In recent years, ransomware attacks have grown in number and become the most notorious cyber threat. According to a recent survey of 1,200 cybersecurity professionals, more than half of respondents (57 percent) experienced a data leak or breach in the past 12 months, many as a result of a ransomware attack, an increase of 6 percent over the previous year's answer to the same question.
This increase underscores the changing tactics of cybercriminals who employ models such as Ransomware-as-a-Service (RaaS) and “double extortion” techniques to steal data and hold organizations hostage in exchange for payment.
The original RaaS approach was borrowed from the software-as-a-service (SaaS) model: customers, in this case cybercriminals, paid for access to ransomware or other malware kits and used them to launch their own attacks. That version of RaaS is no longer the one that matters.
Since around 2016, the RaaS model has been based on a profit-sharing scheme inspired by the gig economy. It is no longer about letting people with fewer technical skills take part in cybercrime, but about replacing generalists with cybercrime specialists. Think of Uber, Airbnb and others: the model involves independent contractors, variable income, online platforms, task-based payment and flexibility. The same attributes apply to the RaaS model.
Director of Technical Solutions at Bitdefender.
RaaS Affiliates: The Real Threat to Businesses
In the new RaaS model we see two distinct roles: operators and affiliates. Operators are the developers who specialize in creating and maintaining the ransomware code and infrastructure, which are then packaged into RaaS kits and sold (or rented) to other cybercriminals, known as RaaS affiliates. Affiliates, who may lack the expertise to develop their own malware, use these kits to launch attacks against organizations, which makes it much easier to capitalize on the main benefits of ransomware: a quick payout and a fast return on investment.
Think of affiliates as independent contractors with expertise in other areas of cybercrime, such as social engineering, breaching systems and evading detection with a variety of hacking tools and techniques. Their goal is to compromise the organization and, once inside, gather information, move laterally, exfiltrate data and eventually deploy the ransomware. At the end of a successful operation, operators and affiliates split the proceeds. Affiliates don't spend time or resources developing their own ransomware; instead they focus on the most lucrative part of the scheme, launching attacks and collecting ransoms. This division of labour lets them target a broader range of victims and potentially make more profit.
Ransomware trends to watch in 2024 and beyond
We have identified several trends that highlight the most significant changes in ransomware tactics and emphasize the urgent need for advanced cybersecurity measures.
Data exfiltration coupled with encryption has become a key tactic for ransomware groups to double-extort their victims. In addition to encrypting data and demanding payment for its release, cybercriminals steal sensitive information and use it for blackmail. This pressures organizations to pay to avoid public disclosure of sensitive data, which can include customer information, intellectual property and financial records. Increasingly, groups skip the encryption step altogether: extortion based only on stolen data attracts far less law enforcement attention than shutting down a company's operations.
The manual hacking phase is the core of today's ransomware operations and deserves more attention than the actual data encryption, which is merely the final payload. The hacking stage can last for days, weeks or even months, while the encryption itself takes only a few hours. Most of the attacker's effort, and therefore most of the defender's opportunity to detect and stop the operation, lies in that hacking phase rather than in the encryption.
A worrying trend is attackers exploiting vulnerabilities in internet-facing devices and applications. They are shifting focus from targeting specific companies to known weaknesses in popular platforms, allowing them to act much faster and gain access to hundreds or even thousands of victims quickly. For example, the Log4j flaw (2021) took about a month to become weaponized after its discovery. Today, attackers are exploiting new vulnerabilities in popular platforms within 24 hours.
Supply chain expansion is another key trend that will continue over the course of 2024 and beyond. Compromised contractors, suppliers, or other companies within a network can serve as entry points for attackers, leading to the initial compromise of larger organizations. This expansion of attack vectors highlights the interconnectedness of modern business operations and the need for comprehensive supply chain security.
Cybercriminals constantly develop new tactics, and the hybrid work model continues to blur the line between consumer and business security, exposing organizations to ever-increasing risk. Even so, there are steps businesses can take to reduce the threat of ransomware.
The primary goal is to strengthen defenses against manual hacking operations. That starts with robust security operations, run either internally or through managed detection and response (MDR) services. These operations combine continuous monitoring by security teams with tools such as endpoint detection and response (EDR) or extended detection and response (XDR), complemented by ongoing security improvements. Training employees to recognize and report suspicious activity, together with MDR services that provide cybersecurity expertise, 24-hour monitoring, advanced detection, response capabilities and proactive threat hunting, significantly strengthens the security posture and makes it much harder for attackers to succeed through manual hacking.
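The point made above about the manual hacking phase, that it lasts days or weeks and is where the defender's opportunity lies, is easiest to see in detection logic. The following is an added example, not code from the article or from Bitdefender: a small correlator that classifies process-execution events into the stages described earlier (discovery, lateral movement, exfiltration, preparation for encryption) and raises an alert only when one host shows two or more distinct stages inside a multi-day window. The log format, the host and user names, the indicator patterns and the window size are all assumptions made for the example, and the sample events are constructed, not real telemetry.

```python
"""Stage correlator for hands-on-keyboard ransomware precursors (added example).

The event format, the indicator regexes and the sample events are assumptions
made for this illustration; tune them to your own EDR/XDR telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR-style process events (not real data). Assumed format:
# "<ISO timestamp> host=<name> user=<name> proc=<image> cmd='<command line>'"
SAMPLE_EVENTS = [
    "2024-03-04T09:12:01Z host=ws17 user=jdoe proc=powershell.exe cmd='Get-ADUser -Filter * -Properties memberof'",
    "2024-03-04T09:14:30Z host=ws17 user=jdoe proc=cmd.exe cmd='net group \"Domain Admins\" /domain'",
    "2024-03-05T22:40:12Z host=ws17 user=jdoe proc=PsExec.exe cmd='PsExec.exe \\\\fs01 -s cmd.exe'",
    "2024-03-06T01:05:44Z host=fs01 user=svc_backup proc=rclone.exe cmd='rclone copy D:\\Shares remote:drop --transfers 32'",
    "2024-03-06T03:30:09Z host=fs01 user=svc_backup proc=vssadmin.exe cmd='vssadmin delete shadows /all /quiet'",
    # A single directory lookup by an admin: one stage only, should not alert.
    "2024-03-06T08:00:00Z host=ws22 user=asmith proc=powershell.exe cmd='Get-ADUser asmith'",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) cmd='(?P<cmd>.*)'$"
)

# Illustrative indicators per stage (assumed; real rules would be far broader).
STAGE_PATTERNS = {
    "discovery": [r"Get-ADUser", r"\bnet\s+group\b", r"\bnltest\b", r"\badfind\b"],
    "lateral_movement": [r"\bpsexec\b", r"\bwmic\b.*process\s+call\s+create",
                         r"Enter-PSSession", r"Invoke-Command"],
    "exfiltration": [r"\brclone\b", r"\bmegasync\b", r"mega\.nz"],
    "encryption_prep": [r"\bvssadmin\b.*delete\s+shadows", r"\bwbadmin\b.*delete\s+catalog",
                        r"\bbcdedit\b.*recoveryenabled\s+no"],
}
STAGE_ORDER = list(STAGE_PATTERNS)
COMPILED = {s: [re.compile(p, re.IGNORECASE) for p in pats] for s, pats in STAGE_PATTERNS.items()}


def parse_event(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(event):
    """Return the precursor stage an event belongs to, or None if it looks ordinary."""
    text = f"{event['proc']} {event['cmd']}"
    for stage, regexes in COMPILED.items():
        if any(r.search(text) for r in regexes):
            return stage
    return None


def correlate(lines, window=timedelta(days=7), min_stages=2):
    """Per-host sliding window: alert the first time a host shows min_stages
    distinct stages within `window`. The window is days long on purpose: the
    hacking phase is slow, so individual hits hours or days apart still belong
    to the same operation."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage, ev["user"]))

    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        for i, (ts, _, _) in enumerate(hits):
            in_window = [h for h in hits[: i + 1] if ts - h[0] <= window]
            stages = sorted({h[1] for h in in_window}, key=STAGE_ORDER.index)
            if len(stages) >= min_stages:
                alerts.append({
                    "host": host,
                    "users": sorted({h[2] for h in in_window}),
                    "stages": stages,
                    "first_seen": in_window[0][0],
                    "triggered_at": ts,
                    # Shadow-copy or recovery tampering means encryption is imminent.
                    "severity": "critical" if "encryption_prep" in stages else "high",
                })
                break  # one alert per host is enough to open an investigation
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the correlator alerts on fs01 (exfiltration followed by shadow-copy deletion, severity critical) and on ws17 (discovery followed by PsExec lateral movement, severity high), and stays silent on ws22, where a lone directory lookup is not enough to act on. The design choice worth noting is that the threshold is on distinct stages per host, not on individual indicators: each indicator on its own is noisy, but an ordered chain of them on one machine inside a week is the manual hacking phase the text describes, caught before the encryption payload lands.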
From a technology perspective, businesses should also focus on a multi-layered security approach that covers endpoints as well as networks, key applications such as email, and cloud environments – in other words, the entire infrastructure. It’s important to remember that no single solution will prevent a successful ransomware attack, but the more barriers and opportunities there are to detect and eliminate a threat, especially in the early stages, the better.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc. If you're interested in contributing, find out more on the Expert Insights channel.