Ransomware – what to expect

We are at the beginning of a new year, so now is a good opportunity to predict some of the challenges we will face in the coming year. Ransomware continues to be the type of attack with the biggest impact on our customers, and in 2022 we saw lots of businesses affected by ransomware attacks. However, we have also seen a lot of changes in the threat landscape and in the handling of ransomware. In this article I will focus on some of the key trends that we currently see in ransomware, and I will try to predict what we expect to happen in the current year.

States gone rogue

The war in Ukraine has effectively destroyed the relations between Russia and most Western countries, and nothing indicates that relations will improve, even after the war ends. A humiliated and outcast Russia losing the war will turn from a global player into the world’s most dangerous rogue state, posing a serious security threat, especially to Western countries.

A rogue Russia will increasingly act like a global version of its now closest remaining friends, Iran and North Korea. Before Russia’s fall from grace, Iran and North Korea were the world’s most powerful rogue states, effectively “decoupled” from and excluded from the international community.

These countries have for a long time pursued a revisionist foreign policy via asymmetric means, including espionage, drone and missile strikes, nuclear and missile tests, support for terrorism, proxy wars, cyberattacks and the like. Both North Korea and Iran have been involved in widespread cyberattacks, and North Korea in particular has been involved in many ransomware attacks, trying to circumvent sanctions and finance its nuclear program. Russia will similarly intensify its efforts to destabilise the Western world, but with greater asymmetric security capabilities, and with the world’s biggest nuclear arsenal as the ultimate cover to deter Western retaliation. Russian-affiliated hackers will ramp up cyberattacks on Western companies and governments.

Any collaboration between law enforcement in the Western countries and Russia—which was believed to have been instrumental in the January 2022 arrests of several members of the REvil organisation—has also ceased. With the members and leadership of many ransomware organisations likely based in Russia or other Commonwealth of Independent States (CIS) countries, the opportunities for targeting their members and infrastructure will most likely be limited. As a result, the ransomware groups are free to continue targeting Western-based companies; anything that damages Western interests is likely to be looked upon favourably by the Russian government and therefore left alone.

Small is beautiful

For the past five years the ransomware threat landscape has been dominated by large and professionalised ransomware groups, constantly making headlines due to well-known victims and even seeking media attention to build a “brand” and gain legitimacy with potential victims. Some ransomware groups even had spokespeople offering interviews to journalists and issuing “press releases” on Twitter pointing to their data leak websites in response to big breaches.

In the past years we have, however, seen the fall or breakup of several of the biggest ransomware-as-a-service groups, for instance Darkside, BlackMatter, Conti and REvil. It seems that as these groups grow and gain more members, they become too ambitious and start attacking more targets, on a larger scale and against more visible victims. However, this also has the consequence that law enforcement in the Western countries notice them and start taking action. Especially after the Colonial Pipeline attack in 2021, the US intelligence services have actively been targeting the various ransomware groups, compromising their internal systems, taking down their infrastructure, identifying their members and seizing their crypto wallets. At the end of January 2023, law enforcement from several Western countries closed down the ransomware group Hive, seizing its websites and announcing that the group had been infiltrated by law enforcement for several months, allowing them to intercept encryption keys and secretly provide them to the victims. Another success for law enforcement has been the arrest of several members of various groups when they have travelled in Western countries.

As a result of this development, many of the affiliates using the ransomware-as-a-service groups are finding that it has become too risky to be associated with the large ransomware groups. Another development is a fragmentation of the ransomware groups: instead of a few very large, long-lived ransomware groups, we are starting to see many smaller and short-lived groups. Being too big for too long and having a well-known name brings the attention of the US government and its international partners.

As the groups get smaller, they might no longer care as much about their “brand name”, which can make attacks more ruthless: the attacker no longer has the same interest in actually proving that the encryption keys work, or in refraining from certain targets, such as hospitals. More short-lived groups also make it more difficult to keep threat intelligence on these groups accurate and up to date.

Defunding the cybercriminals

As law enforcement has become more focused on breaking down ransomware organisations, they have also started looking into methods of hitting the groups’ livelihood by going after their income. This strategy is seen in a number of initiatives, for instance trying to seize the criminal groups’ cryptocurrency wallets and putting more effort into advising victims on how to avoid paying.

Another initiative being discussed is simply a law prohibiting the payment of ransoms, basically removing the foundation for the criminal business. Currently this kind of legislation is being discussed in Australia and the US. Such legislation can also have some serious side effects, for instance businesses going bankrupt because they lose all their data and are unable to recover.

Backup is king

More and more organisations are finally starting to take cybersecurity more seriously, investing substantially more in security and incident response planning. This results in organisations being much better protected, and thus more difficult to compromise, and also having better incident response plans for how to react to a ransomware incident.

One of the key elements in being able to recover from a ransomware attack is having a proper and tested backup as a last resort. The latest figures from the US ransomware incident responder Coveware show that in 2019 around 85% of all victims paid a ransom, while by the end of 2022 only 37% of all victims paid.

However, fewer victims paying ransom is bad business for the ransomware groups, and the way the groups are trying to keep their business going is to attack even more companies and to be more ruthless in their attacks, for instance using double extortion tactics (that is, both encrypting data and threatening to leak it), using DDoS attacks to put extra pressure on the victim, and using re-extortion tactics, that is, demanding another ransom after the first has been paid. We also see the ransomware groups trying to automate their attacks, making the compromise of a victim’s network faster and more efficient. Some groups are also moving to simple data exfiltration only, using the threat of leaking the data as the main means of blackmail.

Wrap-up

Even though security in many businesses has improved significantly in recent years, the threat from ransomware is still very severe and present for all businesses. The ransomware criminals are constantly changing their tactics, techniques, and procedures (TTPs) in response to the security controls put in place and the actions taken by the authorities. This means that it is important to understand what is going on regarding ransomware. The forthcoming years will for sure expose us to new, currently unknown threats – I’m sure it will not take long before cybercriminals find out how to use AI technologies in their ransomware attacks.

Questions?
Just reach out

Jacob Herbst
Chief Technical Officer

Danni Bach Pedersen
Head of Cyber Defence Center

dbp@dubex.dk
+45 32 83 04 30
