About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.
SecurityWeek Cyber Insights 2023 | Ransomware – The key purpose behind cybercriminality is to gain money. Extortion has always been a successful and preferred method to achieve this. Ransomware is merely a means of extortion. Its success is illustrated by the continuous growth of ransomware attacks over many years.
The evolution of ransomware has not been static. Its nature has changed as the criminals have refined the approach to improve the extortion, and the volume (generally upward) has ebbed and flowed in reaction to market conditions. The important point, however, is that criminals are not married to encryption, they are married to extortion.
The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions: the geopolitical influence of the Russia/Ukraine war, the improving professionalism of the criminal gangs, and more forceful attempts by governments and law enforcement agencies to counter the threat.
The cyberwar effect
The Russia/Ukraine war has removed our blinkers. The world has been at covert cyberwar for many years – generally along the accepted geopolitical divide – but it is now more intense and more overt. While the major powers, so far at least, have refrained from open attacks against adversaries’ critical infrastructures, criminal gangs are less concerned.
“The rate of growth in ransomware attacks is currently slowing slightly [late 2022] – but this will prove to be a false dawn,” suggests Mark Warren, product specialist at Osirium. “Currently, the most successful teams of cybercriminals are focused on attacking Ukraine’s critical infrastructure. The second that conflict is over, all the technology, tools and resources will be redeployed back into ransomware attacks – so organizations and nation states alike must not become complacent.”
One of the most likely effects of the European conflict will be an increasingly destructive effect from ransomware. This has already begun and will increase through 2023. “We are seeing an increase in more destructive ransomware attacks at scale and across virtually all sector types, which we expect to continue into 2023,” comments Aamir Lakhani, cybersecurity researcher and practitioner for FortiGuard Labs.
“Ransomware will continue to make headlines, as attacks become more destructive, and threat actors develop new tactics, techniques, and procedures to try and stay one step ahead of vendors,” agrees John McClurg, SVP and CISO at BlackBerry.
“We expect ransomware to continue its assault on businesses in 2023,” says Darren Williams, CEO and founder at BlackFog. “Specifically, we will see a huge shift to data deletion in order to leverage the value of extortion.”
There are two reasons for this move towards data deletion. Firstly, it is a knock-on effect of the kinetic and associated cyber destruction in Ukraine. But secondly it is the nature of ransomware. Remember that ransomware is merely a means of extortion. The criminals are finding that data extortion is more effective than system extortion via encryption. Andrew Hollister, CISO LogRhythm, explains in more detail:
“In 2023, we’ll see ransomware attacks focusing on corrupting data rather than encrypting it. Data corruption is faster than full encryption and the code is immensely easier to write since you don’t need to deal with complex public-private key handling as well as delivering complex decryption code to reverse the damage once the victim pays up,” he said.
“Since almost all ransomware operators already engage in double extortion, meaning they exfiltrate the data before encrypting it, the option of corrupting the data rather than going to the effort of encryption has many attractions. If the data is corrupted and the organization has no backup, it puts the ransomware operators in a stronger position because then the organization must either pay up or lose the data.”
It should also be noted that the more destruction the criminal gangs deliver after exfiltrating the data, the more completely they will cover their tracks. This becomes more important in an era of increasing law enforcement focus on disrupting the criminal gangs.
But there is an additional danger that might escape from the current geopolitical situation. Vitaly Kamluk, head of the Asia-Pacific research and analysis team at Kaspersky explains: “Statistically, some of the largest and most impactful cyber epidemics occur every six to seven years. The last such incident was the infamous WannaCry ransomware-worm, leveraging the extremely potent EternalBlue vulnerability to automatically spread to vulnerable machines.”
Kaspersky researchers believe the likelihood of the next WannaCry happening in 2023 is high. “One potential reason for an event like this occurring,” continued Kamluk, “is that the most sophisticated threat actors in the world are likely to possess at least one suitable exploit, and current global tensions greatly increase the chance that a ShadowBrokers-style hack-and-leak could take place.”
Finally, it is worth mentioning an unexpected effect of the geopolitical situation: splintering and rebranding among the ransomware groups. Most of the larger groups are multi-national – so it should be no surprise that different members might have different geopolitical affiliations. Conti is perhaps the biggest example to date.
“In 2022, many large groups collapsed, including the largest, Conti,” comments Vincent D’Agostino, head of digital forensics and incident response at BlueVoyant. “This group collapsed under the weight of its own public relations nightmare, which sparked internal strife after Conti’s leadership pledged allegiance to Russia following the invasion of Ukraine. Conti was forced to shut down and rebrand as a result.” Ukrainian members objected and effectively broke away, leaking internal Conti documents at the same time.
But this doesn’t mean that the ransomware threat will diminish. “After the collapses, new and rebranded groups emerged. This is expected to continue as leadership and senior affiliates strike out on their own, retire, or seek to distance themselves from prior reputations,” continued D’Agostino.
The fracturing of Conti and multiple rebrandings of Darkside into their current incarnations has demonstrated the effectiveness of regular rebranding in shedding unwanted attention. “Should this approach continue to gain popularity, the apparent number of new groups announcing themselves will increase dramatically when in fact many are fragments or composites of old groups.”
The increasing sophistication, or professionalism, of the criminal gangs is discussed in Cyber Insights 2023: Criminal Gangs. Here we will focus on how this affects ransomware.
The most obvious is the emergence of ransomware-as-a-service. The elite gangs are finding increased profits and reduced personal exposure by developing the malware and then leasing its use to third-party affiliates for a fee or percentage of returns. Their success has been so great that more, lesser skilled gangs will follow the same path.
“It initially started as an annoyance,” explains Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct, “but now after years of successful evolution, these gangs operate with more efficiency than many Fortune 500 companies. They’re leaner, meaner, more agile, and we’re going to see even more jump on this bandwagon even if they’re not as advanced as their partners-in-crime.”
The less advanced groups, and all affiliates of RaaS, are likely to suffer at the hands of law enforcement. “It is likely that there will be a constant battle between law enforcement agencies and ransomware affiliates. This will either be veteran/more established ransomware affiliates or new ransomware groups with novel ideas,” comments Beth Allen, senior threat intelligence analyst at Intel 471.
“Much like whack-a-mole, RaaS groups will surface, conduct attacks, be taken down or have their operations impacted by LEAs – and then go quiet only to resurface in the future. The instability within criminal organizations that we have observed will also be a contributing factor to groups fading and others surfacing to fill the void.”
As defenders get better at defending against ransomware, the attackers will simply change their tactics. John Pescatore, director of emerging security trends at SANS, gives one example: “Many attackers will choose an easier and less obtrusive path to gain the same critical data. We will see more attacks target backups that are less frequently monitored, can provide ongoing access to data, and may be less secure or from forgotten older files.”
Drew Schmitt, lead analyst at GuidePoint, sees increased use of the methodologies that already work, combined with greater attempts to avoid law enforcement. “Ransomware groups will likely continue to evolve their operations leveraging critical vulnerabilities in commonly used applications, such as Microsoft Exchange, firewall appliances, and other widely used applications,” he suggested.
“The use of legitimate remote management tools such as Atera, Splashtop, and Syncro is likely to continue to be a viable source of flying under the radar while providing persistent access to threat actors,” he added.
But, he continued, “ransomware ‘rebranding’ is likely to increase exponentially to obfuscate ransomware operations and make it harder for security researchers and defenders to keep up with a blend of tactics.”
Warren expects to see criminal ransomware attacks focusing on smaller, less well-defended organizations. “State actors will still go after large institutions like the NHS, which implement robust defenses; but there are many small to mid-size companies that invest less in protection, have limited technical skills, and find cyberinsurance expensive – all of which makes them easy targets.”
This will partly be an effect of better defenses in larger organizations, and partly because of the influx of less sophisticated ransomware affiliates. “We can expect smaller scale attacks, for lower amounts of money, but which target a much broader base. The trend will probably hit education providers hard: education is already the sector most likely to be targeted,” he continued.
He gives a specific example from the UK. “Every school in the UK is being asked to join a multi-academy trust, where groups of schools will be responsible for themselves. With that change comes great vulnerability. This ‘network’ of schools would be a prime target for ransomware attacks; they are connected, and they’re unlikely to have the resilience or capabilities to protect against attacks. They may have no choice but to reallocate their limited funds to pay ransom demands.”
But it won’t just be more of the same. More professionalized attackers will lead to new attack techniques. Konstantin Zykov, senior security researcher at Kaspersky, gives an example: the use of drones. “Next year, we may see bold attackers become adept at mixing physical and cyber intrusions, employing drones for proximity hacking.”
He described some of the possible attack scenarios, such as, “Mounting drones with sufficient tooling to allow the collection of WPA handshakes used for offline cracking of Wi-Fi passwords or even dropping malicious USB keys in restricted areas in hope that a passerby would pick them up and plug them into a machine.”
Marcus Fowler, CEO of Darktrace Federal, believes the existing ransomware playbook will lead to increased cloud targeting. “Part of this playbook is following the data to maximize RoI. Therefore, as cloud adoption and reliance continue to surge, we are likely to see an increase in cloud-enabled data exfiltration in ransomware scenarios in lieu of encryption,” he said. “Third-party supply chains offer those with criminal intent more places to hide, and targeting cloud providers instead of a single organization gives attackers more bang for their buck.”
Evasion and persistence are other traits that will expand through 2023. “We continue to see an emergence in techniques that can evade typical security stacks, like HEAT (Highly Evasive Adaptive Threats) attacks,” says Mark Guntrip, senior director of cybersecurity strategy at Menlo. “These tactics are not only are tricking traditional corporate security measures but they’re also becoming more successful in luring employees into their traps as they identify ways to appear more legitimate by delivering ransomware via less suspecting ways – like through browsers.”
Persistence, that is, a lengthy dwell time, will also increase in 2023. “Rather than blatantly threatening organizations, threat actors will begin leveraging more discreet techniques to make a profit,” comments JP Perez-Etchegoyen, CTO at Onapsis. “Threat groups like Elephant Beetle have proven that cybercriminals can enter business-critical applications and remain undetected for months, even years, while silently siphoning off tens of millions of dollars.”
David Anteliz, senior technical director at Skybox, makes a specific persistence prediction for 2023: “In 2023, we predict a major threat group will be discovered to have been dwelling in the network of a Fortune 500 company for months, if not years, siphoning emails and accessing critical data without a trace. The organizations will only discover their data has been accessed when threat groups threaten to take sensitive information to the dark web.”
Fighting ransomware in 2023
The effect of ransomware and its derivatives will continue to get worse before it gets better. Apart from the increasing sophistication of existing gangs, there is a new major threat – the worsening economic conditions that will have a global impact in 2023.
Firstly, a high number of cyber competent people will be laid off as organizations seek to reduce their staffing costs. These people will still need to make a living for themselves and their families – and from this larger pool, a higher than usual number of otherwise law-abiding people may be tempted by the easy route offered by RaaS. This alone could lead to increased levels of ransomware attacks by new wannabe criminals.
Secondly, companies will be tempted to reduce their security budgets on top of the reduced staffing levels. “Once rumblings of economic uncertainty begin, wary CFOs will begin searching for areas of superfluous spending to cut in order to keep their company ahead of the game,” warns Jadee Hanson, CIO and CISO at Code42. “For the uninformed C-suite, cybersecurity spend is sometimes seen as an added expense rather than an essential business function that helps protect the company’s reputation and bottom line.”
She is concerned that this could happen during a period of increasing ransomware attacks. “These organizations may try to cut spending by decreasing their investment in cybersecurity tools or talent – effectively lowering their company’s ability to properly detect or prevent data breaches and opening them up to potentially disastrous outcomes.”
One approach, advocated by Bec McKeown, director of human science at Immersive Labs, is to treat remaining staff as human firewalls. “I believe that 2023 will be the year when enterprises recognize that they are only as secure and resilient as their people – not their technologies,” she says. “Only by supporting initiatives that prioritize well-being, learning and development, and regular crisis exercising can organizations better prepare for the future.”
Done correctly, she believes this can be achieved in a resource- and cost-effective manner. “Adopting a psychological approach to human-driven responses during a crisis – like a cybersecurity breach – will ensure that organizations fare far better in the long run.”
But perhaps the most dramatic response to ransomware will need to come from governments, although law enforcement agencies alone won’t cut it. LEAs may know the perpetrators but will not be able to prosecute criminals ‘protected’ by adversary nations. LEAs may be able to take down criminal infrastructures, but the gangs will simply move to new infrastructures. The effectively bullet-proof hosting provided by the Interplanetary File System (IPFS), for example, will increasingly be abused by cybercriminals.
The only thing that will stop ransomware/extortion will be the prevention of its profitability – if the criminals don’t make a profit, they’ll stop doing it and try something different. But it’s not that easy. At the close of 2022, following major incidents at Optus and Medibank, Australia is considering making ransom payments illegal – but the difficulties are already apparent.
As ransomware becomes more destructive, paying or not paying may become existential. This will encourage companies to deny attacks, which will leave the victims of stolen PII unknowingly at risk. And any sectors exempted from a ban will have a large target on their back.
While many foreign governments are known to be, or have been, considering a ban on ransom payments, this is unlikely to happen in the US. In a very partisan political era, the strength of the Republican party – with its philosophy of minimal government interference in business – will make it impossible.
In the end, it’s down to each of us…
Ultimately, beating ransomware will be down to individual organizations’ own cyber defenses – and this will be harder than ever in 2023. “There’s no letup in sight,” comments Sam Curry, CSO at Cybereason. “Ransomware continues to target all verticals and geographies, and new ransomware cartels are popping up all the time. The biggest frustration is that it is a soluble problem.”
He believes there are ways to stop the delivery of the malware, and there are ways to prevent its execution. “There are ways to prepare in peacetime and not panic in the moment, but most companies aren’t doing this. Saddest of all is the lack of preparation at the bottom of the pyramid in smaller businesses and below the security poverty line. Victims can’t pay to make the problem go away. When they do, they get hit repeatedly for having done so. The attackers know that the risk equation hasn’t changed between one attack and the next, nor have the defenses.”