Ransomware Has Evolved, Have You?

This blog series will focus on key areas highlighted in our recent report: “The Future of Digital Threats: 2020 Insights, 2021 Predictions” In this report, the ZeroFox threat research team reviews trends that defined 2020 as well as predictions for 2021 to help security teams prepare for another year of uncertainty in the digital-first world that now dominates modern life. In this series, a few of our senior analysts will review the acceleration of the top three trends we’ve come to know: starting with targeted ransomware, moving into phishing, and ending with the expanded use of malware as a service.

***

The rapid shift to a remote-first world resulted in significant opportunities for malicious actors to take advantage of the instability that defined 2020. Ransomware actors modified tools they already had, but the real differentiator was the expanded landscape they now had available to them. 

In this post, we’ll review the evolution of ransomware, how it was adapted to match defensive countermeasures in place in 2020, and steps security teams can take to effectively address ransomware attacks in 2021.

Defining Ransomware and Its Evolution

By definition, ransomware is a type of malicious software that opens the door for cyber criminals to access and control files or entire systems, blocking user access. This access is held hostage using encryption until the victim pays a ransom in exchange for a decryption key. 

As we move into 2021, ransomware artists are showing no signs of slowing and continually evolve their tactics. It would be more accurate to picture ransomware as maturing into a world-wide business, more closely aligned with organized groups and high-fidelity websites. Although the maturity of cyber criminal activity can vary greatly, it’s safer to assume you aren’t dealing with an amateur. 

There are always a few rules of thumb, the first being: don’t negotiate and don’t underestimate. Remind yourself, at every intersection during a ransomware attack, that you are dealing with a criminal. Trusting that the ransomware actor will neatly close out the threat if you follow through with their demands would be a mistake. Placing all trust in the wrong resource to fix the problem at hand rarely works out. There is no verifiable way to prove the information exfiltrated from the network is wholly erased; this creates even more risk for a victim who chooses to pay. Even after the threat is “resolved” by the criminal, who is to say data wasn’t stolen anyways for future malicious activity. 

Ransomware actors should be taken seriously regardless of any preconceived notions. Consider how much research they’ve done upfront, how intimately they know the victim, and just how targeted the ransom itself is crafted. It’s better to assume they are equipped, have done their research, and know precisely what resources you have in order to demand them.

The primary trend we observed in 2020 was how quickly malicious actors are adjusting their attacks to the new IT landscape. We've observed major tactics in adopting a new technique for many ransomware groups and collectives known as double extortion. This is an effort to pressure their victims to pay a ransom by encrypting the data and also exfiltrating the data, making it public. The tactics involve shaming and naming of the victims; we have even seen a continuation of such efforts through social media advertisements, the sale of stolen data to competitors or other criminals, cold calling victims, and pressuring victims by incrementally releasing sensitive data. These threats are not self-contained and can easily move to affect the victim’s family members as well.

“The Future of Digital Threats: 2020 Insights, 2021 Predictions” details these new ransomware tactics that involve both the name-and-shame approach as well as the selling of stolen data to other criminals. This new tactic's premise is: if the company doesn’t pay the ransom, they could lose essential data that affects finances, clients, employees, vendors, and more. This can directly affect their business and result in additional regulatory actions depending on the types of published data. The amount of activity surrounding the selling of this data is telling as well; any company that shows up on a shame site is a more likely target for other hackers hoping to run copycat operations. This also advertises potentially weak security practices. The more this stolen information circulates among threat actor groups, the higher the chance that each victim may be hit multiple times, whether it is a ransomware attack or a simple data breach. 

We're not seeing it just with corporate representatives either; ransomware actors are not picky and have infiltrated a larger landscape with a wide array of organizations that are being targeted. Ransomware will most certainly remain the most profitable line of business for the majority of cyber criminals in 2021. 

Where the Workforce Goes, Ransomware Will Follow

More organizations are beginning to contemplate a return to the office; this will likely bring a host of issues concerning unmaintained technology and technology remnants of 2020's chaos. Just as the move to remote working enabled us to adapt to new software and innovate on the spot, the new normal will continue to evolve and, as a result, potentially open a whole new set of vulnerabilities and exploitations. A primary concern is unmaintained and outdated software that was quickly put in place to meet the pandemic world's requirements.

The fact that, throughout 2020, 60% of reported breaches were linked to a vulnerability where patches were available but not applied speaks volumes as to the strain overworked security teams were already experiencing. Returning to the office will increase this workload, with the added layer of a hybrid workforce in-office and remote, requiring oversight of two complicated security architectures. 

Roughly 62% of cybersecurity teams are either somewhat or significantly understaffed, with minuscule trends showing an equal investment in security infrastructure or personnel. The increased demands on security teams, with little to no uplift in resources, will most certainly impact the ability to maintain effective oversight of security architecture, run an efficient patching program, plan the return to the office or implement a comprehensive plan to maintain or decommission remote infrastructure.

Dismantling Ransomware 

Regardless of the size of an organization, the industry, or the security measures already in place, ransomware will always pose a risk. The slew of ransomware articles and recent attacks reported weekly (from the Cuba ransomware gang, to Netwalker, to disguised ransomware apps, to the DoppelPaymer attack on Kia, to Maze shutdowns, to attacks on universities, and more) are a clear indication of where the future of ransomware is headed and just how much it continues to grow.

Preventative measures are still possible and of the utmost priority. Even organizations amidst an attack can leverage proven measures to avoid falling victim to a cyber criminal's demands. I’ll leave you with a few next steps to better prepare for, and begin mitigating, some of the ransomware trends we see forming in 2021:

• Perform backups of all business-critical information; this is still a valid and imperative approach, but it must be taken a step further. Security teams should ensure they (1) avoid doxing and data corruption by encrypting their data at rest; and (2) store backups on other networks to prevent corruption of the data.
• Employ security patches routinely to prevent ransomware actors from exposing vulnerabilities and gaining access to your network. 
• Implement multi-factor authentication across the enterprise to block attempts to gain additional controls to the network.
• Respond to potential attacks proactively by keeping security systems up to date with the latest detections. 
• Create a robust network segmentation to bolster the prevention of a cyber criminal’s movement between business systems. 
• Adopt a comprehensive Digital Risk Protection and Threat Intelligence platform to equip your security team with the resources required to remain vigilant in detection and mitigation efforts.