The Evolving Landscape of Ransomware: Tactics, Trends, and the Importance of Collaborative Defense
4 Oct 2024
9 MIN read
In today’s digital landscape, ransomware has emerged as one of the most persistent and sophisticated threats facing organisations globally. Ransomware groups, motivated by financial gain and, in some cases, aligned with state-sponsored objectives, continue to evolve their tactics, techniques, and procedures (TTPs) to outpace traditional security measures. This post dives deep into the evolving ransomware ecosystem, exploring advanced tools and vulnerabilities exploited by attackers, targeted industries, the growing nexus between ransomware and intelligence agencies, and the need for collaborative defence strategies. It also outlines the anticipated future trajectory of ransomware groups based on current trends and threats.
Ransomware Groups: A Diverse and Adaptable Threat
Ransomware groups are diverse, operating at various levels of sophistication and under different operational models. Under the Ransomware-as-a-Service (RaaS) model, used by operations such as Hive, ALPHV (BlackCat) and LockBit 3.0, a core team develops and maintains the ransomware, the leak site and the negotiation infrastructure, and affiliates rent access to that framework in exchange for a share of each ransom. This "franchise" approach has fuelled the proliferation of ransomware in the underground market, enabling even less technically skilled actors to launch high-impact attacks. Not every group follows it: Royal, for example, has been reported to operate as a closed team without affiliates, developing and running its own tooling. The two models coexist, and affiliates move between them, which is part of what makes the landscape hard to map.
Tactics and Techniques: A Glimpse into the Ransomware Playbook
Understanding the evolving TTPs used by ransomware groups is crucial for developing effective defences. Initial access is most often gained via phishing emails, leaked or purchased credentials (typically for VPN or remote-access services), or the exploitation of known vulnerabilities in internet-facing software. Once inside, however, advanced evasion techniques have become a hallmark of ransomware operations, enabling attackers to bypass security measures and remain undetected until encryption begins.
A prominent example is EDRKillShifter, a loader used by RansomHub affiliates that drops and loads a legitimately signed but vulnerable driver (the Bring Your Own Vulnerable Driver, or BYOVD, technique) and then abuses that driver's kernel-mode access to terminate endpoint detection and response (EDR) and antivirus processes that would otherwise be protected, clearing the way for the ransomware payload. Two publicly released research tools are often discussed alongside it because they pursue the same end by different routes. EDRPrison does not touch the EDR agent itself; it uses Windows Filtering Platform filters to block the agent's outbound network traffic, so the sensor keeps running but its telemetry never reaches the vendor's console or the analyst. EDR-Preloader takes a third approach: it runs the attacker's code early in process start-up, before the EDR's user-mode DLL is loaded into the process, so the product's user-mode hooks are never installed for that process.
These evasion techniques signal a broader trend in the ransomware space: groups continuously refine their tooling to get past newer security controls. Intermittent (chunk-based) encryption, as seen in Royal ransomware, encrypts only a portion of each file, in fixed-size blocks separated by untouched gaps. This makes the encryption run far faster, so more of the estate is hit before anyone reacts, and it keeps each file's overall entropy and I/O profile closer to normal, so entropy- and behaviour-based detections fire later or not at all, while the file remains unusable without the key. Combined with EDR-disabling loaders, this reflects a shift toward more technically proficient malware that shortens the defender's window to detect and respond.
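The following is an added example, not code from the original post and not Royal's implementation: it contrasts full-file encryption with an intermittent scheme of the kind described above and measures what a naive whole-file entropy heuristic sees in each case. The keystream (HMAC-SHA256 in counter mode), the key, the chunk and skip sizes, and the sample document are all constructed for the demonstration; Royal's real cipher and parameters are not reproduced.

```python
import hashlib
import hmac
import math
from collections import Counter

# Constructed for the example: a repetitive, low-entropy "document" of ~64 KiB.
SAMPLE = b"invoice 2024-10 total due 1,250.00 EUR\n" * 1700
KEY = b"demo-key-not-a-real-ransomware-key"


def keystream(key: bytes, nbytes: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, counter) blocks concatenated.
    Deterministic so the demo is repeatable; NOT the cipher Royal uses."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_full(plaintext: bytes, key: bytes = KEY) -> bytes:
    """Conventional approach: every byte of the file is transformed."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def encrypt_intermittent(plaintext: bytes, chunk: int, skip: int, key: bytes = KEY) -> bytes:
    """Intermittent scheme: encrypt `chunk` bytes, leave `skip` bytes as-is, repeat.
    XOR is its own inverse, so calling this twice with the same key restores the file."""
    out = bytearray(plaintext)
    ks = keystream(key, len(plaintext))  # generous; only a fraction is consumed
    pos = ks_pos = 0
    while pos < len(out):
        end = min(pos + chunk, len(out))
        out[pos:end] = xor_bytes(out[pos:end], ks[ks_pos:ks_pos + (end - pos)])
        ks_pos += end - pos
        pos = end + skip
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Naive whole-file entropy heuristic of the kind some detections rely on."""
    return shannon_entropy(data) >= threshold


def bytes_touched(plaintext: bytes, ciphertext: bytes) -> int:
    return sum(1 for a, b in zip(plaintext, ciphertext) if a != b)


def compare(plaintext: bytes = SAMPLE, chunk: int = 1024, skip: int = 7168) -> dict:
    """Run both schemes over `plaintext` and report what a detector would see."""
    full = encrypt_full(plaintext)
    part = encrypt_intermittent(plaintext, chunk, skip)
    return {
        "plaintext_entropy": shannon_entropy(plaintext),
        "full_entropy": shannon_entropy(full),
        "intermittent_entropy": shannon_entropy(part),
        "full_flagged": looks_encrypted(full),
        "intermittent_flagged": looks_encrypted(part),
        "bytes_touched_full": bytes_touched(plaintext, full),
        "bytes_touched_intermittent": bytes_touched(plaintext, part),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:28s} {v:.3f}" if isinstance(v, float) else f"{k:28s} {v}")
```

With the defaults (encrypt 1 KiB, skip 7 KiB) roughly one byte in eight is touched, the run does about an eighth of the work, and the whole-file entropy stays well under a 7-bits-per-byte threshold that the fully encrypted copy comfortably exceeds. The practical lesson is that a detector keyed on file entropy or on the volume of bytes written per file will under-count an intermittent encryptor; rate-of-change across many files, rename patterns and the loader activity that precedes encryption are more robust signals.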
Comparison of Advanced Malware Tools: EDRPrison, EDR-Preloader, and EDRKillShifter
While all three tools, EDRPrison, EDR-Preloader and EDRKillShifter, aim at defeating EDR, their methods, and therefore the telemetry they leave behind, differ.
- EDRPrison blocks the network telemetry of EDR processes at the host-firewall (Windows Filtering Platform) layer rather than touching the processes themselves; the sensor keeps running locally but its alerts never reach the management console.
- EDR-Preloader runs attacker code before the EDR's user-mode component is loaded into the process; it sidesteps hooking rather than blocking or disabling the product, and the EDR service itself is left intact.
- EDRKillShifter is the most aggressive: it loads a signed but vulnerable driver (BYOVD) and uses kernel-mode access to terminate protected security processes outright, allowing the ransomware operation to proceed unhindered.
This comparison underscores a key trend: while many tools focus on evasion, tools like EDRKillShifter actively neutralise defences. It also tells defenders where to look, because each approach abuses something the system trusts (a validly signed driver, ordinary firewall filters, normal process start-up), so signature checks alone will not catch them. Driver loads from user-writable paths, new filters scoped to security-product executables, and security services that stop or go silent unexpectedly are the observable side effects.
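To make the detection side of the EDRKillShifter discussion concrete, here is an added example of a correlation rule for the BYOVD "EDR killer" pattern, written for this page and not taken from Sophos, RansomHub tooling or any vendor product. It runs over constructed Sysmon-style events. The driver hash blocklist (a stand-in for Microsoft's vulnerable-driver blocklist or the LOLDrivers list), the event records, the driver name and the set of protected process names are all hypothetical.

```python
from datetime import datetime, timedelta

# Constructed stand-in for a vulnerable-driver list; real entries come from
# Microsoft's blocklist or the LOLDrivers project. "aa"*32 is not a real hash.
VULNERABLE_DRIVER_SHA256 = {"aa" * 32}

# A driver belonging to an installed product is not loaded from places like these.
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\users\\public\\", "\\appdata\\")

# Security processes whose termination is suspicious. MsMpEng.exe is the
# Defender service; edragent.exe is a hypothetical third-party sensor.
PROTECTED_PROCESSES = {"msmpeng.exe", "edragent.exe"}

CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed Sysmon-style events (11 = FileCreate, 6 = DriverLoad, 5 = ProcessTerminate),
# trimmed to the fields the rule reads. The dropped driver IS validly signed: that is
# the point of BYOVD, so the rule deliberately never treats "signed" as "safe".
EVENTS = [
    {"ts": "2024-10-02T09:14:03", "eid": 11, "image": "C:\\Windows\\Temp\\upd.exe",
     "target": "C:\\Windows\\Temp\\hwmon.sys"},
    {"ts": "2024-10-02T09:14:05", "eid": 6, "image_loaded": "C:\\Windows\\Temp\\hwmon.sys",
     "sha256": "aa" * 32, "signed": True, "signature": "Example Hardware Vendor Ltd"},
    {"ts": "2024-10-02T09:14:09", "eid": 5,
     "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"ts": "2024-10-02T10:30:00", "eid": 6, "image_loaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "sha256": "bb" * 32, "signed": True, "signature": "Microsoft Windows"},
    {"ts": "2024-10-02T10:31:00", "eid": 5, "image": "C:\\Windows\\System32\\notepad.exe"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def suspicious_driver_loads(events: list) -> list:
    """Driver-load events whose hash is blocklisted or whose path is user-writable.
    Returns (event, reasons) pairs; signature status is intentionally ignored."""
    hits = []
    for e in events:
        if e["eid"] != 6:
            continue
        reasons = []
        if e["sha256"].lower() in VULNERABLE_DRIVER_SHA256:
            reasons.append("hash on vulnerable-driver blocklist")
        path = e["image_loaded"].lower()
        if any(h in path for h in USER_WRITABLE_HINTS):
            reasons.append("loaded from user-writable path")
        if reasons:
            hits.append((e, reasons))
    return hits


def correlate_edr_kill(events: list, window: timedelta = CORRELATION_WINDOW) -> list:
    """BYOVD EDR-kill: a suspicious driver load followed within `window` by the
    termination of a protected security process. Each pair yields one alert."""
    alerts = []
    for drv, reasons in suspicious_driver_loads(events):
        t0 = parse_ts(drv["ts"])
        for e in events:
            if e["eid"] != 5:
                continue
            name = e["image"].rsplit("\\", 1)[-1].lower()
            t1 = parse_ts(e["ts"])
            if name in PROTECTED_PROCESSES and t0 <= t1 <= t0 + window:
                alerts.append({
                    "severity": "high",
                    "driver": drv["image_loaded"],
                    "reasons": reasons,
                    "killed": name,
                    "seconds_after_load": (t1 - t0).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate_edr_kill(EVENTS):
        print(a)
```

The rule fires on the hwmon.sys load followed four seconds later by the Defender service exiting, and stays quiet for the Microsoft-signed disk.sys load and the unrelated Notepad exit. A driver-load-only hit (without the kill) is still worth a medium-severity alert in practice, because the hash list is always behind and the path check catches drivers the list does not know yet.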
Future Trends in Ransomware: Where the Threat is Headed
The future trajectory of ransomware groups is being shaped by several emerging trends and developments within the cybersecurity space. These trends point to increasingly sophisticated attacks and expanding targets, making it essential for organisations to stay ahead of the curve:
- Increasing Use of Advanced Evasion Techniques: Tools like EDRKillShifter, EDRPrison, and EDR-Preloader exemplify the growing emphasis on disabling security defences. As attackers refine these evasion techniques, they will become more adept at bypassing newer security measures, posing an even greater challenge to traditional defences.
- Expansion of Ransomware-as-a-Service (RaaS): The RaaS model continues to grow, making sophisticated ransomware tools available to a wider range of criminals. According to findings from the Insikt Group, the number of new ransomware and data extortion websites is increasing, pointing to the ongoing expansion of RaaS operations and a broader range of tactics employed by affiliates.
- Targeting Critical Infrastructure and Healthcare Sectors: Attacks on sectors like healthcare and critical infrastructure are expected to increase. These industries are particularly vulnerable due to their reliance on outdated systems and the critical nature of their operations. Recent attacks on UMC Health System and Kawasaki Motors Europe exemplify how ransomware groups exploit these vulnerabilities for maximum impact.
- Geographic and Sector-Specific Targeting: Some countries and industries are targeted far more heavily than others. Ransomware groups have increasingly focused on nations such as Brazil, India, Italy, and Spain, which have seen spikes in ransomware victims. As groups adapt to regional conditions (exposed software estates, language-specific lures, local payment and insurance practices), geographically focused campaigns are likely to increase.
- Exploitation of Vulnerabilities and Zero-Day Attacks: Ransomware groups will continue to exploit known, unpatched vulnerabilities, but the two most consequential examples of 2023, CVE-2023-0669 in Fortra GoAnywhere MFT and CVE-2023-34362 in Progress MOVEit Transfer, were both exploited by the Clop operation as zero-days, before a patch existed. As organisations improve patch management, such zero-day use against internet-facing file-transfer and edge products is likely to become more prominent. Proactive vulnerability management remains essential, but it must be paired with reducing what is reachable from the internet and monitoring those products for post-exploitation activity, since patching alone cannot prevent a zero-day.
- Increased Collaboration Among Ransomware Groups: Ransomware groups may collaborate more frequently, sharing tools, infrastructure, and tactics. The RansomHub operation (tracked by Trend Micro as Water Bakunawa), which absorbed affiliates displaced by the ALPHV and LockBit disruptions, and underground communities such as the RAMP forum, where operators advertise and recruit, indicate a growing trend of resource-sharing that could lead to more coordinated and complex attacks.
- Enhanced Data Exfiltration Tactics: Double extortion—where attackers threaten to leak sensitive data in addition to encrypting it—has become the norm. As ransomware groups enhance their data exfiltration techniques, organisations must strengthen data protection and incident response strategies to mitigate the impact of such attacks.
The Shadowy Nexus: Intelligence Agencies and Organised Crime
A particularly alarming trend in ransomware is the increasing overlap between organised cybercrime and state-sponsored intelligence agencies. This week the UK's National Crime Agency (NCA), in a coordinated action with sanctions announced by the UK, US and Australia, exposed sixteen individuals behind Evil Corp, a group once described as the most significant cybercrime threat in the world, and detailed its links to the Russian state and to other prolific ransomware operations, including LockBit, for which a senior Evil Corp member worked as an affiliate. Not only has Evil Corp been linked to Russian intelligence services, allegedly carrying out cyberattacks on NATO members at the direction of Russian officials, but similar connections are emerging in China.
Organised Crime and Intelligence Links in China
There are growing indications that China is fostering a complex relationship between organised cybercrime and state-sponsored actors. Recent reports suggest that cyber threat actors in China, including hacker-for-hire groups, operate under the influence of government entities such as the Central Cyberspace Affairs Commission. These actors are suspected of engaging in cyber espionage while also conducting financially motivated cybercrime operations, creating a blurred line between state objectives and criminal enterprises.
Hacker-for-hire models are becoming increasingly common, and they sit naturally alongside the Ransomware-as-a-Service (RaaS) ecosystem. These groups not only conduct attacks for their own financial gain but may also provide services to nation-states. Evidence shows collaboration among Chinese threat actors, with shared infrastructure and resources facilitating a hacker-for-hire economy. This trend is exemplified by ChamelGang, a China-linked group reported to have deployed the CatB ransomware against government and healthcare targets, where the ransomware appears to have served as much to disrupt and cover espionage as to extort, pointing to both motives at once.
The Rise of State-Linked Ransomware Operations
Just as in Russia, ransomware operations in China appear to serve dual purposes: enriching organised crime groups while advancing the goals of the state. The rise of RaaS models has made it easier for these groups to operate in both spheres, as they provide hacking services that can be repurposed for state interests. For example, cybercriminal groups aligned with state actors often target critical infrastructure, a tactic that supports both financial extortion and state-sponsored espionage.
The collaboration among hacker groups, and the increasing sophistication of their attacks, particularly on critical sectors, demonstrates the growing threat. Attacks by groups like RansomHub on healthcare and energy show the scale of impact that criminal operations alone can have on critical sectors; whether a given operation also serves a state objective is usually unclear from the outside, and that ambiguity is precisely what makes attribution, and the choice of response, harder.
The cybercrime landscape in China, much like Russia, is becoming increasingly characterised by the overlap of state-sponsored and organised crime activities. As hacker-for-hire services evolve, these groups continue to serve state interests while engaging in extortion and cyber espionage. This complex web of relationships underscores the need for heightened scrutiny and more robust cybersecurity measures globally to counteract these multifaceted threats.
The Importance of Threat Intelligence Sharing in Combating Ransomware
While advanced tools are critical, no organisation can combat ransomware in isolation. Collaboration, particularly through the sharing of threat intelligence, has emerged as a key component of modern cybersecurity strategies. Sharing indicators of compromise (IOCs) such as file hashes of malicious samples, IP addresses and detection signatures, ideally in a structured, machine-readable format such as STIX exchanged over TAXII so that they can be loaded straight into detection tooling, allows organisations to strengthen their collective defences and respond to threats more rapidly.
Breaking Down Silos: The Need for Collaborative Defense
The ransomware threat landscape is too fragmented for any one entity to handle alone. By pooling knowledge and sharing threat intelligence across industries and with government agencies, organisations can enhance their situational awareness, improve response times, and reduce their overall risk.
- Enhanced Threat Detection and Response: Sharing IOCs enables proactive identification and blocking of known threats, allowing organisations to respond quickly to emerging ransomware campaigns.
- Improved Situational Awareness: By sharing broader intelligence on attacker profiles and TTPs, organisations can better anticipate attacks and prioritise resources effectively.
- Faster Vulnerability Remediation: Collaborating on exploited vulnerabilities accelerates patching and reduces the time ransomware groups have to exploit known flaws.
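As an added example for the IOC-sharing points above (not code from the original post or from any sharing community), the following packages the two IOC types the post mentions, a sample hash and an IP address, as STIX 2.1 Indicator objects, the interchange format used by TAXII-based sharing groups, and then consumes such a bundle on the receiving side by matching it against local telemetry. The hash, IP, object IDs, timestamps and telemetry records are constructed; the pattern parser handles only the single-comparison patterns built here, not the full STIX patterning grammar, for which the `stix2` library would be used.

```python
import json
import re
import uuid

# Constructed IOCs: not a real sample hash, and 203.0.113.0/24 is a documentation range.
SAMPLE_SHA256 = "c" * 64
SAMPLE_IP = "203.0.113.45"
CREATED = "2024-10-04T09:00:00.000Z"


def make_indicator(pattern: str, name: str, valid_from: str = CREATED) -> dict:
    """Minimal STIX 2.1 Indicator SDO carrying the required properties."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": valid_from,
        "modified": valid_from,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }


def build_bundle(sha256: str, ip: str) -> dict:
    """Producer side: package a sample hash and an IP as two indicators in one bundle."""
    return {
        "type": "bundle",
        "id": f"bundle--{uuid.uuid4()}",
        "objects": [
            make_indicator(f"[file:hashes.'SHA-256' = '{sha256}']",
                           "Ransomware loader sample (constructed)"),
            make_indicator(f"[ipv4-addr:value = '{ip}']",
                           "Exfiltration host (constructed)"),
        ],
    }


# Only single-comparison patterns are parsed here; AND/OR and observation
# windows need a real STIX pattern parser.
_SIMPLE = re.compile(r"^\[(?P<path>[\w:.\-']+)\s*=\s*'(?P<value>[^']*)'\]$")


def parse_simple_pattern(pattern: str) -> tuple:
    m = _SIMPLE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    return m.group("path").replace("'", ""), m.group("value")


# Maps STIX object paths to field names in the (constructed) local telemetry.
FIELD_MAP = {"file:hashes.SHA-256": "sha256", "ipv4-addr:value": "dst_ip"}

TELEMETRY = [  # constructed endpoint and network records
    {"host": "ws-017", "event": "process_create", "sha256": "c" * 64, "dst_ip": None},
    {"host": "ws-017", "event": "net_connect", "sha256": None, "dst_ip": "203.0.113.45"},
    {"host": "ws-042", "event": "net_connect", "sha256": None, "dst_ip": "198.51.100.7"},
]


def match_bundle(bundle: dict, telemetry: list) -> list:
    """Consumer side: apply every stix-pattern indicator in a bundle to local telemetry."""
    matches = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        try:
            path, value = parse_simple_pattern(obj["pattern"])
        except ValueError:
            continue  # skip patterns this mini-matcher cannot evaluate
        field = FIELD_MAP.get(path)
        if field is None:
            continue
        for rec in telemetry:
            if rec.get(field) and rec[field].lower() == value.lower():
                matches.append({"host": rec["host"], "indicator": obj["name"], field: value})
    return matches


def share_and_match(sha256: str = SAMPLE_SHA256, ip: str = SAMPLE_IP,
                    telemetry: list = TELEMETRY) -> list:
    """Serialise as the producer would, deserialise as the consumer would, then match."""
    wire = json.dumps(build_bundle(sha256, ip), indent=2)
    return match_bundle(json.loads(wire), telemetry)


if __name__ == "__main__":
    for hit in share_and_match():
        print(hit)
```

Both indicators hit host ws-017 and nothing else, which is the whole value of the exchange: the receiving organisation finds the same loader and the same exfiltration host on its own estate minutes after the sharing partner publishes them, without anyone retyping hashes. In a real deployment the `valid_from` and a `valid_until` on each indicator matter as much as the pattern, because stale IOCs (a re-assigned IP, a hash of a benign installer) are the usual source of false positives in shared feeds.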
Conclusion: Navigating the Future of Ransomware
The ransomware landscape is continuously evolving, becoming more sophisticated, targeted, and intertwined with geopolitical dynamics. As attackers refine their evasion techniques, expand their reach through RaaS, and form alliances to share resources, organisations must respond by adopting multi-layered defence strategies, engaging in threat intelligence sharing, and proactively managing vulnerabilities.
Solutions like those offered by Agger, which combine advanced detection, behavioural analysis, and rapid recovery functionalities, are critical to combating these advanced ransomware threats. As ransomware continues to evolve, so too must the defences used to stop it, with a focus on collaboration, innovation, and vigilance in the face of this persistent and growing threat.