Ransomware: How bad is it going to get?

Ransomware started out with attackers encrypting individual users’ files, demanding a few hundred dollars, and giving the victim a key to unlock their files once they paid up. Very quickly, though, ransomware attacks transformed into a much more costly and deadly threat leveraged mostly against organizations and businesses.

Ransomware gangs are becoming more brazen. In 2021, they hit high-profile targets like Kaseya and Colonial Pipeline. The question now is: how worse is the situation going to get?

Why ransomware, why now?

Like most businesses, ransomware gangs appreciate efficiency. Ransomware attacks are often low in complexity and highly lucrative. Attackers can put in relatively little effort (as compared to other kinds of cyberattacks) and get a huge payoff. As a result, ransomware gangs are becoming increasingly bold as they go all-in.

The masterminds behind ransomware campaigns are also tenacious. Just because a gang is taken down does not mean that the people behind it are out of the ransomware game.

Ransomware actors can assess what they have done, become more familiar with the landscape, and try new tactics next time. They can re-form under new names and attack new companies.

What’s next?

What does the future of ransomware hold? Here are some of the tactics and motivations that are driving ransomware trends.

From double to triple extortion

For years, ransomware actors only performed one level of extortion: they encrypted files and then demanded a ransom to deliver the decryption key. As companies improved their backup processes, gangs adapted and turned to double extortion.

Now, before encrypting data, gangs like REvil exfiltrate sensitive information from the network before encrypting files or announcing their presence. That way, in addition to holding encrypted data for ransom, they can incentivize their targets to pay the ransom to avoid public exposure of the exfiltrated data.

But why stop there? The next move for cybercriminals is adding in a third layer of extortion, with third parties in the crosshairs. It will no longer be only businesses that are at risk, but customers as well. Criminals will use data stolen in an attack to extort the actual owners of sensitive information.

Novel ransomware attack vectors

In addition to shifting from encryption to data exfiltration, ransomware gangs are trying new attack vectors.

Phishing has been the classic way to gain a foothold into company systems and network. Spear phishing, typically targeting company leaders with sophisticated messages using details found on social media and through other open-source intelligence (OSINT) methods, is also a preferred tactic. The risk of being spear phished is increasing as more organizations adopt cloud applications like SaaS platforms.

But as two-factor authentication and phishing awareness grows, cybercriminals are moving beyond it and are focusing on remote access technology to gain access. They are using new methods to determine weak spots and gain access to networks. Older technologies are easy to compromise, and more businesses are using remote access technologies thanks to the increase in working from home since the beginning of the COVID-19 pandemic.

Critical infrastructure at risk

Ransomware attackers are turning their focus on critical infrastructure. Since an interruption of critical infrastructure can disrupt many people and businesses and cause significant reputational damage for the target, these attacks are often lucrative for criminals. The gangs know that and are careful to cherry-pick ideal victims.

Critical infrastructure companies that have fallen target to cybercriminals in recent years include petroleum and fossil fuel firms Colonial Pipeline and Pemex. Going forward, attacks will likely spread to other critical infrastructure sectors and target new technologies, like decentralized finance (DeFi).

Scrutiny from global governments

The rise in ransomware, and its focus on critical infrastructure, is drawing the attention of governments around the world.

Under US President Biden, the Treasury Department is beginning to threaten sanctions on businesses that help cybercriminals launder money. This is becoming increasingly important given the increased usage of digital currencies and the increased infrastructure blooming around decentralized finance.

Nation-state actors

Many of these ransomware actors are private gangs with financial motivations. But as the focus shifts to critical infrastructure, a more sobering thought arises. Right now, the reward for these private gangs is the money, but what if state-sponsored actors began to follow these trends? They would be the actors with the motivation, scale, and know-how to launch high-complexity, high-reward attacks against critical public and private targets. The goal of these attacks would extend beyond financial gain to serve a more sinister purpose, such as intelligence missions or to cripple another country by destroying critical infrastructure.

The bottom line is that, currently, ransomware attacks are often low complexity, but highly lucrative. Criminals put in relatively little effort and get a big payoff. While this remains the case, ransomware gangs will continue to be a menace, demanding more, fine-tuning their methods, and stealing the show as some of the most terrifying cybercriminals out there.