Evolving Ransomware Strategies to be Wary of

The ransomware crisis is spiraling, with threat actors meticulously evolving and improving their TTPs. The rise in attacks and the countermeasures taken by law enforcement authorities in recent times have pushed ransomware operators to evolve their strategies.

What’s going on?

  • Ransomware operators are leveraging other criminal organizations, such as trojan distributors, for malware development.
  • These distributors are called access facilitators and deliver backdoors to victims via malicious attachments or links sent by email.
  • Proofpoint has tracked at least 10 threat actors who use access facilitators or ransomware affiliates.

Why does it matter?

Ransomware itself is now rarely propagated directly via email because of improved detection capabilities, such as better threat hunting. The shift to downloaders as the first-stage payload offers ransomware operators more flexibility and choice.

Some ransomware stats

While talking about ransomware strategies, it would be blasphemy not to look at the latest ransomware statistics dominating the threat landscape.

  • In the past two months, Africa witnessed an increase of 38% in ransomware attacks, followed by Europe at 27%.
  • Since the beginning of the year, ransomware attacks surged by 41%. Latin America observed the most significant rise in ransomware attempts at 62%, followed by Europe at 59%.
  • The highest spikes have been observed in education (347%), transportation (186%), retail and wholesale (162%), and healthcare (159%). All these values are based on weekly attacks.

Other strategies to look out for

  • Another strategy adopted by ransomware attackers is double encryption, in which they use various ransomware variants to encrypt the same data.
  • Over time, attackers have come up with new ransomware strains and custom malware. A new Fivehands strain was deployed by a threat actor that used publicly available tools to advance the attack. Experts surmise that the actor is UNC2447.

The bottom line

Email-based ransomware delivery has definitely become a thing of the past since the beginning of this year. Threat actors are relying on widespread reconnaissance, lateral movement, and privilege escalation techniques before manually deploying the ransomware. Cybercrime has gained traction because of shorter dwell times, collaboration among threat actors, and high payouts. While law enforcement authorities across the globe have announced new efforts to curb this, cybersecurity needs to be taken seriously by every organization, irrespective of its size.