As Ransomware Groups Evolve, How Do Police and Defenders Keep Up?

Dec. 24, 2024
Proactive defense needs to be prioritized, because offense is going to stay on the back foot.

The cyber threat landscape is constantly changing, but ransomware groups remain one of the most significant threats worldwide. Detections of these attacks have been trending downward over the past few years, but the numbers don’t tell the whole story. The decrease in volume comes as these groups increase their sophistication and attack their victims with greater precision and more advanced techniques.

Law enforcement agencies worldwide are constantly racing against these groups to make cybercrime riskier, less profitable, and more difficult—but with criminals operating in underground networks around the world, it’s often an uphill battle. As police tactics innovate, criminals are doing their own work to stay ahead. Meanwhile, IT teams are facing greater challenges to improve their organization’s security.

Ransomware is Changing

Over the past few years, ransomware groups have increased their use of remote encryption and intermittent encryption techniques and exploited more Endpoint Detection and Response (EDR) bypasses using unmonitored virtual machines. Multi-ransomware attacks, where criminals sell access to others to launch numerous complex attacks, also begin to complicate things even further.

These methods make it more difficult for organizations to block attacks and for law enforcement agencies to pinpoint their source. But they also serve an additional benefit: cybercriminals use the prestige of successfully executing difficult and large-scale attacks to maintain status in the criminal underground.

Defensive and Offensive Tactics

Cybercriminals don’t face as many deterrents as most expect, given the low number of arrests against the number of unprosecuted crimes. Earlier this year, a notable threat actor marketed t-shirts featuring their FBI Most Wanted image. To address these emboldened attackers, particularly those in regions where arrest or extradition is unlikely, law enforcement agencies have had to change their approach.

Government-imposed sanctions and the inclusion of cybercriminals on wanted lists are common tactics. In the past, federal authorities would wait for these individuals to travel through airports where they could be apprehended. But these techniques are now widely known and no longer as effective.

An ideal measure is to dismantle criminal infrastructure when possible—but recently, this has been followed with an additional step. After taking down a criminal enterprise, law enforcement will engage in "name and shame" campaigns. Police take over ransomware leak/data dump sites to publicize their efforts against these groups and to warn others of the consequences of continued association. The goal is to make a criminal organization toxic and not worth associating with for future criminal endeavors.

In the first half of 2024, law enforcement agencies launched major operations to stop ransomware groups, compromising various platforms used by cybercriminals to carry out phishing operations. Specifically, a targeted law enforcement operation dubbed Operation Cronos disrupted LockBit, the biggest financial threat actor group of 2023.

The visibility of law enforcement's targeting and intelligence efforts is crucial. This transparency was effective with LockBit, as other criminal groups distanced themselves from the organization following the operation.

Encouragingly, there is increased cooperation among global law enforcement agencies, resulting in more robust regional support and faster, more effective responses to these attacks. But there will always be gaps that fall to organizations and IT teams to fill. So, what can we do?

Proactive Security is the Key

The good news is that there are many answers to this question. But just like the threats, the solutions are evolving as well.

In years past, it was common to implement “best-of-breed” layered security models to protect specific points of each organization: email, cloud, network, and so on. But that approach no longer produces the results that it used to. These reactive measures leave defenders overwhelmed and unprepared for many modern attack strategies.

Proactive security is becoming critical. The vast data and technology now available to security teams mean that more effective tools can be used to prevent threats. These include attack surface discovery that helps organizations understand their external and internal vulnerabilities; AI models that prioritize critical assets and actions; and attack path predictions that allow analysts to better prepare for potential attacks. Trend Micro researchers have identified a significant increase in ransomware attack likelihood against users with lower security scores across these metrics, emphasizing the importance of these advanced strategies.

Law enforcement agencies are constantly coming up with new ways to make life harder for these attackers, but the attackers are moving quickly as well. Ultimately, the burden of preventing incidents in the first place remains on organizations and their security teams. Proactive defense needs to be prioritized, because offense is going to stay on the back foot.

About the Author

Jon Clay

Jon Clay has worked in the cybersecurity space for over 27 years. Jon uses his industry experience to educate and share insights on all Trend Micro externally published threat research and intelligence. He delivers webinars, writes blogs, and engages customers and the general public on the state of cybersecurity around the world. An accomplished public speaker, Jon has delivered hundreds of speaking sessions globally. He focuses on the threat landscape, cybercriminal undergrounds, the attack lifecycle, and the use of advanced detection technologies in protecting against today’s sophisticated threats. Within Trend Micro, Jon has held roles as sales engineer, sales engineering manager, training manager, product marketing manager, and director of global threat communications before becoming Vice President, Threat Intelligence.

Jon is a volunteer speaker for our Internet Safety for Kids and Families program. This experience has given him a broad technical background, an understanding of business security requirements, and an excellent understanding of the threat landscape. In his spare time, Jon enjoys fly fishing, fly tying, golf, tennis, and spending time with his family.