Ransomware in 2024: Fileless, Double Extortion, AI and More
Ransomware in 2024 will be much like ransomware in 2023 except for a few new twists that organizations should be aware of.
Along with "traditional" ransomware attacks, the threat actors are continually upgrading their game with new approaches, technology and techniques.
To help organizations get a handle on the primary security threat of our times, experts Dave Kawula and John O'Neill Sr. recently presented an online summit titled "2024 Ransomware Outlook," which is now available for on-demand replay.
Relatively new ransomware techniques such as double extortion, Ransomware-as-a-Service (RaaS), fileless ransomware, Living-off-the-Land (LotL) attacks and more were discussed by Kawula, managing principal consultant at TriCon Elite Consulting, and O'Neill Sr., chief technologist at AWS Solutions. Both are on the front lines of the cybersecurity wars, continually helping organizations protect themselves or recover from attacks.
Here's a summary of their thoughts on a couple of ransomware concerns in 2024.
Double extortion is a more complex and aggressive form of cyberattack compared to traditional ransomware. In a double extortion attack, cybercriminals not only encrypt the victim's data, rendering it inaccessible, but also steal sensitive information before encrypting it.
Key aspects of this technique include:
- Data Encryption and Theft: The first step involves infiltrating a victim's network and encrypting crucial data. Simultaneously, the attackers exfiltrate, or steal, sensitive data from the victim.
- Dual Threat: Victims face two threats -- the encryption of their data and the potential leak of their stolen information. This double threat significantly increases the pressure on the victim to pay the ransom.
- Ransom Demands: The attackers demand a ransom payment to decrypt the encrypted data. Additionally, they threaten to release the stolen information publicly if their demands are not met.
- Increased Leverage: By holding both the encrypted data and the stolen information, attackers have more leverage to coerce victims into paying the ransom.
- Targeting Sensitive Information: Often, the data stolen in such attacks includes confidential or proprietary business information, sensitive personal data, or other critical documents.
- Growing Popularity Among Cybercriminals: This technique has become increasingly popular among ransomware groups as it can increase the likelihood of a payout.
Here, Kawula explained that this method can be seen as a response to improved backup technologies, which have given organizations the ability to recover from traditional ransomware. Recognizing this, attackers have evolved their tactics. They now upload stolen files to the dark web and threaten to release them unless a ransom is paid. This puts additional pressure on victims, who might have backups but now also face the risk of having their data and intellectual property exposed. Thus it's important to monitor outbound network traffic to detect and prevent such attacks.
O'Neill Sr. responded by recalling an extortion of the Finnish government, specifically on social services.
"And they did exactly what you said and uploaded," O'Neill Sr. said. "And then, of course, they screwed up and they ended up releasing all those patients' records."
"And this is where kind of my message that you've heard me say before, where cyberattacks and ransomware don't just affect livelihoods, they affect lives, because subsequent to the release of that private therapy information and everything else, there have been quite a few lives negatively affected. I'll just put it that way."
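Kawula's point that outbound traffic must be monitored to catch the exfiltration half of a double extortion attack is the kind of thing that is easy to state and harder to operationalize. The following Python script is an added example, not the presenters' tooling or anything from the summit: it embeds a handful of constructed NetFlow-style records, aggregates outbound bytes per internal host per day, and flags a host whose daily egress jumps far above its own prior median while also listing destinations that host had never talked to before. The IP addresses, thresholds and record format are all assumptions chosen for illustration.

```python
"""Flag hosts whose outbound byte volume jumps far above their own baseline.

Constructed example, not the presenters' tooling: flow records are embedded
inline, aggregated per internal host and day, and each day's egress is
compared with the median of that host's earlier days.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median

# Constructed flow records: "date,src_ip,dst_ip,dst_port,bytes_out".
# 203.0.113.x are the hosts' usual external destinations; on 2024-03-04 host
# 10.0.1.31 pushes ~61 GB over SSH to 198.51.100.77, an address never seen before.
SAMPLE_FLOWS = """\
2024-03-01,10.0.1.20,203.0.113.10,443,18200000
2024-03-01,10.0.1.20,203.0.113.25,443,9500000
2024-03-01,10.0.1.31,203.0.113.10,443,2100000
2024-03-02,10.0.1.20,203.0.113.10,443,20100000
2024-03-02,10.0.1.20,203.0.113.25,443,8700000
2024-03-02,10.0.1.31,203.0.113.10,443,1900000
2024-03-03,10.0.1.20,203.0.113.10,443,19400000
2024-03-03,10.0.1.20,203.0.113.25,443,9100000
2024-03-03,10.0.1.31,203.0.113.10,443,2300000
2024-03-04,10.0.1.20,203.0.113.10,443,17800000
2024-03-04,10.0.1.20,203.0.113.25,443,9900000
2024-03-04,10.0.1.31,198.51.100.77,22,61000000000
2024-03-04,10.0.1.31,203.0.113.10,443,2000000
"""


@dataclass(frozen=True)
class Flow:
    day: date
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    host: str
    day: date
    bytes_out: int
    baseline: float
    new_destinations: tuple[str, ...]


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed CSV-like flow format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, port, nbytes = line.split(",")
        flows.append(Flow(date.fromisoformat(day), src, dst, int(port), int(nbytes)))
    return flows


def daily_egress(flows: list[Flow]):
    """Return per-host daily byte totals and per-host daily destination sets."""
    volume: dict[str, dict[date, int]] = defaultdict(lambda: defaultdict(int))
    dests: dict[str, dict[date, set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        volume[f.src][f.day] += f.bytes_out
        dests[f.src][f.day].add(f.dst)
    return volume, dests


def detect_exfil(flows: list[Flow], ratio: float = 5.0,
                 floor: int = 1_000_000_000) -> list[Alert]:
    """Alert when a host's daily egress exceeds `ratio` times its prior median
    AND an absolute `floor` (so a quiet host going from 1 KB to 10 KB stays silent).
    The first observed day of each host has no baseline and is never alerted."""
    volume, dests = daily_egress(flows)
    alerts = []
    for host, per_day in volume.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = days[:i]
            if not prior:
                continue  # nothing to compare against yet
            baseline = median(per_day[d] for d in prior)
            today = per_day[day]
            known = set().union(*(dests[host][d] for d in prior))
            new_dst = tuple(sorted(dests[host][day] - known))
            if today >= floor and today > ratio * baseline:
                alerts.append(Alert(host, day, today, baseline, new_dst))
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{a.day} {a.host}: {a.bytes_out:,} bytes out "
              f"(baseline {a.baseline:,.0f}); new destinations: {a.new_destinations}")
```

A per-host baseline matters more than a global one: a backup server legitimately moves far more than a workstation, and a fixed site-wide threshold would either drown in its traffic or miss a workstation shipping a few gigabytes of documents. The "never seen before" destination list is the second signal worth surfacing to an analyst, since exfiltration to an attacker-controlled drop site almost always means a brand-new peer for that host.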
The Ransomware-as-a-Service (RaaS) model has significantly lowered the barrier to entry for conducting ransomware attacks, leading to an increase in the number and frequency of these attacks globally. RaaS has become a major concern for cybersecurity due to its role in facilitating widespread and damaging cyberattacks.
Key characteristics include:
- Subscription-based Model: Just like SaaS, RaaS operates on a subscription or rental basis, allowing affiliates to access and use ransomware tools for a fee.
- Ease of Use: This model enables even those with limited technical expertise to conduct ransomware attacks by providing user-friendly tools and interfaces.
- Shared Profits: The operators and affiliates typically share the profits from the ransomware attacks. The operators get a cut for providing the software, while the affiliates earn through successful ransomware deployments.
- Widespread Impact: RaaS has contributed to the proliferation of ransomware attacks by making these tools more accessible to a broader range of cybercriminals.
- No Need for Advanced Skills: Affiliates do not need to have the technical skills to develop ransomware themselves, as they can simply use the pre-developed tools offered by RaaS providers.
In the presentation, Kawula explained this approach is also related to insider threats "because the thing is, we're in a state and an economy where if an individual with a high level of credentials is struggling to make their mortgage payments, there's individuals that will pay for those admin level credentials."
He also likened RaaS to an affiliate program, recalling that he noticed a big uptick in ransomware where the files used in the attack disclosed an affiliate ID program.
"And it was basically a type of pyramid that was built around this ransomware as a service," Kawula said. "So you can go sell it and go sell it to the next person to sell to next person. And the more of it that's delivered, the more of it that's out there for you. And so who's getting paid at the back end, obviously the most is the person that starts this."
"But at the end of the day, this creates an interesting dynamic where you're actually getting paid to drop these payloads in individual networks. And these are a little more scary, because this one here can typically be an entry point coming in via physical access, right. So this one's a little scary, right, John?"
O'Neill Sr. responded: "Absolutely. And the thing I'm going to mention here is the boom of the access broker. So you know, as part of the ransomware as a service, we have the threat actors helping threat actors. One gains access, and then puts that up on the dark web as an auction and sells those access credentials items to other threat actors that then want to take on the full-blown attack or whatever. And there could be an option for one set of access credentials, or there could be an option of selling things in bulk. And there's thousands of these ads going on right now. So this really is the era of the access broker in terms of pushing ransomware as a service forward."
You can learn the duo's valuable insights about other attacks -- fileless ransomware, LotL attacks, AI-enhanced ransomware -- along with details about various attackers, including CLOP, ALPHV and Star Blizzard, and info on supply chain attacks, zero-day exploits and more in the on-demand replay.
Attending such summit presentations live brings extra benefits, however, such as interaction with presenters via a Q&A, not to mention one attendee of each summit will win a raffle for a valuable prize.
David Ramel is an editor and writer for Converge360.