Cybersecurity Insights for 2024 Ransomware

Mondo Technology Updated on 2024-02-27

Ransomware is a type of malware. Extortion has always been a popular method of obtaining funds, and always will be. Nowadays, it is probably more prevalent in the online world than in the physical world.

We can learn from its history. It has always existed at the national level (Denmark), at the gang level (protection money) and at the individual level (bullying). This practice is now part of the cyber world and still involves nation-states, criminal gangs, and individual hackers. Extortion will never go away; only the means change. Criminals fine-tune existing monetization methods to make larger profits, or adapt them to new situations.

The same applies to cyber ransomware, which fundamentally takes the victim's data hostage, by encrypting it, by exfiltrating it, or both. Encrypted and/or stolen data is the lever for cyber extortion.

Ransomware is effective and profitable enough to continue to grow. But it will be fine-tuned, the profit component will be expanded, and new methods of extortion will be explored. Some companies are already using the more generic term CY-X (cyber extortion) to encompass the range of threats evolving around the term ransomware. Extortion is the threat; ransomware is just one (albeit currently the main) method.

Criminal gangs will continue to up the ante and put more pressure on victims. This includes more information operations: engaging in more public shaming on social media and the open web, reaching out directly to executives, employees and customers to exert pressure, and, as Keith Mularski, EY Consulting Cybersecurity MD, warned, "threats of violence – including against family members".

Matt Waxman, senior vice president and general manager of data protection at Veritas Technologies, gives a concrete example of how ransomware extortion can continue to evolve. "By 2024, we expect hackers to move to targeted unit-level data corruption attacks, i.e., secretly planted deep within the victim's database, which covertly alter or corrupt specific but undisclosed data if the target refuses to pay the ransom."

Waxman continued, "The real threat is that victims won't know what data, if any (the hackers may be bluffing), has been altered or corrupted until there is an impact, effectively making all of their data untrustworthy."

"The only solution for victims is to ensure that they have a secure copy of their data and are 100% sure that the data is not corrupted and can be recovered quickly."
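Waxman's point is that silently altered records make the whole dataset untrustworthy unless a known-good copy can be verified record by record. As an added example (not code from the article or from any vendor named in it), the Python below keeps a keyed per-record integrity manifest for a constructed invoice table, uses it to pinpoint which rows were altered, and picks the first backup copy that still matches; the table, key and record ids are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample table: invoice id -> record. Not real data.
BASELINE_ROWS: Dict[str, dict] = {
    "inv-1001": {"customer": "acme", "amount_cents": 125000, "status": "paid"},
    "inv-1002": {"customer": "globex", "amount_cents": 980000, "status": "open"},
    "inv-1003": {"customer": "initech", "amount_cents": 45000, "status": "open"},
}

# Constructed manifest key. In practice it lives off the database host (e.g. in
# the backup system's key store), so an intruder with write access to the data
# cannot simply recompute the manifest after editing rows.
MANIFEST_KEY = b"example-manifest-key-keep-off-the-db-host"

def record_digest(key: bytes, record: dict) -> str:
    """Keyed digest over canonical JSON so field order cannot cause false alarms."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def build_manifest(key: bytes, rows: Dict[str, dict]) -> Dict[str, str]:
    """One digest per record, taken while the data is known to be good."""
    return {rid: record_digest(key, rec) for rid, rec in rows.items()}

def verify_rows(key: bytes, manifest: Dict[str, str], rows: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare a snapshot against the manifest and report exactly which records differ."""
    altered, missing = [], []
    for rid, expected in manifest.items():
        if rid not in rows:
            missing.append(rid)
        elif not hmac.compare_digest(expected, record_digest(key, rows[rid])):
            altered.append(rid)
    added = [rid for rid in rows if rid not in manifest]
    return {"altered": sorted(altered), "missing": sorted(missing), "added": sorted(added)}

def first_clean_copy(key: bytes, manifest: Dict[str, str],
                     copies: Dict[str, Dict[str, dict]]) -> Optional[str]:
    """Name of the first backup copy whose rows all match the manifest, else None."""
    for name, rows in copies.items():
        if not any(verify_rows(key, manifest, rows).values()):
            return name
    return None

# Constructed scenario: one amount in the live table is silently changed by a
# digit, the nightly backup already mirrors the edit, an older weekly copy is intact.
MANIFEST = build_manifest(MANIFEST_KEY, BASELINE_ROWS)

LIVE_ROWS = json.loads(json.dumps(BASELINE_ROWS))
LIVE_ROWS["inv-1002"]["amount_cents"] = 98000  # no error is raised anywhere

BACKUP_COPIES = {
    "nightly-2024-02-26": json.loads(json.dumps(LIVE_ROWS)),     # taken after the edit
    "weekly-2024-02-18": json.loads(json.dumps(BASELINE_ROWS)),  # taken before it
}

if __name__ == "__main__":
    print(verify_rows(MANIFEST_KEY, MANIFEST, LIVE_ROWS))
    print(first_clean_copy(MANIFEST_KEY, MANIFEST, BACKUP_COPIES))
```

The manifest has to be refreshed from a trusted baseline whenever legitimate writes happen, which is why such checks are usually run against backup snapshots rather than the live table.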

Encryption-free ransomware is nothing new, but it will continue to expand. It evolved from the earlier concept of double extortion: first data exfiltration, then data encryption. If encryption alone doesn't produce a ransom payment, the subsequent disclosure of sensitive data can lead to brand damage and potential compliance fines.

With fewer and fewer companies paying for decryption (through pressure, better decryption possibilities, and cyber insurance restrictions), criminals sometimes abandon this aspect of extortion altogether.


Rik Ferguson, VP of Security Intelligence at Forescout, said, "Due to the time-consuming and meaningless overhead of traditional ransomware operations, threat actors prefer to 'deny confidentiality' via leak sites rather than 'deny access' via encryption. Data theft and extortion work equally well for them, but without significant administrative overhead, no frustrating backup restores, and no cryptographic module coding."

It also allows attackers to better conceal their attacks. Mark Stockley, cybersecurity evangelist at Malwarebytes, explains, "Ransomware attacks will evolve from 'malware encryption' to 'malware-free data theft.' Stealing data, rather than encrypting it, allows criminals to hide in plain sight by 'living off the land' – using the legitimate management tools they find on the networks they're attacking, which don't trigger security software to detect malware. Attacks without malware shift the burden of detection from the malware discovery software to the anomaly finder."

A new extortion variant emerged at the end of 2023, usable in conjunction with encryption or data breaches: ALPHV Blackcat reported MeridianLink to the SEC. Sean Deuby, Chief Technologist for North America at Semperis, commented: "With the new SEC disclosure ruling taking effect [on December 15, 2023], requiring companies to report 'significant' cybersecurity incidents within four days, this strategy is expected to become the norm in ransomware attacks. The SEC will have an army of less altruistic aides."

The initial danger of AI in extortion lies less in the malware itself (although AI will eventually be used to find exploitable vulnerabilities) than in laying the groundwork for the spread of malware. "Generative AI is definitely going to be a factor in ransomware. The principles are fairly simple: given a goal, you can scrape employee lists from LinkedIn, scrape their profiles and posts, and search the same person's social networks through search engines, as well as publicly available data," explains Philippe Humeau, CEO and co-founder of CrowdSec.

"Once you have all the networks for most of your employees, as well as samples of their voices (podcasts), text (X, Instagram, LinkedIn, Meta) and video (YouTube, TikTok), you have everything you need to generate extremely convincing phishing emails." The next thing you know, victims receive a well-designed spear-phishing campaign. In short, AI could intensify phishing, and this increased and improved phishing could exacerbate ransomware.

It's not a sure thing. Others argue that the criminals' existing methods are successful enough that they do not warrant the additional cost of AI development. But there may be an inflection point in the future where existing methods fail at an increasing rate and the falling cost of AI offsets the investment.

The path for ransomware to use AI directly is likely to be slow and gradual – perhaps through the concept of MPV (Most Promising Victim). The theory is that organizations that must operate without interruption and have the funds to pay for it will be the most promising victims.

"Ransomware authors will find ways to automatically determine the 'MPV', allowing the ransomware to autonomously decide whether or not the MPV criteria are met; for example, 'Am I in a hospital?', 'Can I access the electronic medical records?'," advises Robert Leong, Senior Director and Head of Product Management at HCL BigFix.

"The reason for this is that calling out to command and control is one of the main ways ransomware gets detected. So ransomware is more successful if it can autonomously determine where it is, what type of organization it's in, and what to encrypt," he continued. Artificial intelligence can be introduced to provide and improve this silent automation.

Historically, hacktivism has been associated with domestic ideological issues. Amir Hirsh, head of Tenable OT Security, believes this will continue in 2024, with hacktivists using ransomware to increase their publicity. "Hacktivist groups, in particular, target factory agriculture and energy producers based on their ideology in order to gain the maximum degree of popularity and notoriety," he commented.


At the same time, extreme geopolitical tensions caused by the wars in Ukraine and Gaza will add to the international, rather than domestic, elements of hacktivism. Ilia Kolochenko, chief architect at ImmuniWeb, said: "Next year, we should expect politically motivated hacktivists to launch large-scale and unavoidable attacks against innocent companies and organizations in a given country or region."

These attacks can be highly destructive and are designed to paralyze the operations of businesses that have little or nothing to do with the political process in the host country. "Hospitals, schools, and even CNI network infrastructure, such as water facilities, can suffer long-term and irreparable damage."

Wipers may, but need not, be linked to ransomware. Consider a data-encrypting variant of ransomware with no means of decryption: that is a basic wiper.

This is an attractive option for geopolitically motivated attackers, especially those who may be labeled as nation-state affiliates. It can be disguised as failed ransomware, i.e., a financially motivated criminal attack. It is difficult to classify a criminal attack as cyber warfare (cyber warfare, in addition to being destructive, must also exhibit a nation-versus-nation element). See "What is Cyber Warfare?" for a fuller discussion, and consider the insurer's refusal to pay Merck over NotPetya.

WannaCry and NotPetya are good examples. WannaCry has no decryption capabilities, and NotPetya wreaked havoc all over the world. But both were "disguised" as ransomware and, although attributed to Russia, cannot be shown to have followed clear instructions from its government. The danger lies in such accidents recurring in the future. "As hostile nation-states continue to wage war against other nation-states, we will definitely see things like WannaCry and NotPetya happen again," Leong warned. "It is expected that hostile nation-states will continue to include it in their toolbox, especially as regional hot wars expand."

Despite this, most hostile countries use wipers sparingly. They could provoke a full-scale cyber war, and in today's cyber world the principle of absolute deterrence still holds. A full-scale cyber war would lead to reciprocal, outright cyber sabotage; therefore the wipers used by the world powers (NATO, Russia, etc.) are either aimed precisely at the hot war zone or avoided altogether. (The Middle East is an exception because it is primarily regional, not global.)

Humeau has another reason to doubt that the great powers will use wipers. "Most of the time, I'm not sure if they really work for a nation-state. It's only when you need to use your strengths against your opponents that you expose your disguise. It's best to stay home, keep a low profile, and use initial access when needed. Hibernation is not a thing of the past, but a thing of the future."

However, criminal gangs have not been deterred by fears of cyber warfare. The increasing aggressiveness of non-state hacktivists could easily lead to an increase in wipers in 2024. "We've also seen the development of new data destruction strategies, including custom data theft tools and time-activated wipers, which adds an extra layer of pressure," commented Marcelo Rivero, Senior Malware Research Engineer at Malwarebytes.

Will there be more wipers in 2024? "Possibly," Mularski said. "Intention is the driving force and the least important factor." Of course, a pure wiper (even one disguised as ransomware) is technically not ransomware: its purpose is not extortion but destruction.

Ransomware-as-a-Service (RaaS) is part of the growing specialization of cybercrime. Serious and skilled criminals have developed a separation of roles. A gang consists of individual malware coders, access finders (often separate initial access brokers), financial operators, and marketers. These combine to provide ransomware services to affiliates, or rent out complete ransomware packages. It serves several purposes: it helps keep the real criminals away from researchers and law enforcement, and it allows more criminals with lower technical skills to launch potentially damaging ransomware attacks. It is known as the "democratization" of ransomware.

"This will depend on the marketing efforts of ransomware threat actors around establishing affiliate programs and reducing friction in the onboarding process," said Gerald Auger, an advisor and adjunct professor at The Citadel (the Military College of South Carolina). "Sadly, the top ransomware threat actors (Lockbit, Blackcat, Conti, before they were disbanded) operate like a professional business with many employees. Conti, for example, had more than 100 departments, including HR, so if they find a marketing solution for their RaaS affiliate program, it will be a big concern for CISOs (and the information security industry as a whole)."

Christian Have, CTO of Logpoint, warns, "RaaS will become more prevalent, providing individuals with minimal technical expertise with the means to execute ransomware attacks. Automation will enable initial access brokers to identify and provide a more leak-proof environment. As a result, the frequency of attacks will spike, affecting organizations of all sizes, especially smaller ones with inadequate cybersecurity measures."

RaaS is likely to grow in popularity. "It will continue to expand, especially if the world economy is in recession, as many people have done," Leong commented. "The reason is that many will lose their jobs, and those who are less cautious will see RaaS as a way to continue supporting their lifestyles. Since RaaS usually only requires script-kiddie-level skills, this is appealing to those who are unemployed and looking to make easy money, especially if they want to 'get revenge' on their former employer."

Drew Perry, Chief Innovation Officer at Ontinue, points to Scattered Spider as a practical example of RaaS. The group, which is believed to be an affiliate of ALPHV, was behind the MGM hack discovered in September 2023. "Others will follow suit," Perry warned.

"From our perspective," says Mularski, "RaaS represents the bulk of the extortion threat – there seem to be fewer organizations that operate purely closed private operations." He noted that Lockbit is the most prevalent RaaS operation, with 110 victims in November 2023 alone.

RaaS itself is just one part of the expanding and more prevalent crime-as-a-service (CaaS) economy. Ferguson believes this could lead to a new X-as-a-Service: Victim Analysis as a Service. "Ransomware affiliates have become more selective in their choice of victims, which can be seen in a variety of popular techniques – from revisiting organizations known to pay ransoms to choosing only victims with cyber incident insurance," he said. "As a result, the data of potential victims will be highly sought after and create greater demand for such markets."

The flip side of democratization is ransomware gangs engaging in big game hunting without using the RaaS approach. This typically focuses on the exploitation of zero-day vulnerabilities. In general, a zero-day vulnerability is a one-off that is too valuable to be dissipated through affiliates.

Raj Samani, Senior Vice President and Chief Scientist at Rapid7, commented, "We are observing an increasing number of zero-day vulnerabilities being exploited by ransomware groups, and this trend is unlikely to abate."

Stockley agreed. "With the shift to zero-day attacks, ransomware attacks will increase substantially," he said. But he also noted that automation, which could be aided by AI from 2024, would allow groups to scale up without giving up the share of profits that affiliates take.

"In two waves of attacks this year, the CL0P ransomware gang has shown that it is possible to break free from the scalability shackles of an affiliate model by using zero-day-based automated attacks," he explained. "Previously, it was thought that zero-day was either too complicated or too complex for ransomware gangs. While ransomware gangs will encounter significant hurdles with their widespread use of zero-day vulnerabilities, this cannot be ruled out."

Aside from encouraging better cyber defenses, dismantling criminal infrastructure, and seeking individual arrests, there is little that can be done to prevent cyber extortion. The only thing that would stop extortion is to remove its profitability, which is impossible. There are two possible approaches to the current main form of ransomware: make the ransom payment illegal, or invalidate the payment process (via digital currency).

The first is almost impossible. Humeau explained one of the difficulties: "A country like France has shot itself perfectly in the foot," he said. "For a decade, people have been saying 'no, no one should pay, don't feed the monsters,' and now, a blurred line is that insurers see a great opportunity to sell policies, but they know they don't actually pay out. Since they have incorporated specific exceptions, these must be met. However, for policies that do pay, cybercriminals know the exact amount that the insurance company is willing to reimburse, and that's the amount they're now trying to extort from their target."

However, not everyone is pessimistic about action against ransomware. Jose Araujo, CTO of Orange Cyberdefense, is optimistic. "We anticipate that cyber extortion campaigns driven by coalition policy may be ... tipping point. More than 40 member countries of the International Counter Ransomware Initiative have agreed to a joint policy declaring that member governments should not pay ransoms demanded by cybercriminal groups. They also agreed on a shared blacklist of wallets used by ransomware actors, a commitment to hold actors accountable, and other initiatives. We have yet to see its impact on CY-X statistics, but it is expected that this collaboration could undermine the future viability of the CY-X ecosystem."

Others are less optimistic. Claude Mandy, Chief Evangelist at Symmetry Systems, argues, "By 2024, the United States will no longer enact any more comprehensive state or federal legislation to prohibit ransom payments. Instead, we will continue to strongly encourage organizations not to pay ransoms, and law enforcement and federal agencies will continue to target exchanges and organizations that facilitate ransom payments to cybercriminals through sanctions and similar measures, and by imposing higher demands on victims to disclose ransomware payments."

The current global geopolitics is not helping the efforts of law enforcement. "Law enforcement agencies and prosecutorial authorities [cannot] cooperate in complex cross-border investigations of organized cybercrime," Kolochenko noted. "Ultimately, cyber gangs operate peacefully with impunity in non-extraditable jurisdictions and enjoy a steady increase in income paid by desperate victims. Given that ransomware is a scalable and highly profitable business from an economic standpoint, it's likely that we'll see it spread like a hydra across the globe next year."

The result, he warns, is that, combined with pay-as-you-go RaaS, "good old ransomware is likely to become a global cyber epidemic in 2024."

However, while ransom payments made through digital currencies may not be eliminated, market forces may succeed. Stockley raised the possibility of a cybercrime "singularity": Bitcoin crashing to zero and destroying ransomware with it. "The most serious thing that can happen to cybercrime is the disappearance of Bitcoin, which may be unlikely, but not impossible," he said. "It takes a huge effort to keep Bitcoin running, and the crypto bubble has burst completely."

He continued: "If Bitcoin starts to decline substantially, the incentives to keep the massive infrastructure it relies on running could collapse, which could lead to a loss of confidence in other cryptocurrencies. Despite the abundance of digital currencies, ransomware is closely tied to Bitcoin, and ransomware may not exist without Bitcoin or a very similar alternative. Cybercrime isn't going away, but it will enter a highly unavoidable phase as it reorganizes around new business models."

Ransomware threats will continue to grow and expand. This is a typical business plan for cybercriminals. When the term first appeared, it was associated with encrypted data. This is a misconception. Demanding payment under threat is nothing short of extortion. Ransomware is extortion: extortion through data encryption is just one method.

Criminals are very adaptable. If the profitability of a method decreases, they will change their approach. We've seen this with the growth of big game hunting, the increase in OT targets, the rise of RaaS and AI automation, and a heightened focus on data breaches rather than just data encryption.

The latest variant comes from ALPHV Blackcat. Have explained that the group "filed a complaint with the SEC against MeridianLink alleging its failure to disclose cybersecurity incidents, as a penalty for non-payment of the ransom." He believes that this new extortion tactic could become a major driver of the ransomware economy in 2024, especially with the launch of NIS2.

In 2024 and beyond, extortion will continue to grow. It is the basis of crime. Its methods are constantly changing, and its appearance will keep changing. But in general, ransomware threats will continue to worsen.
