Keeping pace with rapid change in the cybersecurity field, the evolution of ransomware has been swift and complex since the malware’s inception. The scattergun approach to ransomware distribution that used to be popular with criminals (peaking in 2017 with the WannaCry attack) has now fallen to the wayside in favour of more targeted attacks on individual businesses.

The driver behind this change is simple: businesses are more likely to submit to the demands of the ransomware. They’re scared of the regulatory fines that they will be subject to if any data gets exposed (particularly since the advent of GDPR and other similar regulatory measures recently introduced across all 50 US states) so criminals know that they are more likely to pay, and pay big, if they fall prey to an attack.

>> Listen to the podcast: Skybox Security on toughening up IT defences in a pandemic

Attackers have been emboldened in this approach due, in no small part, to ransomware growing in sophistication. Look at Sodin (okibi) ransomware as one example. Released in 2019, it can burrow deep into a system to elevate privileges by planting itself in CPU architecture. This makes it much harder to detect and, therefore, less likely to be removed.

Evolution of ransomware is driven by profitability

Attackers don’t want to waste their time on ransomware that isn’t delivering on profitability. As ransomware becomes more sophisticated, the chances of its success increases. When criminals are confident that they can profit from organisations with deeper pockets than your average PC user, you can bet they’re going to give it a shot. And that’s exactly what’s happening now.

This doesn’t mean that attackers have a lot of easy wins under their belts. Targeting specific businesses may require a lot of “dwell time” on a victim network, spending anywhere from days to months trying to identify a chink in the armour that they can exploit. Because of this, companies have time to detect and remediate any malicious presence. If they’re quick to act, they emerge unscathed and the only loss will be felt by the attacker. But if the attacker’s patience pays off, they’re likely to hit the jackpot.

How doxware is changing the game

There are new malware tactics being deployed by attackers that are helping them seal the deal during a successful ransomware attack. Look at doxware, for example, heralded by some as the next step in the evolution of ransomware. It may be new on the block – it was only in November 2019 that Maze ransomware became the first to offer attackers the ability to upload stolen data to a public site if they don’t receive payment – but it adds a new threat level that wasn’t there before. And it’s gaining in popularity. Since November, we’ve seen several new doxware products come onto the market.

While the profits associated with successfully attacking a large organisation were compelling enough for most malicious actors, the ability to threaten the exposure of sensitive data makes attacking large organisations irresistible. The leverage that they gain through doxware is worth the additional time and effort expended during these targeted attacks. The more fear they can incite, the higher the payout.

OT environments are under increasing threat from ransomware

Another way that use of ransomware is developing can be found in the network areas in which it is, and will be, deployed. Specifically, criminals are honing their focus on operational technology (OT) environments. These are areas that are incredibly difficult to protect – they run on outdated technology that cannot be scanned or patched, many machines and devices are critical to operations so cannot be turned off and, although a lot of these machines pre-date the Internet, they are now being forced to connect with Web-connected devices – and are important at a nation-state level (particularly thinking about utilities like oil, gas, water, electricity, etc).

New viable ransomware attacks on OT-adjacent systems have been demonstrated; this is something that’s only going to increase. As seen in the Vulnerability and Threats Report 2020, the number of new advisories issued by ICS-CERT between 2019 and 2020 increased by 53%. Attackers are coming after OT; ransomware is a very valuable tool and it’s doubtless that they are going to use it to its full potential.

We’re going to hear about more ransomware attacks this year

We can also expect to hear about more incidents as a result of companies now being forced to disclose data breaches. This is important to consider when you hear stories about a rise in ransomware attacks over the next year – the actual number of ransomware attacks may not dramatically increase, but the number of public disclosures will. Companies now have nowhere to hide.

Finally, it’s important to talk about the current sophistication level of ransomware. Although attackers have made a lot of progress in terms of the malware’s sophistication, as an industry it is still fairly rudimentary from an economic perspective. There is a lot of room for growth, both in terms of malware sophistication and financial potential. The market is far from being saturated and the tools that are currently being deployed are not yet operating at maximum efficiency. Like any professional in any other industry, we can expect to see ransomware developers and deployers work to improve efficiency. This means that there will be greater depth to the business models used by deployers, including the intelligence on which their deployments are based.

Really, we are in the early stages of ransomware’s potential. The need for security leaders to understand how criminals are able to implant this malware within their networks is great now and will get greater still as time moves on. The time to act to protect businesses from the real and present threat of ransomware is yesterday; if businesses fail to contain their network perimeter, they will likely be forced to pay out a lot of money – both to criminals and to relevant regulatory authorities.

About Skybox Security
At Skybox Security, we provide you with cybersecurity management solutions to help your organization innovate rapidly and with confidence. We get to the root of cybersecurity issues, giving you better visibility, context and automation across a variety of use cases. By integrating data, delivering new insights and unifying processes, you’re able to control security without restricting operational agility. Skybox’s comprehensive solution unites different security perspectives into the big picture, minimises risk and empowers security programmes to move to the next level. With obstacles and complexities removed, you can stay informed, work smarter and drive your organisation forward, faster.

To learn more about Skybox Security, join one of our FREE technical workshops or contact us [email protected].