How ransomware tactics are shifting, and what it means for your business
In this Help Net Security interview, Tim West, Director of Threat Intelligence and Outreach at WithSecure, discusses Ransomware-as-a-Service (RaaS) with a focus on how these cybercriminal operations are adapting to increased competition, shifting structures, and a fragmented ecosystem.
West talks about the implications of these changes for targeted industries, particularly engineering and manufacturing, and examines ransomware actors’ growing reliance on dual-use tools.
How has the ransomware-as-a-service (RaaS) landscape evolved? Are we seeing a shift in how these operations are structured or the types of affiliates they attract?
We’re seeing increased competition as established brands seek to attract affiliates. With the takedown of prominent groups like LockBit and ALPHV, many affiliates have become “nomadic,” seeking new RaaS collectives to align with. This has intensified competition within the ecosystem, as different RaaS brands strive to offer more appealing terms, better tooling, and reliable payouts to attract these experienced operators.
Smaller groups like Medusa and Cloak offer attractive incentives for the affiliates of the disbanded entities to join them. For instance, Medusa offers up to 90% profit-sharing to LockBit and ALPHV affiliates, and Cloak allows affiliates to join for free without any initial payment.
So, structurally, many ransomware operations have shifted towards a more modular and decentralized approach. Instead of a single, vertically integrated group handling the entire attack chain, many successful RaaS models can now be considered as loosely affiliated networks.
Different groups specialize in specific phases of an attack, such as initial access, lateral movement, or extortion. This separation of roles has made attribution more complex and increased the ecosystem’s resilience against disruptions like law enforcement actions.
The role of Initial Access Brokers (IABs) has also evolved within the RaaS ecosystem. These IABs can be well-funded and highly capable, supporting various malicious actors by providing reliable, scalable access.
Actors have industrialised the process of Internet-wide exploitation, lowering the barrier to entry for ransomware operators. IABs specialise in finding, weaponising, and selling access to vulnerable systems. They handle the complexity of exploiting vulnerabilities, bypassing filters, and managing large-scale scanning and exploitation operations. This service model now allows ransomware affiliates to purchase ready-made access without needing deep technical expertise.
Ransomware targeting specific sectors, such as engineering and manufacturing, seems to be on the rise. What are the implications for these industries, and why might they be particularly appealing targets?
Our latest research showed that engineering and manufacturing was the most impacted sector in the first half of 2024 with 20.59% of all victims observed. The high operational impact when disrupting these industries can make them appealing targets. Downtime in these sectors can result in significant financial losses, missed deadlines, and even contractual penalties. Time-sensitive production schedules increase the pressure to pay ransoms quickly to restore operations.
While most RaaS actors tend to target vulnerabilities and opportunities rather than specific sectors, complex supply chains can make cyber security operations difficult. Both industries are deeply interconnected with several suppliers, partners, and customers. A successful ransomware attack on a single entity can have cascading effects throughout the supply chain, amplifying the attack’s impact. This interconnectivity increases the leverage ransomware groups have during negotiations, as the consequences of prolonged downtime extend far beyond the immediate victim.
Proprietary data and intellectual property (IP), including designs, blueprints, and trade secrets are critical to maintaining a competitive edge, and therefore lucrative assets for theft or sale.
We also found that ransomware groups are abandoning earlier practices of avoiding critical sectors such as healthcare. In terms of impact to society, these attacks are often far more serious. Previously ransomware groups had largely refrained from targeting sectors that could trigger severe government or law enforcement responses. Although the number of overall healthcare attacks remain consistent as a proportion of overall victims in 2024.
Ransomware groups will indiscriminately target any organization perceived to have the resources to pay. Additionally, these sectors’ historical underinvestment in cybersecurity compared to financial or technology sectors makes them attractive targets.
Trust among ransomware actors appears to be eroding. How is this mistrust likely to impact the ransomware ecosystem, and could it lead to more fragmented or decentralised operations?
We always hear the term ‘no honour among thieves,’ and it’s really becoming evident in some of the recent ransomware incidents. We’ve recently seen the ALPHV exit scam, where affiliates were allegedly defrauded of their earnings. So, events like these and the crackdown on larger groups like LockBit are probably driving a sense of mistrust and heightened tensions in the cybercriminal communities.
As trust breaks down, we are likely to see a more fragmented ransomware ecosystem. The loyal affiliates may splinter off to form their own brands or shift allegiance to other groups they perceive as more reliable. This splintering could lead to the emergence of smaller, less predictable ransomware collectives.
We might see straightforward 1-to-1 rebrands, similar to when DarkSide rebranded to BlackMatter after the Colonial Pipeline attack in 2021. However, we’re also seeing 1-to-many rebrands become more prominent, where affiliates of a single variant spawns multiple new brands. For example, ransomware variants like 8base and Faust may both be derivatives of a single source.
Regardless of the type, this fragmentation and decentralisation makes it harder for law enforcement to target specific groups, as the traditional hierarchical models give way to more fluid and distributed networks of actors. At the same time, from a defender’s perspective, the mistrust among cybercriminals is beneficial, as it likely makes them less effective, less efficient, and easier to defend against.
The increasing use of dual-use tools by ransomware actors complicates detection and response. How should security teams adapt their strategies to better identify and mitigate threats from these tools?
The tools we found to be commonly used by RaaS actors included PDQ Connect, Action1, AnyDesk, and TeamViewer for remote access, as well as rclone, rsync, Megaupload, and FileZilla for data exfiltration. These are legitimate software tools commonly used in IT operations. So, this dual-purpose nature allows them to evade traditional anti-malware controls and blend seamlessly into normal network activity, making detection and response more challenging. Traditional signature-based detection methods are less effective against such dual-use tools.
Security teams should shift towards behavioural analysis, focusing on identifying unusual or suspicious patterns of behaviour rather than relying solely on known malware signatures. For instance, if a normally benign tool like TeamViewer is being used outside of regular business hours or from an unusual IP address, it could indicate malicious activity.
Establishing a baseline of normal activity for dual-use tools within the organization is critical. By understanding the typical usage patterns, security teams can more effectively spot deviations that may indicate misuse. For example, if a tool like rclone is suddenly used to transfer large volumes of data to an unfamiliar external server, this should trigger an alert, even if the tool itself is legitimate.
Exposure management solutions can also play a crucial role. These technologies provide security teams with comprehensive visibility across their extended network and identify vulnerable systems, misconfigurations, or high-risk assets that could be exploited through legitimate tools.
The trend towards ransomware actors prioritising data theft over traditional encryption attacks is becoming more pronounced. How does this change the risk landscape for organizations, and what should be the focus of their defensive measures?
The theft of high-value data like UP, financial records and customer information gives cybercriminals a powerful advantage in ransom negotiations. Organizations also face long-term damage from loss of customer trust, regulatory penalties, and reputational harm.
Cybercriminals find that focusing on data theft requires less time and fewer resources than deploying full-scale encryption across an entire organization. This ‘smash and grab’ approach allows attackers to quickly execute attacks and move on to the next target, increasing their overall efficiency.
Defending against these tactics requires an urgent focus on data protection. Critical priorities include identifying and securing sensitive data, implementing strict access controls, and continuously monitoring for suspicious data access and exfiltration activities.
Additionally, implementing encryption for data at rest and in transit can reduce the value of stolen data. If ransomware actors manage to exfiltrate data, the encrypted data remains unreadable and unusable without the corresponding decryption keys.
At the same time, traditional defences against ransomware encryption, such as backup strategies and network segmentation, remain important.
Businesses should also ensure their incident response plans address the unique challenges posed by data theft. This includes preparing for potential double extortion scenarios and being ready to manage the fallout with customers and other stakeholders.
Overall, organizations must enhance their focus on data security and prepare for more complex extortion scenarios. Those with strong exposure management and mature security tooling focused on breach containment are better positioned to mitigate these evolving threats.