How ransomware is evolving to evade detection
While some reports show the number of ransomware attacks actually fell in 2022, none of us inside the industry were declaring victory. Cybercriminals are notoriously nimble, and they’re shifting their strategies, making them harder to spot and harder to outmaneuver. While cyber professionals must constantly look for every security hole, cybercriminals need only find one.
This year, we’re seeing threat actors focus principally on two sets of tactics – specialization and the deployment of new ransomware techniques aimed at avoiding detection. No matter how quickly MDR and XDR providers innovate detection methods and flag threats, cybercriminals will continue to hone their skills at the same, if not quicker, speeds.
Specialization of Crime
First, specialization. Since ransomware first took root in the mid-2000s, perpetrators built out large, vertically integrated cybercrime organizations, giving them the necessary resources to carry out big jobs. But that’s changing. Now, cybergangs are following the ransomware as a service (RaaS) model – outsourcing many of the functions and stages of a typical ransomware attack, giving only a small portion of the ransom to the original structure designers.
This is changing the makeup of the cybercrime business. The fact that organizations are slimming down and creating networks of specialist partners makes them more resilient to law enforcement takedowns and more difficult to track. That’s a given. What it also has done is create a market where smaller groups – or even individual contractors – can develop deep, targeted sets of skills that can elevate the effectiveness of a ransomware attack. Similar to how a specialist in safe cracking contributes to a successful bank robbery.
Rather than carry out a ransomware attack from beginning to end, one group may target the victim and then hand it off to a series of contractors to perform a whole string of tasks. One sets ransomware demands, a second maximizes the infection, a third executes the ransomware, a fourth negotiates with victims, and so on. Each of these functions requires specialized skills, and each one reinforces the recent demand for advanced threat detection and response across a business’ entire footprint, not just the endpoints.But it doesn’t end there. Ransomware initiators are contracting with specialists of all kinds, opening up opportunities for talent from a variety of disciplines. Skilled negotiators are contracting with cyber outfits, arguing that they can bring in 20% premiums on specific jobs. As cyber gangs compete with each other for work, they hire marketers to perform competitive intelligence. Cybergroups don’t tend to completely trust one another, so each brings in its own cryptocurrency experts to help them move their money. Developers provide code for non-malicious back-end tasks. And some outfits are even bringing in business and people managers to optimize their resources.
This is creating a budding, adaptable ransomware ecosystem.
But an ecosystem alone won’t stop cybercriminals from getting caught. The stakes are high, so thieves are trying out new ways to avoid detection by targeting businesses deemed soft targets and potential gateways to a larger organization.
Some are shifting away from conventional programming languages onto lesser-used platforms like Rust, Go, and Swift. They do this for several reasons. More exotic languages that aren’t commonly used can evade endpoint solutions and hinder researchers’ analyses. If thieves are harder to spot once they’re in your network, they can stay longer and do more damage. Some programming languages enable thieves to write code for multiple operating systems, allowing them to target more environments and more systems.
Exploring New Avenues of Ransom
Another worrying development is that undetectable malicious bootloading tools are now becoming widely available for sale on the black market to just about anyone. Some were previously used only by experienced cyber gangs while others, such as Black Lotus, have anti-hacking features that had been reserved for nation-state APT groups and military operations. Because the malware loads when a user boots up a computer, it embeds itself in the system’s firmware, allowing it to skate past antivirus software security checks and remain undetected.
Additionally, we’re seeing instances of AI’s influence through the expanded use of automated phishing attacks, impersonation attacks and social engineering attacks. Anyone who dislikes chatbots now may dislike them even more when fake chatbots set up to phish bank details from victims grow more sophisticated.
What To Do
How do end users protect themselves against the evolving wave of ransomware tactics? The usual ways. While countertactics will evolve, recommendations and best practices will be roughly the same as they were years ago. No matter the size of your business - even if you cannot build a full-time security operations center - having dedicated tools to hunt threats and flag potential hazards will make all the difference as RaaS models gain more popularity and widen the door to ransomware. Having multiple layers of security, building on traditional endpoint detection and response (EDR) capabilities with extended detection and response (XDR), and making security part of your overall business strategy are the best defenses against emerging threats.
About the author: Martin Zugec is the Technical Solutions Director at Bitdefender, helping to protect the world from cybercrime. He has over 20 years of experience in IT, spending most of his career in the field as an architect. He specializes in large-scale projects that often involve automation and security, working for many Fortune 500 companies on projects all around the world. Today, he is speaking at conferences, blogging, explaining technology, and getting engaged with technical communities. He is curious about the world around him and likes to think out of the box.