Are evolving ransomware attack patterns harder to deter?

Evolving ransomware threat patterns are able to target victims to launch successful attacks.
17 August 2021

Ransomware attack patterns affecting organizations can often be difficult to discover, as they continue to evolve. In the past, cybercriminals would often target the same entry points in an organization and try to infiltrate it with malware.

Today, the attack pattern has evolved. Ransomware attacks are now more targeted and focused on finding the right target. Cybercriminals are leveraging AI and machine learning tools to search for victims who are not only of high value, but also vulnerable to a cyberattack.

According to Barracuda researchers, there was a 64% increase in ransomware attacks in the past 12 months. Their analysis of 121 ransomware incidents found that corporations and businesses made up over half (57%) of the ransomware attacks recorded, with 10% of the incidents asking for a ransom below US$10 million, and 30% demanding a ransom in excess of US$30 million.

Between August 2020 and July 2021, 57% of ransomware attacks continued to zero in on municipalities, healthcare, and education targets. Infrastructure-related businesses accounted for 10% of the attacks studied, with the ransomware evolving to target software supply chains. This was clearly indicated in some of the recent ransomware attacks involving fuel company Colonial Pipeline and meat supplier JBS, both of which had their supply chain disrupted by a ransomware intrusion.

For Fleming Shi, CTO at Barracuda, as cybercriminals work towards bigger paydays in the future, the security industry needs to create solutions that are easily consumable for companies of all sizes. For example, the attack on managed services provider Kaseya saw a global disruption, with most of their customers unable to run their processes online.

“Attackers often start with small organizations that are connected to the larger targets and then work their way up. All of us in the security industry have an obligation to turn sophisticated technology into products and services that can be easily consumed by customers,” said Fleming.


Fleming pointed out that evolving attack patterns mean cybercriminals no longer simply rely on malicious links and attachments to deliver ransomware. Instead, they are leveling up their tactics, including finding ways to hijack credentials through phishing attacks and then using them to challenge web applications used by a victim. Once the application has been compromised, the attacker can introduce ransomware and other malware into the system.

Negotiating with cybercriminals 

“It’s important to note that web applications have many forms, including those enabling users to work from home. A web portal for a segment of your IT infrastructure is just as dangerous as a full-blown SaaS application. On multiple occasions in the past year, attackers exploited an application vulnerability to gain control of the application infrastructure and eventually target the most valuable data to encrypt,” explained Fleming in a blog post.

With cryptocurrency gaining traction as well, cybercriminals are demanding higher amounts. However, with the increased crackdown on bitcoin and successful tracing of transactions, Fleming highlighted that cybercriminals are looking to alternative anonymous payment methods, such as the REvil ransomware gang asking for Monero instead of bitcoin.

“In our research, we also saw multiple instances of victims reducing ransom payments by deploying negotiation tactics. JBS negotiated a US$22.5 million ransom payment down to $11 million, and Brenntag, a chemical distributor in Germany, negotiated a US$7.5 million ransom demand down to US$4.4 million. The initial ransom ask may not be the final ask, so if they’re planning to pay, ransomware victims need to exercise negotiation options. The outcome can be savings in the millions,” said Fleming.

At the same time, more organizations are also refusing to pay ransoms, which is likely driving up the initial ransom ask. This trend is accompanied by more collaboration with the authorities and ransom negotiators. For example, the FBI recently uncovered the bitcoin wallets of hacker collective DarkSide and was able to recover some of the ransom funds, and authorities have disrupted payments to the affiliates of the ransomware group.

“These are encouraging signs in the fight against these cyberattacks. Beyond legal action, we have also seen the White House speaking directly to world leaders and demanding tough actions against harboring cybercriminals. Given the high-profile, high-impact nature of recent attacks, particularly attacks against critical infrastructure, I believe the U.S. government is no longer just sending warnings. It is ready to take serious actions even against nation-states if there is clear evidence of accomplice or negligence in policing cybercriminals,” said Fleming.