Ransomware resurgence: Tackling the new generation of cyber threats
Sadly, few phrases describe cyber criminal groups better than 'survival of the fittest'. They are constantly refining their tactics to cause greater disruption and earn even bigger profits. The ransomware ecosystem is a resilient and lucrative business model, and attacks are causing huge pain for organizations.
Just look at the recent attack on the British Library. The attack rendered the British Library’s website inoperative, and it’s been reported the institution may have to spend £7 million to recover. The Rhysida group, who were responsible for the attack, disseminated hundreds of thousands of confidential documents on the internet, encompassing both customer and employee information.
Ransomware groups have shown a hydra-like ability to recover -- as may now be happening with Lockbit -- but while we might not be able to stop ransomware attacks completely, we can improve our understanding of their tactics.
By gaining insights into the tactics and techniques of ransomware actors, organizations can better equip themselves with the knowledge to develop more effective defensive strategies against these attacks.
Ransomware still on the up
The fight against ransomware has been raging for years, and in 2023 it showed no signs of slowing down. In fact, incidents of multi-point extortion ransomware increased, with attackers employing techniques which not only degraded their victims' operations but also exfiltrated their data for use in further extortion attempts.
WithSecure's research found that data leaks in the first three quarters of 2023 surged by nearly 50 percent compared to the same period in 2022. Furthermore, there were more advertised leaks in the first nine months of the year than across the whole of 2022.
Ransomware continues to be a major problem for every CISO in every industry. But who is driving this upsurge?
As in previous years, we’ve seen that the majority of ransomware activity is dominated by a few primary brands -- Lockbit, 8Base, Alphv/BlackCat, Clop, and Play accounted for over 50 percent of the leaked data. However, there are also new ransomware brands that have emerged in the last year.
Between January and September 2023, almost half of the 60 identified ransomware brands were newcomers, and they played a major role in driving up attacks. They accounted for nearly half of all the multi-point extortion ransomware groups tracked in 2023, and about a quarter of all leaks.
This shows the endless staying power of ransomware. Despite the work of law enforcement agencies and the cybersecurity industry itself to take down groups, there is a seemingly endless supply of new cyber-crime brands and groups starting afresh.
However, whilst there are many new ransomware groups, their playbooks are often not at all innovative, and many of these new gangs have connections to older brands and groups of operators.
The new era of ransomware: linking past to present
In the world of cyber-crime, new ransomware operators often seek resources from and association with established actors. Many seemingly new ransomware brands are in fact just re-brands or descendants of older more established criminal networks, leveraging reused malware code and playbooks.
For example, the dissolution of the infamous Conti group in May 2022 paved the way for new gangs. Royal, Akira, and Black Suit are all notable beneficiaries of Conti's legacy. This trend is not unique to Conti; other nascent ransomware groups have also adopted leaked source code from the likes of Lockbit and Babuk. And it's not only the source code that is shared; human resources also move around as individuals take their expertise and resources from one group to another.
This practice not only reveals the interconnected nature of ransomware groups but also highlights a reliance on proven methods that fuel their success. With ransomware brands and groupings coming and going so quickly, new entrants look to proven tactics and techniques which they know work to maximize their returns.
Whilst an increase in the number of ransomware groups is not a good thing, the lack of innovation is a boon for defenders. The practice of reusing code provides cybersecurity researchers with a valuable means to trace these groups' origins and relationships: a "new" encryptor that carries the same distinctive routines as a leaked codebase reveals its ancestry, and with it the operational tactics that are likely to follow. This reuse of known ransomware types and tactics is particularly advantageous for organizations, enabling them to more accurately predict and prepare for potential threats.
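The following is an added, self-contained illustration of the lineage-tracing idea above; it is not WithSecure tooling and not code from the article. Three constructed "samples" are built from seeded pseudo-random bytes: PARENT and CHILD share a long routine (as a re-brand built on leaked source would), all three share a short "runtime" blob standing in for compiler and library code that every binary carries, and UNRELATED shares nothing else. Similarity is the Jaccard index over byte 4-grams, with 4-grams common to every sample dropped first so that shared runtime code does not masquerade as shared authorship. The sample names, sizes and ransom-note strings are all assumptions made for the example.

```python
"""Toy code-reuse comparison for ransomware lineage tracing.

Constructed example, not WithSecure tooling: the three 'samples' below are
seeded pseudo-random bytes, so nothing here is a real binary or a real hash.
"""
import random
from itertools import combinations

N = 4  # n-gram length; 4-byte windows over random bytes almost never collide by chance


def _blob(seed: int, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code (constructed)."""
    return random.Random(seed).randbytes(size)


RUNTIME = _blob(0, 150)          # present in every sample: runtime / library code
SHARED_ROUTINE = _blob(1, 600)   # distinctive routine reused by the descendant brand
PARENT = RUNTIME + _blob(2, 200) + SHARED_ROUTINE + b"Your files are encrypted. Contact parent@example.invalid"
CHILD = RUNTIME + _blob(3, 200) + SHARED_ROUTINE + b"ALL DATA LOCKED. Write to child@example.invalid"
UNRELATED = RUNTIME + _blob(4, 800) + b"Pay or else."
SAMPLES = {"PARENT": PARENT, "CHILD": CHILD, "UNRELATED": UNRELATED}


def byte_ngrams(data: bytes, n: int = N) -> set[bytes]:
    """Set of all overlapping n-byte windows in the sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard index |a & b| / |a | b|; 0.0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity_matrix(samples: dict[str, bytes], drop_common: bool = True) -> dict[tuple[str, str], float]:
    """Pairwise similarity between samples, keyed in both orientations.

    With drop_common=True, n-grams present in every sample (runtime code)
    are removed before comparison, so they cannot inflate every score.
    """
    grams = {name: byte_ngrams(blob) for name, blob in samples.items()}
    if drop_common:
        common = set.intersection(*grams.values())
        grams = {name: g - common for name, g in grams.items()}
    matrix: dict[tuple[str, str], float] = {}
    for a, b in combinations(grams, 2):
        score = jaccard(grams[a], grams[b])
        matrix[(a, b)] = matrix[(b, a)] = score
    return matrix


def closest_relative(name: str, samples: dict[str, bytes]) -> tuple[str, float]:
    """Return the other sample most similar to `name` and its score."""
    sims = similarity_matrix(samples)
    others = [other for other in samples if other != name]
    best = max(others, key=lambda other: sims[(name, other)])
    return best, sims[(name, best)]


if __name__ == "__main__":
    sims = similarity_matrix(SAMPLES)
    for (a, b), score in sims.items():
        if a < b:
            print(f"{a:>9} vs {b:<9} {score:.3f}")
    relative, score = closest_relative("CHILD", SAMPLES)
    print(f"CHILD is closest to {relative} ({score:.3f})")
```

Against real samples the same approach is applied to disassembled functions or fuzzy hashes rather than raw byte windows, and the common-n-gram filter is replaced by a corpus of known library code; the caveat it demonstrates still holds, since shared packers and runtimes are the usual source of false kinship.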
Enhancing cyber security measures against ransomware
The use of tried and tested tactics by new ransomware threats offers organizations an opportunity to predict attack strategies and bolster their defenses accordingly. Despite a stark increase in ransomware, there are effective strategies to mitigate its impact.
The key to defending against ransomware attacks is a continuous, proactive cybersecurity posture. Security measures need to move beyond asset discovery and monitoring: regular automated vulnerability scanning, paired with prompt remediation of what it finds, shrinks the window in which a known weakness can be exploited.
An organization's arsenal should expand beyond the foundational Endpoint Detection and Response (EDR) and Endpoint Protection Platforms (EPP). It should also include advanced threat intelligence and automated response capabilities, which together significantly enhance organizational resilience.
Adopting a comprehensive security strategy that leverages EDR and EPP, as part of a multi-layered defense will help organizations to adapt to the evolving cyber threat landscape, offering deeper insights and stronger capabilities to counter ransomware effectively. In the face of more attacks and more groups, the key to cyber security is vigilance and adaptability.
The efforts of law enforcement are vital, but we know that when one brand disbands or is taken down there is a high likelihood it will reform and re-emerge in a different guise. For organizations that need to defend against these ever-active groups, knowledge is power; by understanding that most of them operate with tried and tested methods, organizations are better equipped to predict, anticipate, and fortify their defenses accordingly.
Stephen Robinson is Senior Threat Intelligence Analyst at WithSecure.