Ransomware Trends to Watch

June 15, 2021
Data Protection, IT Security

It happened again – this time to the US’s top beef producer and its second-largest producer of pork. A ransomware attack prompted shutdowns at the company’s domestic and international plants. While the incident is still under investigation, the disruption will likely impact the beef market and wholesale beef prices.

How and why do these cyberattacks keep happening? For one thing, the criminals perpetrating them are successful – if not in getting the ransoms they demand at least in causing significant damage.

It’s also difficult for many organizations to prevent them – or at least mitigate the damage – because the rules and players keep changing. The fact is that cyberthieves are always looking for new ways to make money and wreak havoc. While it’s difficult to predict what they’ll do next, there are a few trending tactics to watch ─ and to ensure your IT security and vulnerability management strategies are ready to defend against. The following are some of the trends featured in US Signal’s eBook – Ransomware: Enemy at the Gate. (It also contains useful tips for defending against ransomware.)

Double Hits

Never trust a cyberthief. They’re not content to just hijack data and hold it for ransom. Increasingly, they’re employing ways to inflict more pain on their victims in their efforts to force them to pay up. That includes double extortion, a tactic that involves stealing data from organizations, as well as encrypting their files. In addition to demanding a ransom to decrypt data, attackers can later threaten to leak the stolen information unless additional payments are made. Nearly 40% of ransomware families discovered last year utilized this ransomware method.

Other cybercriminals are using distributed denial of service (DDoS) attacks to force their victims to pay a ransom. With a DDoS attack, the cybercriminal floods a website or a network connection with more requests than it can handle, making the service inaccessible. If the ransomware victim doesn’t respond the ransom demand, the cybercriminals use the DDoS attacks to take down a victim’s site or network until the victim contacts them and begins negotiating a payment.

Still others are using the data they steal to mount attacks on the initial victim’s partners or suppliers, as seen in the attack on Blackbaud, a cloud software supplier.

Cloud Infrastructure Attacks

One of the benefits of moving to the cloud is accelerating time to market. That works for cybercriminals too, which is why they’re using cloud-based services and technologies to accelerate their ransomware attacks. The move to the cloud significantly decreases the time between when data is stolen to when its used against victims. It’s also opening new opportunities to cyberthieves.

That includes cybercriminals selling access to “clouds of logs,” which are caches of stolen credentials and other data hosted in the cloud. Credentials for accessing cloud platform portals are also sold to criminals who specialize in selling bulletproof-dedicated services. The information can be used to spawn instances of virtual machines that are then sold in underground markets.

Expect to see more attacks targeting the cloud native infrastructure, including serverless platforms and containers, too. It’s also likely that cybercriminals will start developing tools powered by machine learning (ML) to speed up data extraction and analysis processes that enable them to make categorization of the large amounts of stolen data easier.

Remote Work

With the pandemic forcing many organizations to implement work-from-home options, the potential attack surface for ransomware expanded. As IT teams quickly implemented remote desktop environments, cybercriminals looked for holes in Remote desktop protocol (RDP), Microsoft’s proprietary network communications protocol, and unpatched vulnerabilities in VPNs.

Cybercriminals also see organizations’ whose staff are working from home as easy targets. Their rationale: remote workers are less likely to be able to defend themselves from ransomware attacks, and provide potential access into high-value corporate networks. Cyberthieves also know that remote employees’ data may be covered by cyber-insurance, making some organizations less resistant to paying ransoms.

Ransomware as a Service (RaaS)

Cybercriminals no longer must create their own ransomware thanks to RaaS. RaaS works much like Software as a Service (SaaS). Ransomware developers selling or leasing ransomware to users on dark web forums. These users can then use them to launch their own ransomware attacks.

RaaS offers relatively cheap and easy access to ransomware programs for less than the cost of cybercriminals creating them on their own. RaaS providers generally take a 20% – 30% cut of the ransom profit generated.

It’s been estimated that almost two-thirds of ransomware attacks during 2020 came from cyber criminals operating on a RaaS model.

Protect Your Business From the Latest Ransomware Trends

Ransomware is an ever-evolving criminal enterprise. Staying on top of the latest threats and trends is a must. One way to do that is to take advantage of the multitude of free resources available from security experts, law enforcement and cloud service providers that can help you implement the latest best practices and security measures.

US Signal’s security experts can also help you assess your organization’s ability to defend against ransomware and other security threats. Contact us today to get started.

Additional Ransomware Resources

To learn more about ransomware, check out these articles below from our blog or visit our resource center for whitepapers, e-books and more!