The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Ransomware attacks continue to pose a growing threat to organizations as it has emerged as the number one threat, affecting 66% of organizations in 2023 and pulling over $1 billion from the victims. These attacks have increased in frequency and sophistication, resulting in significant financial loss, operation disruption, theft of sensitive data, and reduced productivity rates. Also, it damages the organization's reputation and results in the loss of customer trust and compliance violations. An organization needs a comprehensive protection strategy to reduce the frequency of these attacks and the risks they pose.
Ransomware Business Model: How These Attacks Are Evolving?
In the past, ransomware attacks mainly relied on phishing emails, remote desktop protocol exploits, and vulnerable ports to increase their chances of success. Additionally, these attacks employ evasion techniques to bypass traditional security measures like firewalls or antivirus software. These methods have resulted in famous attacks like WannaCry, TeslaCrypt, and NotPetya.
With time, ransomware attackers have evolved and have become more sophisticated, targeted, and profitable for cybercriminals. Below is an insight into the latest trends that hackers adopt to launch a successful ransomware attack:
Exploiting Zero-Day Vulnerabilities
The shift in ransomware gangs and their sophisticated tactics and procedures (TTPs) raise the number of ransomware attacks. . Previously, REvil, Conti, and LockBit were the famous ransomware gangs, but now Clop, Cuban, and Play are gaining immense popularity by employing advanced hacking techniques like zero-day vulnerabilities.
Sophos's State of Ransomware 2024 revealed exploited vulnerabilities as the root cause of ransomware attacks. The Clop ransomware gang has used the zero-day vulnerability in the MOVEit Transfer platform to steal the sensitive data of different organizations. This group also targeted the GoAnywhere zero-day vulnerability in January 2023, affecting 130 organizations, and exploited the Accellion FTA servers in 2020. Similarly, Cuban and Play used the same attacking technique to compromise the unpatched Microsoft Exchange servers.
Double and Triple Extortion
Another reason for the rise in ransomware attacks is the introduction of the double or triple extortion technique. Cybersecurity firm Venafi reported that 83% of ransomware attacks included multiple ransom demands in 2022.
Cybercriminals encrypt the data, exfiltrate sensitive information, and threaten to release it or sell it on the dark web if the ransom is not paid in a double extortion scheme. This tactic proves to be highly effective as it holds the victim's data hostage and also introduces the risk of regulatory non-compliance and reputational damage.
With the increased pressure on victims to comply with the attacker's demands, it's found that 62.9% of the ransomware attack victims agree to pay the ransom without having any guarantee of getting the data back. Like during the MCNA Dental breach, the ransomware gang LockBit published all the data on their leak site before the company paid the ransom.
Similarly, a triple extortion ransomware attack adds a third vector, which could be a distributed denial-of-service (DDoS) attack. Ransomware operators seek ransom by putting extra pressure on the organization or even threaten downtime or regulatory issues. Multiple threat actors have used this tactic, such as Vice Society, in an attack against the San Francisco Bay Area Rapid Transit system.
Ransomware-as-a-Service Model (RaaS)
Ransomware infections saw a sharp increase in the first half of 2023 as they were 50% up with the Ransomware-as-a-Service (RaaS) model. With these kits, attackers carry out attacks faster, with the average number of days to execute the attack being four from 60 days.
The Ransomware-as-a-Service (RaaS) model operates on a subscription or commission-based system, making it accessible to individuals with minimum technical expertise. Threat actors no longer need advanced coding skills as they can rent tools from underground markets to launch more devastating attacks.
The RaaS operators like AlphaV, Conti, and REvil are available on the dark web with a range of features and bundles that enable non-technical or amateur hackers to launch successful ransomware attacks. In exchange, these affiliates deduct a hefty amount as a profit gain from the ransom amount. This shift broadens the reach of cyber criminals and increases the frequency and diversity of ransomware infections. All this has posed a significant challenge for individuals, businesses, and critical infrastructure.
The rise of RaaS operators has severe consequences for businesses, including financial and regulatory penalties, operational disruption, and reputational damage. During the infamous ransomware attack on the UnitedHealth subsidiary, Change Healthcare admitted paying a ransom demand of allegedly $22 million to the ALPHV gang. They used stolen credentials to log into the company's Citrix remote access service, which lacks multi-factor authentication. This attack has caused an overall loss of $87 million as of April 2024, and it will likely increase until all investigations are completed.
More Targeted Attacks on IoMT Devices
With the rapid proliferation of the Internet of Medical Things (IoMT) devices like wearable trackers, remote patient monitoring systems, and patient monitoring sensors, healthcare networks are accessed by third-party devices. Unfortunately, this has increased vulnerabilities that attackers can exploit to spread ransomware infection.
According to a study by the Ponemon Institute in 2022, 43% of healthcare organizations in the USA experienced a ransomware attack, and 76% experienced an average of three or more. It also reported that IoMT devices are the primary cause for 21% of all ransomware attacks and lead to adverse effects on patient care.
Recently, Nozomi Network Lab found nearly a dozen security flaws in the GE HealthCare Vivid Ultrasound family and its associated software. The same study further concluded that threat actors could exploit the vulnerabilities to access and alter patient data and install ransomware, eventually disrupting hospital workflow and damaging reputation.
These attacks cause hefty monetary losses and downtime in healthcare services and degrade patient care. For example, a ransomware attack on Medstar Washington Hospital caused the facility to shut down its services completely. Similarly, in another event, a hospital in Los Angeles paid $17,000 in bitcoins as ransom to free its systems.
AI-Powered Ransomware Attacks
The rise of generative AI is another growing concern, as it could lead to more advanced ransomware exploitation in 2024 and beyond. The UK's National Cyber Security Centre (NCSC) issued a report warning that malicious attackers are using AI to evolve ransomware attacks by running advanced reconnaissance.
AI-enabled ransomware attackers can exploit security weaknesses within existing cybersecurity defenses by using AI for reconnaissance. Attackers can also detect and exploit entry points that traditional defenses may neglect. This includes security misconfigurations and zero-day vulnerabilities in software and systems, which further makes it difficult to mitigate against such attacks.
Attackers can also use generative AI to automate various stages of the ransomware infection process. All this increases the efficiency of attacks and reduces the need for human intervention.
Intermittent Encryption
Ransomware attackers even use intermittent encryption tactics to launch attacks. Under this encryption method, they partially encrypt the victims' files and evade the detection systems, causing significant damage. A security vendor discovered this trend in 2021 when the LockBit gang used it. But, in 2022, security researchers found other ransomware gangs, including Black Basta, Blackcat, PLAY, Agenda, and Qyick, using it as an attack vector.
Supply Chain Attacks
Threat actors are targeting supply chain companies to maximize the attack's impact. A weak supply chain leads to ransomware attacks, with 64% of companies believing that the ransomware gangs infiltrate their network via business partners or suppliers.
Instead of extorting the supply chain company, hackers extort their customers. This way, they target multiple companies from a single breach. The most famous example of such a tactic is the Kaseya attack that affected Kaseya and its 1,500 other customers.
Fighting Back Against Ransomware Attacks
Cybersecurity Ventures predicted that the global ransomware cost will exceed $265 billion annually by 2031, with a new attack occurring every two seconds. As ransomware attacks are getting more profitable, organizations must start taking actions to prevent the operational, financial, and legal consequences of the attacks. Some proactive security measures include:
● Employees should receive regular cybersecurity education and ICS cybersecurity training to recognize common attack vectors and strengthen their security posture. Also, the training must emphasize the importance of adhering to security policies and procedures.
● Use extended detection and response (XDR) solutions to continuously monitor and analyze behavior in real-time. It also detects malicious code, deletes their source, quarantines suspicious files, and disconnects or removes the affected endpoint from the network.
● Perform regular security tests, monitoring the suppliers and encrypting the data in transit and at rest to prevent software supply chain attacks.
● Develop a comprehensive incident response plan that outlines essential steps to take if a ransomware attack occurs. This includes isolating affected systems, preserving evidence, notifying relevant parties, and collaborating with law enforcement agencies.
● Adopt the zero-trust approach that requires all the users and devices to verify and authenticate their identity to access the network data and resources. This prevents unauthorized access and mitigate suspicious activities.
● Use patch management tools as they help prevent ransomware attacks by updating the system, software, and applications with the latest patches.
Final Words
Ransomware attacks are becoming the most threatening malware to hit the digital age. They have grown in frequency and severity because attackers' are changing their tactics to increase their success rate. Companies must add more security measures to control these attacks and improve their cybersecurity defense practices. Employees must receive training and be aware in order to respond promptly when such an attack occurs.