Ransomware Tactics Evolve
The tide of ransomware ebbed recently, but the threat persists as attackers change their approaches. Learn how to defend against their newest tactics.
Key Points
- Ransomware incidents subsided last year, but attacks are growing more ruthless.
- To force payments, attackers are now plaguing organizations with harassment, crashing servers and destroying data.
- Planning, training, and automation offer the best tools available to keep up with the evolution of ransomware gangs.
Ransomware may have ceded the spotlight to identity-based attacks recently, but that’s no reason for defenders to let down their guards. Malicious actors are evolving their tactics to adapt to new tools and measures to block their exploits.
Bolstered defenses proved useful in protecting companies against the more common ransomware tactics. So the tide of ransomware impact has receded from the high-water mark set during the early days of remote work during the pandemic, when healthcare and research organizations were targeted by cybercriminals. Mimecast’s State of Email Security 2023 survey (SOES 2023) found the number of organizations worldwide reporting a significant impact to business operations by a ransomware attack declined to 29%, from 38% the year before. A number of factors, including stronger cybersecurity, data backups, and improved incident response, led to reductions in both ransomware attacks and payments in 2022.
But this doesn’t mean ransomware gangs are in retreat. Rather, they’re rewriting their playbooks. Some newer ploys include recruiting insiders for their attacks, using harassment and outright data theft or destruction to force victims’ hands, and doubling up on attack vectors during payout negotiations and beyond. As a result, companies also need to evolve their cyber defenses and fortify their incident response plans.
The Evolution Of Ransomware
Ransomware has made many evolutionary leaps since 1989, when a biologist infected attendees at an AIDS research conference with a Trojan horse virus via floppy disc and demanded a $189 check.[1] In recent years, ransomware has gone mainstream with cybercrime gangs taking advantage of increased connectivity and digitization.
As companies have built stronger cyber defenses and improved their response and recovery plans (urged on by stricter cyber insurance underwriting rules and stronger regulatory requirements), simply locking up a company’s data is no longer enough to guarantee a big payday. The bad guys have had to rethink their approaches. A few of the more recent trends in ransomware attacks include:
- Insider Trading: Now that organizations have stepped up their defenses, making it harder to break in, bad actors are recruiting insiders for their attacks. Rather than open a back door and infiltrate the network via a phishing attack or exploiting a known software vulnerability, they partner with someone with legitimate access to the network and valid credentials to hold a door open for them. One prominent cybergang even boldly advertised on the Dark Web, offering up to $1 million in for information on software vulnerabilities it could exploit.[2] Karmically, the gang itself became a victim of an insider of its own who leaked its profitable ransomware-as-a-service files to the public.[3]
- Scorched-Earth Tactics: As more organizations refuse to pay up — the rate of victims paying ransom dropped from 76% to 41% over the last three years[4] — attackers have upped the pressure. Rather than negotiate quietly, attackers are harassing not just their victims, but their victims’ customers to force payment. The use of harassment had jumped from 1% of attacks in 2021 to 20% by late 2022.[5] Destructive attacks, which flat-out delete the affected data instead of merely encrypting it until the victim pays for a decryption key, are becoming a more popular tactic to force payouts as well. One organization — an offshoot of the gang that carried out a ransomware attack which crippled a U.S. fuel pipeline in 2021 — is said to be testing ransomware that destroys data automatically.[6]
- Multiple Fronts: The bad guys have also evolved to use several different tactics to compel payments from reluctant targets, even those organizations that have set up data backups to resist extortion. More than three-quarters of companies affected last year suffered ransomware attacks using multiple threats.[7] Some fraudsters are backing up their threats with denial-of-service (DoS) attacks that crash networks to prevent organizations from operating double-, triple- and even quadruple-extortion schemes that threaten to sell or publish sensitive data also have become more common. Some cyber gangs are even breaking their ransom agreements and going back to the well for further payouts; they keep a copy of the data to pressure their victims to pay again to keep the information private. In the wake of a recent incident, one cybersecurity expert warned: "You can't really rely on the commitments being made by these attackers."[8]
How To Defend Against Today’s Ransomware Threats
Organizations have been protecting themselves better against ransomware, forcing the bad guys to resort to new tactics. However, cybercriminal gangs — and ransomware-as-a-service brokers on the Dark Web — are nothing if not adaptable.
To fight back, a few best practices can help. These include:
- Having a Plan: Considering it takes on average 49 days to detect and contain a ransomware attack, strategizing in the middle of an incident is not a good look.[9] Having a playbook that can be put in motion the moment an attack is detected can help contain the damage and stop the exploit in progress. Organizations can set up (and practice) a protocol that can be activated quickly covering mitigation steps, crisis communications, and ownership of each process. It should include a ransomware payment policy as well as steps to take after the attack to analyze why it happened and how to avoid a repeat incident.
- Training Continuously: Security awareness training remains one of the most effective first lines of defense, helping employees spot suspect emails and stop the phishing attempts that often enable a ransomware attack. Additionally, tabletop exercises are valuable as well — to drill into the incident response plan and update it to reflect new threats, find holes in the security net, spot which stakeholders still need to be included, and improve the overall response.
- Automating Defenses: Phishing attacks that plant malware in the system are still the most common vehicle for fraudsters. Automating email filters and scans can short-circuit attackers before they gain access, without burning out security staff. Anti-malware and anti-spam filters can block messages carrying ransomware, while mail scans and alerts stop users from clicking on suspect links or attachments that squeeze through. Additionally, automated solutions that back up critical data can minimize the impact of a ransomware attack on the organization.
- Increasing Identity Protection: Like phishing, credential abuse and theft are often useful tools for ransomware attacks. Enabling multifactor authentication (MFA) to verify users are not malicious actors can better lock down back doors, making it harder for attackers to use stolen credentials to get in and install ransomware. A strong access policy that prevents users from freely roaming the network can also help curb insider threats. Additionally, companies can consider passwordless authentication and biometric markers as an alternative to traditional logins. The bad guys may be experimenting with “deep fakes” to cheat those systems, but they haven’t perfected the tactic yet.
The Bottom Line
Ransomware attacks may have dipped, but as long as fraudsters can make money off an exploit, they will continue. The bad guys adapt their tactics, even as defenders boost their countermeasures, so it’s essential to remain alert and adapt as well. Ransomware attacks are costly and destructive, but not inevitable. Read more about how to protect your organization and fight back against ransomware with Mimecast.
[1] “The history and evolution of ransomware,” TechTarget
[2] “Ransomware Gang Offers Bug Bounty, Promises Payouts Up to $1 Million,” PC Magazine
[3] “Turnabout is Fair Play? LockBit Ransomware Builder Leaked to Public by ‘Disgruntled Developer,” CPO Magazine
[4] “Improved Security and Backups Result in Record Low Number of Ransomware Payments,” Coveware
[5] “2023 Unit 42 Ransomware and Extortion Report,” Palo Alto Networks
[6] “Hackers are testing a destructive new way to make ransomware attacks more effective,” ZDNet
[7] “Nearly 4 in 5 Ransomware Attacks Include Threats Beyond Data Encryption, Finds 2023 Cyberthreat Defense Report,” BusinessWire
[8] “What is LockBit, the malicious software used against Indigo, SickKids?” The Canadian Press
[9] “Cost of a Data Breach 2022,” Ponemon Institute
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!