding malware in graphics cards; and even using old-school spycraft techniques like Morse code.

  2. Criminals are making ransomware an internal threat

This involves two primary techniques. Some criminals actively recruit employees at their target companies to join in on their attacks. The employees are promised a share of the ransom payout if they provide the valid credentials required for an initial intrusion. In the other case, criminals contact and threaten clients, employees, business partners and journalists connected to their targets in order to pressure the target into paying the ransom.

  3. Creative, multi-extortion ransomware attacks are emerging

Criminals are deploying techniques to expand their attacks and cause more damage. These techniques include running scripts to find legal and financial files to compromise, threatening DDoS attacks in addition to exfiltrating files, threatening to contact victims’ customers, running processes that actively search for and terminate backups, file copying and security solutions, and installing PowerShell scripts as services before launching their main attacks.
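
Two of the behaviors above, a PowerShell script installed as a service followed by backup and security services being stopped, can be correlated per host as an early warning. The sketch below is an added example, not part of the original article: the event layout, service names, keyword list and sample data are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed, normalised events: (timestamp, host, kind, detail).
# "service_install" / "service_stop" mirror what Windows records as System
# log events 7045 and 7036; this tuple layout itself is an assumption.
SAMPLE_EVENTS = [
    ("2024-05-01T09:58:00", "FS01", "service_stop", "Print Spooler"),
    ("2024-05-01T10:00:05", "FS01", "service_install", r"powershell.exe -File C:\ProgramData\job.ps1"),
    ("2024-05-01T10:03:10", "FS01", "service_stop", "Nightly Backup Agent"),
    ("2024-05-01T10:03:40", "FS01", "service_stop", "Volume Shadow Copy"),
    ("2024-05-01T10:04:02", "FS01", "service_stop", "Endpoint Protection Service"),
    ("2024-05-01T11:00:00", "WS07", "service_install", r"C:\Program Files\Vendor\updater.exe"),
    ("2024-05-01T11:05:00", "WS07", "service_stop", "Nightly Backup Agent"),
    ("2024-05-01T12:00:00", "DB02", "service_install", r"pwsh.exe -File D:\ops\rotate.ps1"),
    ("2024-05-01T14:30:00", "DB02", "service_stop", "Nightly Backup Agent"),
]

# Hypothetical keywords marking backup/security services; tune per environment.
PROTECTIVE_KEYWORDS = ("backup", "shadow copy", "endpoint protection", "antivirus")
SCRIPT_HOSTS = ("powershell", "pwsh")


def find_precursors(events, window=timedelta(minutes=30), min_stops=2):
    """Alert when a PowerShell-backed service install on a host is followed,
    within `window`, by at least `min_stops` protective-service stops."""
    parsed = sorted((datetime.fromisoformat(ts), host, kind, detail)
                    for ts, host, kind, detail in events)
    alerts = []
    for when, host, kind, detail in parsed:
        if kind != "service_install":
            continue
        if not any(name in detail.lower() for name in SCRIPT_HOSTS):
            continue  # service is not backed by a PowerShell script
        stopped = [d for t, h, k, d in parsed
                   if h == host and k == "service_stop"
                   and when <= t <= when + window
                   and any(kw in d.lower() for kw in PROTECTIVE_KEYWORDS)]
        if len(stopped) >= min_stops:
            alerts.append({"host": host, "installed": detail,
                           "at": when.isoformat(), "stopped": stopped})
    return alerts


if __name__ == "__main__":
    for alert in find_precursors(SAMPLE_EVENTS):
        print(alert)
```

Widening `window` or lowering `min_stops` trades fewer missed sequences for more alerts on routine maintenance, so both should be set against a baseline of normal administrative activity.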

Building the right defenses

Organizations must adopt agile cyberdefense frameworks that anticipate threats and deploy multi-stage defenses to combat these innovative ransomware attacks. Evolving your defenses to counter emerging ransomware variations requires:

  1. Identifying vulnerabilities in your digital infrastructure that attackers may exploit. This includes assessing risks, testing backups and recovery procedures, and shrinking your external attack surface.
  2. Protecting your infrastructure by hardening it against network intrusion and lateral spread within your network. This includes a wide range of actions — from vulnerability and patch management to setting up EDR services.
  3. Detecting in-progress incidents before they spread too far and create a large foothold by establishing comprehensive detection and response capabilities, such as MDR, EDR, SIEM and threat hunting.
  4. Responding to incidents and remediating them as quickly as possible to minimize impact. This can be achieved through MDR, EDR and SIEM, and by establishing CSIRT and/or DFIR services.
  5. Recovering data and returning impacted business operations to normal after an attack. CSIRT and DFIR services can play a role, as will establishing robust BCP and recovery/restore processes.

These basic capabilities and tools should be considered the table stakes for stopping ransomware at every step of an attack.

To learn how your organization can develop these capabilities, we have some resources that can help. Check out our Ransomware Defense e-book for in-depth insights on emerging trends and guidance on building effective ransomware defenses. You can also reach out to us for a personal consultation with one of our security experts to help define a ransomware defense strategy customized to your organization’s needs.

About the author

Srikanth Raju

Global Sr. Manager of Marketing for Cybersecurity Services
