Cyber Insights 2024: Ransomware

Ransomware insights: When ransomware first appeared, the term became associated with encrypting data. This is a misconception.

SecurityWeek’s Cyber Insights is an annual series discussing the major pain points for cybersecurity practitioners. These pain points differ year by year in line with the evolving cyber ecosphere: this year we include discussion on current pressures on the role of CISO, including the new SEC liability rules. Overall, Cyber Insights 2024 talks to hundreds of industry experts from dozens of companies covering seven primary topics. The purpose is to evaluate what is happening now, and to prepare for what is coming in 2024 and beyond.

Ransomware Insights and Trends | 2024

Ransomware is a species of the genus Extortion. Extortion has always been a favored method of gaining funds, and always will be. Today it is probably more prevalent in the cyber world than in the physical world.

We can learn from its history. It has always existed at the national level (Danegeld), at the gang level (protection rackets) and at the personal level (bullying). This practice is now part of the cyber world, and it still involves nation states, criminal gangs, and individual hackers. Extortion will never go away, only the methods will change. Criminals will fine-tune existing profitable methods for greater profit or adapt them to accommodate new conditions. 

The same applies to cyber ransomware, which is fundamentally the theft of victim data through either encryption or exfiltration, or both. The encrypted and/or stolen data is the lever for cyber extortion. 

Ransomware is sufficiently effective and profitable to continue and increase. But it will be fine-tuned to expand the profit element, and new methods of extortion will be explored. Already, some companies are using the more general term of Cy-X (cyber extortion) to cover the developing range of threats that have coalesced around the term ransomware. Extortion is the threat; ransomware is just one (albeit currently the primary) method.

“Gangs will continue to up the ante and apply greater pressure on victims – this includes more actions along the lines of ‘information operations’ – more public shaming on social media and open websites, contacting executives, employees, and customers directly to pressure payments, threats of violence – including family members,” warns Keith Mularski, MD at EY Consulting Cybersecurity.

Matt Waxman, SVP and GM for data protection at Veritas Technologies has one specific example of the potential continued evolution of ransomware extortion. “In 2024, we expect hackers to turn to targeted cell-level data corruption attacks—code secretly implanted deep within a victim’s database that lies in wait to covertly alter or corrupt specific but undisclosed data if the target refuses to pay a ransom.” 

Waxman continues, “The real threat is that victims will not know what data, if any – the hackers could be bluffing—has been altered or corrupted until after the repercussions set in, thus effectively rendering all their data untrustworthy. The only solution for victims is to ensure they have secure copies of their data they are 100% certain are uncorrupted and can be rapidly restored.”
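The mitigation Waxman describes, copies of data you can prove are uncorrupted, depends on being able to tell exactly which cells changed. The following is an added example, not code from the article or from Veritas: it builds a keyed per-row integrity manifest for a SQLite table, keeps it out-of-band (here simply in memory), and later reports which rows were altered, removed or added. The table, key and data are all constructed for the example.

```python
"""
Added example: detecting covert cell-level corruption by checking a
database snapshot against an out-of-band integrity manifest.
Assumes the manifest and key live somewhere the intruder cannot reach
(e.g. alongside an immutable backup), otherwise they could be re-signed.
"""
import hashlib
import hmac
import sqlite3

# Constructed key for the example; never store it on the database host.
MANIFEST_KEY = b"constructed-example-key-do-not-reuse"


def row_digest(key: bytes, columns: tuple, row: tuple) -> str:
    """Keyed hash over one row's cells. Column names are mixed in so a
    value moved between columns is also detected."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name, value in zip(columns, row):
        mac.update(name.encode())
        mac.update(b"\x00")
        mac.update(repr(value).encode())
        mac.update(b"\x01")
    return mac.hexdigest()


def build_manifest(conn: sqlite3.Connection, table: str, pk: str, key: bytes) -> dict:
    """Return {primary_key: digest} for every row in `table`.
    `table` and `pk` are trusted identifiers here, not user input."""
    cur = conn.execute(f'SELECT * FROM "{table}" ORDER BY "{pk}"')
    columns = tuple(d[0] for d in cur.description)
    pk_index = columns.index(pk)
    return {row[pk_index]: row_digest(key, columns, row) for row in cur.fetchall()}


def verify_against_manifest(conn, table, pk, key, manifest):
    """Compare the live table with a stored manifest.
    Returns (modified_keys, missing_keys, unexpected_keys)."""
    current = build_manifest(conn, table, pk, key)
    modified = sorted(k for k in manifest
                      if k in current and not hmac.compare_digest(current[k], manifest[k]))
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return modified, missing, unexpected


def demo():
    """Constructed scenario: manifest taken while data is known-good,
    then one cell is silently altered and one row deleted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance_cents INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(1, "alice", 10_000), (2, "bob", 2_500), (3, "carol", 73_000)])
    manifest = build_manifest(conn, "accounts", "id", MANIFEST_KEY)
    # Simulated covert corruption of the kind the quote describes.
    conn.execute("UPDATE accounts SET balance_cents = 7300 WHERE id = 3")
    conn.execute("DELETE FROM accounts WHERE id = 2")
    return verify_against_manifest(conn, "accounts", "id", MANIFEST_KEY, manifest)


if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified rows:", modified)      # [3]
    print("missing rows:", missing)        # [2]
    print("unexpected rows:", unexpected)  # []
```

Run the manifest step against each backup at the time it is taken; a restore candidate whose verification returns three empty lists is the "100% certain" copy the quote calls for.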


Developments in 2024

Encryption-free extortion

Encryption-free extortion is not new but will continue to expand. It is a development from the earlier concept of double extortion: data exfiltration first, data encryption second. If the encryption doesn’t elicit the extortion fee, then the subsequent disclosure of sensitive data, causing brand damage and potential compliance fines, might succeed.

With fewer companies paying an encryption ransom (through government pressure, better decryption possibilities, and cyberinsurance restrictions), criminals are sometimes dropping that side of the extortion.

Rik Ferguson, VP of Security Intelligence at Forescout

“Due to the time-consuming and pointless overhead nature of traditional ransomware operations, threat actors will prefer ‘denial of confidentiality’ through leak sites over ‘denial of access’ through encryption,” says Rik Ferguson, VP of security intelligence at Forescout. “Data theft and extortion are just as efficient for them, but with no major management overhead, no frustrating recovery from backup and no coding of cryptographic modules.”

It also allows the attackers to better hide the attack. “Ransomware attacks will go dark as they evolve from ‘encryption by malware’ toward ‘malware-less data theft’,” explains Mark Stockley, cybersecurity evangelist at Malwarebytes. “Stealing rather than encrypting data allows criminals to hide in plain sight by ‘living off the land’ – using legitimate administration tools they find on the networks they’re attacking that won’t trigger a malware detection by security software. Attacking without malware shifts the burden of detection from malware-spotting software to anomaly-spotting humans.”

A new variation on extortion – that can be used with either encryption or data exfiltration – emerged in late 2023: ALPHV/BlackCat reported MeridianLink to the SEC. “As the new SEC disclosure ruling comes into effect [December 15, 2023], requiring that companies report ‘material’ cybersecurity incidents within four days,” comments Sean Deuby, principal technologist North America at Semperis, “expect this tactic to become the norm in ransomware attacks. The SEC will have an army of not-so-altruistic helpers.”

Turbo-powered by AI

The initial danger for extortion from AI is less in the malware (although it will eventually be used to find exploitable vulnerabilities), but more so in laying the groundwork for delivering the malware. “Generative AI will definitely become a factor in ransomware. The principles are fairly simple: given a target, you scrape the employee list from LinkedIn, you crawl their profiles and posts, and search social networks for the same person as well as publicly available data through a search engine,” explains Philippe Humeau, CEO and co-founder of CrowdSec. 

“Once you have all networks from most employees, along with a sample of their voice (podcasts), pictures (X, Instagram, LinkedIn, Meta) and video (YouTube, TikTok), you have all you need to generate extremely convincing phishing emails. Next thing you know, the victim gets a perfectly crafted drip-phishing-campaign.” In short, AI is likely to turbocharge phishing, and this increased and improved phishing will likely turbocharge ransomware.

It’s not a certainty. Others believe that criminals’ existing methods are sufficiently successful not to require the additional cost of AI development. But there may come a future inflection point where falling AI costs meet a rising failure rate of the existing methods.

The route to ransomware’s direct use of AI may be slow and incremental – perhaps via the concept of MPV (most promising victim). The theory is that organizations that must have uninterrupted operation, and have money to pay for that uninterrupted operation, will become most promising victims.

“I predict that ransomware authors will find ways to automate this ‘MPV’ determination by making the ransomware able to autonomously determine whether MPV criteria is met; for example, ‘did I land at a hospital’, ‘can I get access to the electronic medical records?’”, suggests Robert Leong, senior director and head of product management at HCL BigFix. 

“The reason is that sending messages to command and control is one of the main ways that ransomware is detected. As such, if the ransomware can determine autonomously where it is, what kind of organization it is at, and what to encrypt, the more successful the ransomware will be,” he continues. AI could be introduced to provide and improve that silent automation.

Geopolitics and hacktivism

Historically, hacktivism has been associated with home-grown ideologists protesting about moral issues. Amir Hirsh, head of Tenable OT Security, believes this will continue in 2024, with hacktivists using ransomware to increase the publicity effect. “Hacktivist groups in particular will target factory farming and energy producers in line with their ideology, for maximum exposure and notoriety for their causes,” he comments.

Ilia Kolochenko, chief architect at ImmuniWeb.

At the same time, extreme geopolitical tensions resulting from wars in Ukraine and Gaza will increase the inter- rather than intra-national element to hacktivism. “Next year,” suggests Ilia Kolochenko, chief architect at ImmuniWeb, “we should expect massive and unpredictable attacks from politically motivated hacktivists against innocent companies and organizations in specific countries or regions.”

These attacks will likely be highly destructive, aiming at paralyzing the operation of businesses that have little or no connection with the political process of their countries of incorporation. “The cyber infrastructure of hospitals, schools and even CNI, such as water supply facilities, may suffer long-lasting and irreparable damage.”

Wipers

Wipers could be, but are not necessarily, associated with ransomware. Consider the data encryption version of ransomware absent any means of decryption – it’s a basic wiper.

This is an attractive option for geopolitically motivated attackers (especially those that could be labelled as nation-state affiliated). It can be disguised as a failed ransomware – that is, a financially-motivated criminal attack. It is difficult to classify a criminal attack as cyberwarfare (which, apart from being destructive must also show an element of government versus government). See What is Cyberwar? for a more detailed discussion, and consider the insurers’ failure to exclude payout to Merck over NotPetya.

WannaCry and NotPetya are good examples. WannaCry had no decryption capabilities, and NotPetya caused massive destruction around the world. But both were ‘disguised’ as ransomware, and although attributed to Russia, could not be attributed to a clear government instruction. The danger is in future accidents. “As adversarial nation states continue to wage war on other nation states, we will absolutely see a recurrence of things like WannaCry and NotPetya,” warns Leong. “Expect that adversarial nation states will continue to have this in their toolkit, especially if regional hot wars expand.”

Nevertheless, wipers are used with care by most adversarial nations. They could spark a full cyberwar – and in today’s cyberworld, the principle of absolute deterrence remains. All-out cyberwar would lead to mutual and complete cyber destruction: so, wipers used by the world powers (NATO, Russia, and China) are finely targeted within the hot war zone or avoided. (The Middle East is an exception because it is primarily regional rather than global.)

Humeau has another reason for doubting the use of wipers by the big nations. “I’m not sure they are really useful for a nation state, most of the time. You only blow your cover when you need to leverage your advantage against an adversary. It’s better to stay in, lay low and use your initial access when you’ll need it. Dormant agents are not a thing from the past, but for the future.”

However, criminal gangs are not deterred by cyberwar concerns. The increasing aggression of non-state hacktivists could easily lead to an increase of wipers in 2024. “We’re also witnessing a move toward new data destruction tactics, including custom data theft tools and time-activated wipers, adding an extra layer of pressure on victims to negotiate,” comments Marcelo Rivero, senior malware research engineer at Malwarebytes.

More wipers in 2024? “Probably,” says Mularski. “Intent is the driving force – it’s also the most unpredictable factor.” Technically, of course, a pure wiper (even if disguised as ransomware) is not ransomware: its purpose is not extortion, but destruction.

Democratized by RaaS

Ransomware-as-a-Service (RaaS) is part of the growing professionalism of the cybercriminal underworld. Serious and technically adept criminals have evolved a separation of roles. Gangs comprise separate malware coders, access finders (using separate access brokers), finance operators, and marketers. These combine to offer ransomware services to affiliates, either selling or leasing out the complete ransomware package. It has several effects: it helps keep the real criminals at arm’s length from researchers and law enforcement, and it allows a far greater number of less skilled criminals to deliver potentially devastating ransomware attacks. It has been dubbed the ‘democratization’ of ransomware.

“It will depend on the ransomware threat actors’ marketing efforts around building an affiliate program and making the onboarding process low friction,” suggests Gerald Auger, consultant and adjunct professor at The Citadel (the military college of South Carolina). “Sadly, top tier ransomware threat actors (Lockbit, Blackcat, Conti, before they disbanded) are run like professional enterprises with many employees. Conti, for example, had over a hundred, including an HR department – so, if they figure out marketing for their RaaS affiliate program, it’s going to be a considerable concern for CISOs (and the infosec industry in general).”

“RaaS will become more commonplace, offering individuals with minimal technical expertise the means to execute ransomware attacks,” warns Christian Have, CTO at Logpoint. “Automation will enable Initial Access Brokers to identify and offer more breach-ready environments. Consequently, there will be a surge in attack frequency, impacting organizations of all sizes, particularly smaller ones with inadequate cybersecurity measures.”

RaaS is likely to grow in popularity. “It will continue to expand, and especially if the world has an economic downturn, as many are predicting,” comments Leong. “The reasoning is that many people will lose their jobs and that the less scrupulous will see RaaS as a way to continue supporting their lifestyle. Since RaaS generally only requires script kiddie-level skills, this will be alluring to those who are out of work and looking to make easy money, especially if they want to ‘get back’ at their former employers.”

Drew Perry, Chief Innovation Officer at Ontinue, points to Scattered Spider as an example of RaaS in action. The group is thought to be an affiliate of Alphv, and was behind the MGM hack that was discovered in September 2023. “There will be a resurgence of hacktivism or home-grown ransomware operators from the West, with Scattered Spider being the poster child that others will copy,” warns Perry.

“From our point of view,” says Mularski, “RaaS represents the bulk of the extortion threat – there seem to be fewer groups running purely closed/private operations.” He points to LockBit as the most pervasive RaaS operation – with 110 victims claimed in November 2023 alone.

RaaS itself is merely one part of the expanding and more general Crime-as-a-Service (CaaS) criminal operation. Ferguson believes it may lead to a new X-as-a-service: victim-profiling-as-a-service. “Ransomware affiliates are becoming pickier when it comes to victim selection, which can be seen in a variety of trending techniques – from retargeting organizations that have been known to pay ransoms to selecting only victims that have cyber incident insurance,” he says. “As a result, data on potential victims will be highly sought after and create greater demand for this type of market.”

Zero-days

The converse of democratization is specific big game hunting by ransomware gangs without using the RaaS method. This often focuses on the use of zero-day vulnerabilities. In general, a zero-day is a use-once weapon, too valuable to be dissipated through affiliates.

Raj Samani, SVP and Chief Scientist at Rapid7, comments, “We have observed an increasing number of zero-day vulnerabilities being exploited by ransomware groups, and it’s unlikely this trend will abate.”

Stockley agrees. “Ransomware attacks will increase massively following a shift to zero-day attacks,” he says. But he also notes that automation (likely to be aided by the added spice of AI from 2024 onward) will allow individual groups to scale without diminishing their profit return through the use of affiliates.

“In two waves of attacks this year the Cl0p ransomware gang showed that it was possible to break free from the scalability shackles of the affiliate model by using automated attacks based on zero days,” he explains. “Previously it was assumed that zero days were either too complex or too sophisticated for ransomware gangs. While there would be significant obstacles to the widespread use of zero days by ransomware gangs it cannot be ruled out.”

Government (in)action

Apart from encouraging better cyber defenses, taking down criminal infrastructures, and seeking personal arrests, there is little that governments can do to prevent cyber extortion. The only thing that will stop extortion is to curtail its profitability, and that is impossible. For the current primary form of ransomware, there are two possible approaches: to make the payment of ransoms illegal, and to make the payment process (via digital currencies) ineffective.

The first is almost impossible. Humeau explains one of the difficulties: “Places like France have superbly shot themselves in the foot,” he says. “After a decade of saying “No, no-one should ever pay, don’t feed the monster”, there is now a blurred line, created by the insurance companies seeing a great opportunity to sell policies that they know they will not actually have to fulfil because of specific exceptions that they’ve woven in. However, for the policies that do pay out, you have cybercriminals that know the exact amount that insurers are willing to reimburse, and that’s the amount that they are now trying to extort from their targets.”

Not everyone is pessimistic about government actions against ransomware, however. Jose Araujo, CTO, Orange Cyberdefense, is optimistic. “We foresee a potential turning point on cyber extortion activity driven by joint government policy… over 40 countries members of the International Counter Ransomware Initiative have agreed a joint policy declaring that member governments should not pay ransoms demanded by cybercriminal groups. They also agreed a shared blacklist of wallets used by ransomware actors, commitment of pursuing actors responsible, amongst other initiatives. We are yet to see its impact on Cy-X statistics but anticipate this cooperation may dampen the viability of the Cy-X ecosystem in future.”

Others are less optimistic. “Through 2024, there will be no further state or federal comprehensive legislation enacted in the US to ban the payment of ransoms,” believes Claude Mandy, chief evangelist at Symmetry Systems. “Instead, organizations will continue to be strongly encouraged not to pay ransoms, and law enforcement and federal agencies will continue to target the exchanges and organizations that facilitate the routing of payments to cybercriminals through sanctions and similar measures, facilitated by increased requirements on victims to disclose ransomware payments.”

Current global geopolitics isn’t helping government efforts. “Law enforcement agencies and prosecutorial authorities [cannot] collaborate in complex cross-border investigations of organized cybercrime,” notes Kolochenko. “Ultimately, cyber gangs calmly operate from non-extraditable jurisdictions with impunity, enjoying steadily growing income paid by desperate victims. Given that from an economic viewpoint ransomware is a scalable and highly profitable business, we will likely see its hydra-like proliferation around the globe next year.”

The result, he warns, is that coupled with pay-as-you-go RaaS, “Good old ransomware may well attain the status of the global cyber pandemic in 2024.”

However, while governments may be unable to eliminate extortion payment through digital currencies, market forces could possibly succeed. Stockley raises the possibility of a cybercrime ‘singularity’: Bitcoin crashes to zero destroying ransomware. “Just about the most consequential thing that could happen to cybercrime,” he says, “is Bitcoin going away, which may not be likely, but isn’t out of the question. It requires significant effort to keep Bitcoin going and the cryptocurrency bubble has well and truly burst.”

He continues, “If Bitcoin starts to decline significantly the incentives that keep the massive infrastructure it relies on running could collapse, which could precipitate a loss of confidence in other crypto coins. Despite a plethora of digital currencies, ransomware is firmly wedded to Bitcoin and probably couldn’t exist without it, or a very similar replacement. Cybercrime wouldn’t go away, but it would enter a highly unpredictable phase as it reorganizes around new business models.”

Continuing threat of ransomware

The ransomware threat will continue to grow and expand. It is the quintessential business plan for cybercriminals. When it first appeared, the term became associated with encrypting data. This is a misconception. Paying a ransom under threat is simply extortion. Ransomware is extortionware: extortion through data encryption is simply one method.

Criminals are adaptable. If one method becomes less profitable, they will modify their approach. We have already seen this with the growth of big-game hunting, increased targeting of OT, the rise of RaaS and AI-automation, and greater concentration on data exfiltration rather than solely data encryption.

The most recent variation on the last came from Alphv/Blackcat. This group “filed a complaint with the SEC on behalf of MeridianLink for neglecting to disclose a cybersecurity incident as punishment for not paying the ransom,” explains Have. He believes this new extortion tactic could become a primary driver in the development of the ransomware economy in 2024, especially with the introduction of NIS2.

Extortion will continue to grow in 2024 and beyond. It is the basis of criminality. How it is cloaked is in a continuous state of flux, and that change in appearance will continue. But in common parlance, the ransomware threat will continue to worsen.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
