Chris Rogers at Zerto gets into the mindset of today’s ransomware hackers
The ever-evolving nature of ransomware attacks poses a dynamic challenge for today’s organisations, so much so that 65% of companies now view ransomware as one of the top three most serious threats to the viability of their organisation.
In recent years, the extortion of data has become an established, lucrative, and highly professionalised industry, with attackers utilising ransomware-as-a-service models to extend and monetise their activities.
They are also adopting new tactics and techniques to circumvent the security and recovery measures organisations implement to prevent ransomware extortion. This is why last year nearly 73% of companies worldwide found they had no option but to pay a ransom to recover their data.
To stay one step ahead of ransomware and bolster their organisation’s defences, security teams will need to adopt an attacker’s mindset and understand the attack vectors and mechanisms these threat actors currently favour.
Last year’s high-profile attack on a children’s hospital in Toronto revealed that, contrary to common belief, it is possible for cyber-criminals to cross an ethical line. When an affiliate of the LockBit ransomware gang launched an attack on the hospital that locked its critical operational systems, the LockBit gang issued an apology and released a free decryptor, stating that it had banned the affiliate from its programme for violating its rules.
However, earlier this year, LockBit’s stance on these rules appeared to have changed when it defended a ransomware attack undertaken on a not-for-profit children’s hospital in Chicago, stating that it viewed the institution as fair game.
In February, US and UK authorities took joint action to take down the LockBit website and disrupt the activities of its affiliates. However, the morally questionable conduct of LockBit highlights that no organisation should consider itself safe from the attention of ransomware gangs who set out to monetise cyber-security vulnerabilities, erode trust, and damage organisational reputations.
Over the years, ransomware has evolved a number of nuances. In addition to deploying ransomware to prevent access to systems and data and demanding a ransom in exchange for decryption, criminal gangs now frequently engage in double-extortion attacks. Here, criminal groups may conduct leak-only attacks and threaten to sell or expose the data they have stolen unless they receive an additional payment. This potentially exposes victim organisations to significant reputational damage and means they will also face stiff fines from regulatory bodies as a result of failing to protect this data.
In response, cyber-security strategies will require a more nuanced approach to counter the technical sophistication of today’s attacks and the psychological and strategic aspects driving these threats.
Contemporary ransomware attacks differ from the ‘smash and grab’ mass encryption-based attacks of the past. Today, attackers will spend more time researching targets to ensure they can extract ‘valuable’ highly sensitive data. Post-compromise, attackers will threaten to leak this data unless they receive payment.
Similarly, today’s ransomware attacks increasingly target an organisation’s backup systems and repositories. The aim here is to delete, destroy or lock stored data in order to undermine a victim’s ability to recover from ransomware events, which in turn enables attackers to undertake double extortion and force organisations to pay to recover their data.
Meanwhile, new AI tools like WormGPT, a ChatGPT-style tool that enables cyber-criminals to develop sophisticated attacks at scale, are now openly available on the dark web. Built primarily to generate targeted phishing emails and business email compromise attacks, WormGPT’s ability to write and format code means it is also able to write malware. It also lowers the technical entry bar for actors looking to enter the world of cyber-crime.
The increasing prevalence of double-extortion ransomware, where attackers both encrypt and steal data, combined with the rise of AI tools, marks a significant escalation in the threat landscape.
To counter this threat, organisations will need to implement detection strategies that allow for the early identification of threats. This should include deploying advanced real-time scanning for malicious software together with analytics that make it possible to trace an attack’s origin, method and precise nature. This will enable organisations to mitigate risks before they escalate into a full-blown crisis.
Detection is just one aspect of the ransomware attack mitigation toolset. To maintain a truly robust defence against cyber-threats, organisations will need to invest in a comprehensive security stack and ensure that no component becomes outdated. This is particularly key for backup and recovery systems, which ideally should feature fully separated data vaults that cannot be infected by ransomware.
Getting ahead, and staying ahead, of today’s ransomware threats depends on understanding every facet of the ransomware landscape: the attackers, the attack vectors they favour, the mindset, and the motivations that direct what is targeted and why.
Armed with these insights, security teams can evolve their end-to-end security strategies and regularly review their cyber-security infrastructure to ensure they close down any vulnerabilities that could be exploited.
Chris Rogers is Senior Technology Evangelist at Zerto, a Hewlett-Packard Enterprise company