September 26, 2022
Ransomware as a Service & 4 Trends To Be Aware of in 2022
A Deteriorating Ransomware Threat Landscape
Ransomware continues to dominate the cyber threat landscape in 2022, following an unprecedented number of attacks in 2021. High-profile names such as Nvidia, the Costa Rican Government, and Toyota have fallen victim to devastating ransomware attacks this year, with the Colonial Pipeline, JBS, and Kaseya attacks of 2021 still fresh in the memory. Data from Statista shows 236.1 million ransomware attacks in the first half of 2022, in what is on course to become one of the most destructive years in recent history.
Here are four ransomware trends that have and will continue to contribute to a deteriorating ransomware threat landscape in 2022 and beyond.
#1 Ransomware-as-a-Service Dominates Attacks
What is Ransomware-as-a-Service?
Ransomware-as-a-Service (RaaS) is a business model where a less advanced threat actor pays to use ready-made ransomware to execute ransomware attacks.
How does RaaS Work?
In the RaaS model, ransomware developers, known as operators, market and sell their services much as any legitimate software business would, except that the marketplace is the dark web. RaaS operators may run their own sites describing their services, complete with videos, whitepapers, and reviews, and they actively recruit customers, known as affiliates, on hacking forums and social media. Well-established RaaS operators are in turn sought out by would-be affiliates on the strength of their reputation.
RaaS operators offer their ransomware kits under a variety of subscription models. An affiliate might pay a flat monthly fee for continuous use of the ransomware, or hand over an agreed percentage of each ransom payment to the operator. Beyond supplying the malware, operators may take part in other stages of the operation, such as researching targets and assisting with victim negotiations.
The Consequences of RaaS
RaaS has matured into a fully-fledged industry in 2022, with a host of prominent ransomware families such as Conti, LockBit, BlackCat, and REvil operating under the model. RaaS has significantly lowered the barrier to profiting from ransomware. Where this form of cybercrime was once limited to highly skilled threat actors, non-experts now have the means to launch destructive ransomware attacks. RaaS operators, for their part, widen the reach of their ransomware and generate a lucrative income stream, which in turn funds the development of more advanced offerings. This win-win business model has inevitably led to a sharp increase in ransomware attacks.
#2 Double and Triple Extortion Paying Dividends
What is Double Extortion?
Double extortion is a tactic where a ransomware attacker steals the victim’s data in addition to encrypting it. By threatening the victim with releasing their data, the attacker puts greater pressure on the victim to pay the ransom.
The Consequences of Double Extortion
Double extortion was developed to counter the improving backup and disaster recovery mechanisms organizations have put in place. Able to restore their systems with minimal data loss after a ransomware attack, organizations no longer had to bow to ransom demands to get their business back up and running. In response, ransomware gangs added the capability to exfiltrate the victim's data before encrypting it. Even if the victim can restore from backups, the attacker can still pressure them into paying by threatening to expose or sell their sensitive data. Data from The State of Ransomware 2022 report supports this observation: 26% of organizations that were able to restore encrypted data from backups in 2021 still paid the ransom.
What is Triple Extortion?
Triple extortion adds yet another layer of pressure on the victim to maximize the success of an attack, and this third layer can take various forms. Data stolen from the victim may include sensitive information belonging to third parties such as customers and partners. Attackers may threaten those third parties with exposure or sale of their data, either to push them into pressuring the victim to pay or to demand a ransom from the third parties directly. Attackers may also launch distributed denial of service (DDoS) attacks against the victim to paralyze their systems until payment is made.
#3 The Emergence of Intermittent Encryption
What is Intermittent Encryption?
As the phrase implies, intermittent encryption is the partial encryption of files. Instead of encrypting an entire file, the ransomware is configured to encrypt only part of it: for example, encrypting a fixed number of bytes and then skipping the next fixed number, or encrypting only a set percentage of each file. The pattern is chosen so that the file is still unusable even though a large share of its bytes is left untouched, because corrupting a slice of every block breaks file-format headers, compression streams, and database pages alike.
The Consequences of Intermittent Encryption
The first ransomware observed using intermittent encryption was LockFile, which Sophos analyzed in August 2021. LockFile encrypted every other 16-byte block of a file and left the blocks in between in the clear. Because half of each file's bytes were untouched, the encrypted file looked statistically very similar to the unencrypted original, so the chi-squared and entropy tests that some anti-ransomware solutions rely on scored it much closer to plaintext than a fully encrypted file, helping LockFile evade detection. Encrypting only part of each file is also considerably faster, which lets the ransomware maximize the scope of infection before security solutions and security operators detect and respond to the attack.
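The following Python example, added here and not code from LockFile, Sophos, or ForeNova, reproduces the "encrypt 16 bytes, skip 16 bytes" pattern on a constructed sample document and measures why a whole-file entropy or chi-squared check misses the result. A SHA-256 counter stream stands in for the ransomware's real cipher (an assumption; any stream cipher gives the same statistical picture), and the sample text, key, and threshold are illustrative values chosen for the demo.

```python
"""Intermittent encryption and why whole-file entropy checks miss it.

Added example, not LockFile's or any vendor's code. The 'encrypt 16 bytes,
skip 16 bytes' pattern follows the Sophos description of LockFile cited in
the text. A SHA-256 counter stream stands in for the real cipher (assumption).
"""
import hashlib
import math
from collections import Counter

# Constructed sample: a few KB of repetitive English text standing in for a
# document (assumption; real files differ in detail, not in the effect shown).
SAMPLE_PLAINTEXT = (
    b"Quarterly revenue figures are attached for review by the finance team. "
    b"Please do not forward outside the company without approval.\n"
) * 32
KEY = b"demo-key-not-secret"  # illustrative only


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for the real cipher, not production crypto."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_intermittent(data: bytes, key: bytes, enc_len: int = 16, skip_len: int = 16) -> bytes:
    """Encrypt enc_len bytes, leave the next skip_len bytes in clear, repeat.

    XOR with a keystream is its own inverse, so calling this twice with the
    same key and pattern restores the original (this is what a decryptor does).
    """
    ks = keystream(key, len(data))
    out = bytearray(data)
    pos = 0
    while pos < len(data):
        end = min(pos + enc_len, len(data))
        for i in range(pos, end):
            out[i] = data[i] ^ ks[i]
        pos = end + skip_len
    return bytes(out)


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Conventional ransomware behaviour: every byte encrypted."""
    return encrypt_intermittent(data, key, enc_len=len(data), skip_len=0)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is perfectly uniform, English text is roughly 4 to 5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-squared distance from a uniform byte distribution (about 255 for random data)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Naive whole-file entropy check of the kind intermittent encryption is built to evade."""
    return shannon_entropy(data) > threshold


def changed_fraction(original: bytes, modified: bytes) -> float:
    """Share of bytes that differ: how much of the file the victim has actually lost."""
    return sum(a != b for a, b in zip(original, modified)) / len(original)


if __name__ == "__main__":
    partial = encrypt_intermittent(SAMPLE_PLAINTEXT, KEY)
    full = encrypt_full(SAMPLE_PLAINTEXT, KEY)
    for label, blob in (("plaintext", SAMPLE_PLAINTEXT), ("intermittent", partial), ("full", full)):
        print(f"{label:13s} entropy={shannon_entropy(blob):.2f} chi2={chi_square(blob):8.0f} "
              f"flagged={looks_encrypted(blob)} changed={changed_fraction(SAMPLE_PLAINTEXT, blob):.2f}")
```

Run as a script, the table shows the point of the technique: the intermittently encrypted file has lost about half its bytes, which is more than enough to make it unusable, yet its entropy and chi-squared score sit well below the fully encrypted file and under the naive detector's threshold. The practical lesson for detection engineering is that a single whole-file statistic is not a reliable ransomware signal; a detector needs file-level behaviour (mass writes, rename patterns, unexpected processes touching many files) alongside, or instead of, content statistics.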
These advantages have led various ransomware operators to advertise their intermittent encryption capabilities when recruiting affiliates. Granted, intermittent encryption is still a relatively new technique, and design flaws in early implementations have allowed victims to recover their data without paying for a decryption key. Given its benefits, however, ransomware gangs are bound to refine the technique, and it is safe to assume that this will translate into a higher number of successful ransomware attacks.
#4 Cross-Platform Ransomware on the Rise
What is Cross-Platform Ransomware?
Cross-platform ransomware is ransomware that is able to infect and encrypt files across multiple systems, such as Windows, macOS, Linux, Android, and proprietary systems.
The Emergence of Cross-Platform Ransomware
For most of their history, ransomware and other types of malware have been written for a specific platform, and the majority target Windows because of its prevalence. However, as businesses embrace digitalization, ransomware threat actors find themselves up against complex IT environments running a mix of operating systems. Instead of writing separate ransomware for each system or leaving some systems untouched, ransomware groups have started to develop cross-platform capabilities to maximize the scope of encryption and reap the greatest possible reward.
The Consequences of Cross-Platform Ransomware
Cross-platform ransomware promises to exacerbate an already perilous ransomware threat landscape. Several reports of ransomware with cross-platform capabilities have surfaced in 2022, indicating a rising trend. In May, Kaspersky reported that the notorious Conti group gives certain affiliates access to a Linux version of its ransomware that targets ESXi, VMware's enterprise-grade hypervisor. In July 2022, Kaspersky reported on Luna, a new ransomware written in the cross-platform language Rust, and on a Linux variant of Black Basta, both of which run on Linux and ESXi systems in addition to Windows. The ability to target ESXi is of particular concern. ESXi is an industry-leading hypervisor and widely used by organizations, and the virtual machines' disk files sit together on the host's datastores. By compromising a single ESXi host, an attacker can stop the running virtual machines and encrypt the disk files of hundreds or thousands of them at once, causing widespread damage.
Ransomware Protection with ForeNova
The above developments in ransomware tactics and techniques heighten the risk of a ransomware attack. It is imperative for organizations large and small, private and public, to upgrade their ransomware protection to safeguard their data and prevent significant losses and disruption.
ForeNova is here to help.
ForeNova is a specialist vendor of Network Detection and Response (NDR) technology. Our signature NDR solution, NovaCommand, provides security administrators with complete visibility of threats residing in the network. Using anomaly-based detection powered by artificial intelligence and machine learning, NovaCommand is equipped to detect and provide context into inconspicuous deviations in network behavior, allowing security operators to investigate and respond to signs of malicious activity before attackers can execute their ransomware.
ForeNova NovaCommand is the only complete, holistic security solution to prevent and mitigate ransomware attacks in real-time.
- Block every step in the ransomware kill chain
- Direct integration between firewall and endpoint agents without using TI or management console as a go-between
- Block command & control communications and lateral propagation based on direct endpoint input
- Verify endpoint infection based on command & control communications
Organizations that wish to be protected against ransomware but are not in a position to invest in the technology and personnel can leverage our Managed Network Detection and Response service. Managed NDR is an affordable subscription-based service in which we provide the technology and expertise to protect your business. With round-the-clock threat detection and response from our 24/7 security operations center, customers gain the peace of mind of professional ransomware protection and can dedicate their resources to growing the business.