What’s Next in the Evolution of Complex RansomOps?

Ransomware gangs introduced lots of new tricks in 2021. Some attack groups went beyond double extortion to impose even more pressure on their victims. With triple extortion, attackers began offering to sell victims’ data to competitors or investors unless they paid the ransom. 

Quadruple extortion takes on a similar emphasis, with ransomware actors threatening to leak or destroy their victims’ data if those individuals notify law enforcement, data recovery experts, and/or professional negotiators to help them. 

Additional Ransomware Extortion Strategies

Other digital attackers introduced another layer of encryption into their arsenal. Otherwise known as double encryption, this technique involves malicious actors encrypting victim data with multiple ransomware strains. 

One version of this tactic, layered encryption, encrypts a victim’s data with one ransomware strain and then encrypts the result with a second ransomware family, as WIRED reported. Another version, side-by-side encryption, encrypts some of the data with one ransomware family and the rest with another.

These tactics are more examples of the evolution of complex RansomOps. The ransomware landscape is no longer characterized mainly by commodity ransomware attacks that use spray-and-pray techniques to target single victims with small ransom demands, or phishing expeditions that rely on “tricking” targets into clicking on a malicious link or opening a tainted document. 

RansomOps are highly targeted, complex attacks that are more akin to an APT operation where malicious actors want to obtain access to as much of the network as possible before detonating the ransomware payload for maximum effect and multimillion-dollar ransom demands.

The developments described above raise an important question. What’s next for ransomware? Here are a few things that could take shape in 2022:

Growing Costs

Ransomware costs will continue to grow, as evidenced by their rise over the past few years. Cybersecurity Ventures predicted that ransomware damages would grow 15 times from $325 million in 2015 to $5 billion in 2017. 

Two years later, the firm wrote that ransomware damages would grow to $11.5 billion by the end of the year—up from $8 billion in 2018. It then noted that this price tag would increase to $20 billion in 2021.

Looking ahead, Cybersecurity Ventures predicts that ransomware costs will increase to $265 billion by 2031, and attacks will occur every two seconds on average over that year. 

Diversification of Support Services

The ransomware landscape will continue to diversify with initial access brokers (IABs) and other types of actors. Not all this diversification will occur in the public eye. As an example, PRNewswire wrote that many IABs are now moving away from public forums to private channels with trusted clients. This tactic helps IABs evade law enforcement detection, all while serving the Ransomware-as-a-Service (RaaS) ecosystem with network access. 

Per Cybersecurity Dive, IABs aren’t the ones initiating a ransomware attack against an organization. Their private communications with ransomware actors also make it difficult for law enforcement to determine the nature of those relationships—including but not limited to whether a ransomware group has recruited a specific IAB.

Ransomware-Related Laws

More countries will likely adopt ransomware-related laws in 2022. In October 2021, Cybersecurity Dive cited Gartner’s prediction that one in three nations will adopt laws regulating ransomware payments, fines, and negotiations through 2025; currently, just 1% of countries have such legislation in place.

Those laws will help provide organizations with a standard blueprint that they can use to respond to a successful ransomware attack. Depending on the potential penalties involved, they could also motivate organizations to upgrade their ransomware defenses.

Ransomware Readiness in Security Audits

Finally, ransomware readiness will play a more significant role in security audits going forward. Organizations need to assume that ransomware actors will at some point attempt to target them regardless of their size or their revenue, noted Gartner. Acknowledging this reality, auditors will likely begin paying even more attention to the effort organizations devote to mitigate the risks associated with ransomware attacks. 

The technology research and consulting company specifically highlighted employee security awareness training programs, access to ransomware support services, incident response plans, data storage policies, and service provider ransomware attack communication protocols as areas of interest for auditors.

Defending Against RansomOps

Organizations can defend themselves at each stage of a RansomOps attack. For instance, in the delivery stage, they can monitor for malicious links and for attached documents carrying malicious macros in order to block suspicious emails. The execution stage gives security teams the opportunity to detect files attempting to create new registry values and to spot suspicious activity on endpoint devices. 

When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, and investigate network mapping and discovery attempts launched from unexpected accounts and devices.

Defenders can flag resources attempting to gain access to other network resources with which they don’t normally interact and discover attempts to exfiltrate data or encrypt files. Remember, the actual ransomware payload is the tail end of a RansomOps attack. There are weeks or even months of detectable activity prior to that point that can help disrupt an attack before there is serious impact to the targeted organization.
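The stage-by-stage detection opportunities described above, worked through as an added example (not Cybereason's code or any product's logic): a small Python script runs four detections over constructed endpoint and network telemetry, then measures how far ahead of the encryption payload the first alert fired. The event schema, field names, indicator addresses (RFC 5737 documentation ranges), the per-host access baseline, and the thresholds are all assumptions made for this example.

```python
"""Stage-by-stage RansomOps detection over constructed event logs (added example).

Assumptions: an EDR/NDR feed normalized into dicts with "ts", "host", "type"
and type-specific fields. Indicators, baseline and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel indicators (documentation addresses, not real infrastructure)
# standing in for "known malicious infrastructure" at the command-and-control stage.
KNOWN_C2 = {"203.0.113.7", "198.51.100.42"}

# Autorun registry locations commonly abused for persistence (compared case-insensitively).
AUTORUN_KEYS = tuple(k.lower() for k in (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
))

# Constructed baseline: internal resources each workstation normally interacts with.
BASELINE = {
    "ws-finance-01": {"fileserver-01", "mail-01"},
    "ws-hr-02": {"fileserver-01", "hr-app-01"},
}

# Constructed telemetry in the order a RansomOps intrusion unfolds:
# C2 beacon -> registry persistence -> unusual lateral access -> encryption burst weeks later.
SAMPLE_EVENTS = [
    {"ts": "2022-01-10T09:00:00", "host": "ws-finance-01", "type": "net_connect", "dst": "203.0.113.7", "port": 443},
    {"ts": "2022-01-10T09:02:00", "host": "ws-finance-01", "type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "updater"},
    {"ts": "2022-01-11T02:15:00", "host": "ws-finance-01", "type": "smb_access", "dst": "dc-01"},
    {"ts": "2022-01-11T02:16:00", "host": "ws-finance-01", "type": "smb_access", "dst": "backup-01"},
    {"ts": "2022-01-11T02:17:00", "host": "ws-hr-02", "type": "smb_access", "dst": "fileserver-01"},
]
# Sixty file renames inside one minute, the footprint of an encryptor reaching the share.
SAMPLE_EVENTS += [
    {"ts": f"2022-02-01T03:00:{i:02d}", "host": "ws-finance-01", "type": "file_rename",
     "path": f"\\\\fileserver-01\\share\\doc{i}.docx.locked"} for i in range(60)
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def _alert(stage, e, detail):
    return {"stage": stage, "ts": e["ts"], "host": e["host"], "detail": detail}


def detect_c2(events):
    """Outbound connections to known malicious infrastructure (block and alert)."""
    return [_alert("command_and_control", e, f"outbound to known C2 {e['dst']}:{e['port']}")
            for e in events if e["type"] == "net_connect" and e["dst"] in KNOWN_C2]


def detect_persistence(events):
    """New values written under autorun registry keys during the execution stage."""
    return [_alert("execution", e, f"autorun value '{e['value']}' set under {e['key']}")
            for e in events if e["type"] == "reg_set" and e["key"].lower().startswith(AUTORUN_KEYS)]


def detect_unusual_access(events, baseline=BASELINE):
    """Hosts reaching network resources they do not normally interact with."""
    return [_alert("lateral_movement", e, f"first-seen access to {e['dst']}")
            for e in events if e["type"] == "smb_access" and e["dst"] not in baseline.get(e["host"], set())]


def detect_mass_encryption(events, threshold=50, window=timedelta(seconds=60)):
    """A host renaming at least `threshold` files within a sliding `window` (one alert per host)."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            by_host[e["host"]].append(parse_ts(e["ts"]))
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"stage": "impact", "ts": times[start].isoformat(), "host": host,
                               "detail": f"{end - start + 1} renames within {int(window.total_seconds())}s"})
                break
    return alerts


def triage(events):
    """All alerts across stages, ordered by time so the attack sequence is visible."""
    alerts = detect_c2(events) + detect_persistence(events) + detect_unusual_access(events) + detect_mass_encryption(events)
    return sorted(alerts, key=lambda a: parse_ts(a["ts"]))


def lead_time(alerts):
    """How long before the first encryption alert the earliest alert appeared (None if no impact seen)."""
    impact = [a for a in alerts if a["stage"] == "impact"]
    if not alerts or not impact:
        return None
    return parse_ts(impact[0]["ts"]) - parse_ts(alerts[0]["ts"])


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']}  {a['stage']:<20} {a['host']:<14} {a['detail']}")
    print("lead time before encryption:", lead_time(found))
```

On the constructed sample the C2 beacon, the autorun write and the two first-seen SMB accesses all fire weeks before the rename burst, which is the point of the passage: the payload is the tail end, and each earlier stage is an opportunity to stop the operation. In a real deployment the baseline would be learned from historical telemetry rather than hard-coded, and the rename threshold tuned against backup and migration jobs that legitimately touch many files.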

But most organizations can’t do this on their own. They need the right solution to perform these threat hunting tasks for them. The Cybereason operation-centric approach is undefeated in the fight against ransomware because it detects RansomOps earlier in the attack sequence based on rare or advantageous chains of malicious behavior. 

Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere, including modern RansomOps attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
