
Stephen Robinson at WithSecure explores the Darwinian nature of new ransomware groups
Just as in the business world the ability to adapt is key to survival, in the underworld of cyber-criminal gangs, new groups and threats are constantly emerging, creating fresh challenges for security teams tasked with keeping pace.
This ‘Darwinian’ evolution is perhaps most evident in ransomware ecosystems and, last year, WithSecure identified that a critical factor contributing to the endurance of ransomware was the rise of new cyber-crime groups.
The frequency of ransomware attacks has been driven by these ransomware ‘newbies’, who often have ties to more established and older ransomware operations. Research from WithSecure highlighted a significant increase in multi-point ransomware groups during the first three quarters of 2023.
This evolution demonstrates both the adaptability and resilience of cyber-criminal networks and highlights that many emerging ransomware groups have evolved from existing entities. So, what does this mean for businesses, and more importantly, how do they defend against it?
The new multi-point ransomware groups employ a dual-threat approach, disrupting operations with encryption while also stealing and threatening to leak sensitive data on the dark web. In our analysis of last year there was almost a 50% increase in such incidents compared to the same timeframe in 2022, with more leaks occurring in the first nine months of 2023 than in the entire previous year.
A deeper analysis of the data breaches orchestrated by these groups paints a more alarming picture. Between January and September 2023, almost half (29) of the 60 identified ransomware gangs were new entrants.
This significant influx of fresh players has been a key driver in more frequent and more complex attacks. It’s indicative of a rapidly evolving and expanding ransomware threat landscape, where new groups are contributing to the surge in cyber-crime activity, and complicating organisations’ and law enforcers’ efforts to counteract these threats.
Although numerous new ransomware groups have emerged, many maintain ties to more established criminal groups. A key factor behind the formation of these new groups is the release and subsequent reuse of malware code, which is a double-edged sword for organisations.
The use of tried and tested methods is one of the key factors behind the ransomware groups’ success, but code reuse among the groups also serves as a critical tool for researchers, allowing them to track the origins and connections between different groups. The evolution of ransomware largely involves variations of the same tactics, enabling organisations to better anticipate and prepare for these threats.
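One way the code reuse described above becomes a tracking tool is by measuring how much raw code two samples share. The following is an added illustration, not WithSecure's tooling or anything from the article: it treats every overlapping 8-byte window of a sample as a "fragment", scores pairs of samples by Jaccard similarity of their fragment sets, and links samples that share more than a chosen fraction into one lineage. The "samples" are constructed byte strings standing in for extracted code sections (a shared core routine plus group-specific filler); the 8-byte window size and the 0.4 threshold are assumptions chosen for the demonstration, not values from any real analysis.

```python
"""Link ransomware samples by shared code fragments (Jaccard over byte n-grams).

Added example: all "samples" below are constructed stand-ins, not real binaries.
"""
from itertools import combinations


def shingles(data: bytes, n: int = 8) -> set[bytes]:
    """Every overlapping n-byte window of `data`: the unit of 'shared code' here."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Fraction of all fragments seen in either sample that appear in both."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster(samples: dict[str, bytes], threshold: float = 0.4, n: int = 8) -> list[set[str]]:
    """Union-find over pairs whose fragment overlap is at least `threshold`.

    Transitive linking matters: a fork of a fork may share little with the
    original but still belongs to the same lineage via the intermediate sample.
    """
    names = list(samples)
    frag = {k: shingles(v, n) for k, v in samples.items()}
    parent = {k: k for k in names}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(names, 2):
        if jaccard(frag[a], frag[b]) >= threshold:
            parent[find(a)] = find(b)

    groups: dict[str, set[str]] = {}
    for k in names:
        groups.setdefault(find(k), set()).add(k)
    return sorted(groups.values(), key=lambda g: sorted(g))


def _filler(seed: int, length: int = 96) -> bytes:
    """Deterministic pseudo-random bytes (LCG high byte), standing in for group-specific code."""
    x, out = seed, bytearray()
    for _ in range(length):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append(x >> 24)
    return bytes(out)


# Constructed corpus: CORE plays the role of a reused encryption routine.
CORE = _filler(0xC0DE, 512)
SAMPLES = {
    "parent_v1": CORE + _filler(1),                      # original operation
    "fork_a":    CORE + _filler(2),                      # same core, new branding
    "fork_b":    CORE[:400] + _filler(3) + _filler(4),   # partial core reuse, more new code
    "unrelated": _filler(5, 600),                        # nothing in common
}


def lineage(samples: dict[str, bytes] = SAMPLES) -> list[set[str]]:
    """Return the linked lineages for the corpus (one call for the reader and the test)."""
    return cluster(samples)


if __name__ == "__main__":
    frag = {k: shingles(v) for k, v in SAMPLES.items()}
    for a, b in combinations(SAMPLES, 2):
        print(f"{a:>10} vs {b:<10} similarity={jaccard(frag[a], frag[b]):.3f}")
    for group in lineage():
        print("lineage:", sorted(group))
```

Real-world analysts do the same thing at a higher level (function-level hashes, import tables, string sets, configuration formats), but the logic is identical: a new "group" whose samples sit in the same cluster as an older family is a rebrand or a fork, not a new threat, and the defences tuned for the parent largely carry over.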
Recognising that ransomware attacks often follow familiar patterns enables organisations to plan and defend more effectively against these cyber-threats when they inevitably target the company’s digital infrastructure.
Progress is inevitable in the world of cyber-crime, and only the most adept groups endure in this competitive landscape. To bolster their chances of survival, new ransomware gangs might seek resources, guidance, and connections from established market leaders.
A notable example is the disbandment of the notorious Conti group, which inadvertently aided the rise of new gangs. The resources left behind by Conti have provided the launchpad for several new operations, including groups like Royal, Akira, and Black Suit, all tracing their origins to Conti.
This pattern extends beyond Conti: other emerging ransomware gangs have similarly built on the Lockbit and Babuk source code leaked by dissatisfied members. Many new groups have displayed clear ties to older ransomware operations. Recycling code and resources is common among these new groups, as members often carry such assets with them when transitioning between operations.
However, it is not just source-code leaks that facilitate the transfer of tactics and tools across different ransomware groups. These gangs operate much like conventional IT companies, with staff members who may move between groups, taking their skills and proprietary resources with them. In the cyber-crime domain, there are no barriers to prevent such transfers of knowledge and tools, underscoring that there is no honour among these digital thieves.
Despite an influx of new players in 2023, established groups maintain significant influence in several ways. Notably, most ransomware groups are short-lived; of the 60 groups analysed, only six were active in every month. Groups typically cycle through starting, pausing, disbanding, or rebranding their operations, and only a select few manage to establish successful, enduring operations.
The fact that new ransomware gangs often replicate their predecessors' tactics can be advantageous for organisations, as they can anticipate likely attack strategies and ensure they have the necessary defences in place. Ransomware continues to pose a huge challenge, but there are strategies that every organisation can put in place to mitigate the impact of an attack.
With an increasing number of criminal groups at large, more than 72% of global businesses experienced ransomware attacks in 2023. This marks a significant rise from the figures reported in the last five years and, as ransomware attacks surge, occasional vulnerability scans are insufficient.
Cyber-security must be a continuous process involving regularly discovering and monitoring assets. Implementing automated scanning and consistently addressing vulnerabilities is critical in minimising risks and pre-empting threats.
Moreover, in the event of a ransomware attack, early identification and swift remediation, starting with solutions such as Endpoint Detection and Response (EDR) and Endpoint Protection Platforms (EPP), are vital. EPP serves as the first line of defence, preventing attacks, while EDR plays a critical role in detecting successful breaches and guiding organisations towards an effective response. Together, these tools provide the necessary insights and capabilities to counter ransomware threats effectively.
As new gangs emerge and existing groups continually refine attack strategies in response to defensive measures, staying vigilant and adapting to change are the key to effectively defending against these persistent threats.
Whilst ransomware continues to pose a serious threat, there is perhaps some consolation to be taken from the use of established ransomware methods and a lack of innovation. Understanding that ransomware evolves through variations of known tactics allows organisations to better anticipate and prepare for inevitable attacks.
Stephen Robinson is Senior Threat Intelligence Analyst at WithSecure
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543