A Deep Dive into the Evolution of Ransomware Part 2

Ransomware has become an increasingly damaging presence, wreaking havoc on organizations of all sizes and across industries. Without understanding the traditions that underpin these malicious strategies, combatting them can feel like a daunting task.


In part one, we explored ransomware’s evolution to gain perspective on how cybercriminals adapt their tactics in response to changing threats. This entry looks into factors that trigger changes in cybercriminals’ business models.


Triggers for a paradigm shift

Cybercriminals are a savvy and adaptive bunch, capable of quickly changing their business model in response to changes within the information security landscape. There are several triggers that could prompt them to make subtle evolutions or major revolutions in ransomware operations:


  • Increase in successful law enforcement activities against ransomware groups

    Law enforcement and security researchers are in an ongoing battle against ransomware groups, with multi-jurisdictional takedowns of criminal organizations and computer experts’ monitoring activities posing a major threat to the spread of this malicious software.

    As these efforts aim to make it more difficult for hackers, paranoia is arising within their ranks that someone may be working undercover with law enforcement or other security professionals.


  • Government regulations on cryptocurrency

    The advent of cryptocurrency has enabled cross-country monetary exchanges with a high degree of anonymity, greatly incentivizing cybercriminals to deploy ransomware. Consequently, appropriate regulations on the usage and circulation of digital currencies can help limit this activity by reducing its financial reward.

    However, cryptocurrency regulations are expected to have an impact, potentially making money laundering a lot more difficult.


  • More sanctions on ransomware and enabling services

    As a measure of foreign policy, countries worldwide have implemented economic sanctions aimed at holding individuals and organizations accountable for violations. The United Nations (UN) and the US Treasury Department’s Office of Foreign Assets Control (OFAC) are two prominent entities that maintain sanction lists.

    Some ransomware actors have been put on sanction lists. Some facilitating services, like crypto exchanges, have been designated too. However, the sanctions are expected to have a limited impact on ransomware.


  • Changes in the IT security landscape and move to the cloud

    With an increased number of companies transitioning to decentralized data centres and remote workforces, ransomware groups are expected to struggle with their operations. However, it is also predicted that these actors will adapt and try to find ways to exploit cloud servers.

  • Poor OpSec, which leads to a business reevaluation

    Ransomware as a Service (RaaS) groups are not immune to operational security mistakes. Our team recently identified numerous Tor-hidden websites of RaaS operations whose clear-web IP addresses could be determined, due in part to common oversights such as exposing more services than necessary and a lack of adequate access management on the hidden sites.

    Several prominent RaaS groups have been hacked for months by either law enforcement or security researchers. As a result, we expect that these actors will increase their OpSec.


What ransomware will look like in an evolution

In recent years, ransomware has become a pervasive threat that can lead to challenges. From government institutions and hospitals to enterprises and critical infrastructure, no organization was safe from the scourge of these cyber-attacks, with increasing ransom demands leaving organizations vulnerable.

However, in 2022 there appears to be a stabilization of this malicious activity, though that does not mean the issue at hand will simply disappear into the night; rather, ransomware will likely just evolve gradually over time, potentially even developing its revolution, culminating in something more sophisticated than what we have seen before. It could lead towards rationality among perpetrators as they hone their skills, making them ever more professional operators within cyberspace. For instance, during attacks, while also implementing better operational security measures.

Recent reports indicate that nation-state actors are turning to ransomware for reasons beyond monetary gain. Nation-state actors have long utilized it as a smokescreen to mask their true intent of espionage or destruction, and this type of activity is anticipated to remain popular in the foreseeable future.

Furthermore, evolutions such as utilizing more zero-day exploits and targeting cloud infrastructure may make ransomware even harder to defend against, potentially having an immense effect on its success rate going forward.

As ransomware actors continue to shift their criminal business models, they look for ways to increase profits. Fortunately, we can anticipate and prepare ourselves against the revolutions that may occur in response to incentives like these. By understanding what forces drive them toward innovation, we can stay one step ahead of this ever-evolving threat landscape.

In the final part of this series, we’ll explore the near and far future of ransomware business models and what it means for organizations.
