The Evolution of Ransomware: What to Expect in 2020 and Beyond

Keeping pace with rapid change within the cybersecurity field, the evolution of ransomware has been swift and complex since the malware’s inception. The scattergun approach to ransomware distribution that used to be popular with criminals (peaking in 2017 with the WannaCry attack) has now fallen by the wayside in favor of more targeted attacks on individual businesses.

The driver behind this change is simple: businesses are more likely to submit to the demands of the ransomware. They’re scared of the regulatory fines that they will be subject to if any data gets exposed (particularly since the advent of GDPR and other similar regulatory measures recently introduced across all 50 U.S. states) so criminals know that they are more likely to pay, and pay big, if they fall prey to an attack.

Attackers have been emboldened in this approach due, in no small part, to ransomware growing in sophistication. Look at Sodin (Sodinokibi) ransomware as one example – released in 2019, it can burrow deep into a system to elevate privileges by planting itself in CPU architecture. This makes it much harder to detect and, therefore, less likely to be removed.

The Evolution of Ransomware is Driven by Profitability

Attackers don’t want to waste their time on ransomware that isn’t delivering on profitability. As ransomware becomes more sophisticated, the chances of its success increase. When criminals are confident that they can profit from organizations with deeper pockets than your average PC user, you bet they’re going to give it a shot. And that’s exactly what’s happening now.

This doesn’t mean that attackers have a lot of easy wins under their belts. Targeting specific businesses may require a lot of “dwell time” on a victim network, spending anywhere from days to months trying to identify a chink in the armor that they can exploit. Because of this, companies have time to detect and remediate any malicious presence. If they’re quick to act, they emerge unscathed and the only loss will be felt by the attacker. But if the attacker’s patience pays off, they’re likely to hit the jackpot.

How Doxware is Changing the Game

There are new malware tactics being deployed by attackers which are helping them to seal the deal during a successful ransomware attack. Look at doxware, for example, heralded by some as the next step in the evolution of ransomware. It may be new on the block – it was only in November 2019 that Maze ransomware became the first to offer attackers the ability to upload stolen data to a public site if they don’t receive payment – but it adds a new threat level that wasn’t there before. And it’s gaining in popularity: since November, we’ve seen several new doxware products come onto the market.

While the profits associated with successfully attacking a large organization were compelling enough for most malicious actors, the ability to threaten the exposure of sensitive data makes attacking large organizations irresistible. The leverage that they gain through doxware is worth the additional time and effort expended during these targeted attacks. The more fear they can incite, the higher the payout.

OT Environments are Under Increasing Threat from Ransomware

Another way that the use of ransomware is developing can be found in the network areas in which it is, and will be, deployed. Specifically, criminals are honing their focus on operational technology (OT) environments. These are areas which are incredibly difficult to protect: they run on outdated technology which cannot be scanned or patched; many machines and devices are critical to operations and so cannot be turned off; and, although a lot of these machines pre-date the internet, they are now being forced to connect with web-connected devices. They are also important at a nation-state level (particularly thinking about utilities like oil, gas, water, electricity, etc.).

New viable ransomware attacks on OT-adjacent systems have been demonstrated; this is something that’s only going to increase. As seen in the Vulnerability and Threats Report 2020, the number of new advisories issued by ICS-CERT between 2019 and 2020 increased by 53 percent. Attackers are coming after OT; ransomware is a very valuable tool and it’s doubtless that they are going to use it to its full potential.

We’re Going to Hear About More Ransomware Attacks This Year

We can also expect to hear about more incidents as a result of companies now being forced to disclose data breaches. This is important to consider when you hear stories about a rise in ransomware attacks over the next year – the actual number of ransomware attacks may not dramatically increase, but the number of public disclosures will. Companies now have nowhere to hide.

Finally, it’s important to talk about the current sophistication level of ransomware. Although attackers have made a lot of progress in terms of the malware’s sophistication, as an industry it is still fairly rudimentary from an economic perspective. There is a lot of room for growth, both in terms of malware sophistication and financial potential. The market is far from being saturated and the tools which are currently being deployed are not yet operating at maximum efficiency. Like any professional in any other industry, we can expect to see ransomware developers and deployers work to improve efficiency. This means that there will be greater depth to the business models used by deployers, including the intelligence on which their deployments are based.

Really, we are in the early stages of ransomware’s potential. The need for security leaders to understand how criminals are able to implant this malware within their networks is great now and will get greater still as time moves on. The time to act to protect businesses from the real and present threat of ransomware is yesterday; if businesses fail to contain their network perimeter, they will likely be forced to pay out a lot of money – both to criminals and to relevant regulatory authorities.