What’s next for ransomware?
31 Aug
Dan Norman, from the ISF considers what the future of ransomware holds for companies around the globe.
Companies globally are acknowledging ransomware as a key threat, and cross-border law enforcement is challenging threat actors more proactively. However, attackers will slowly but surely adapt to these challenges; for example, the LockBit ransomware gang recently launched a malicious bug bounty programme, taking a community-led approach to finding flaws in its own tooling and improving its attack vectors for nefarious ends.
So what about the next three to five years? Where next for ransomware? As ransomware becomes more widespread and better understood, attackers will have to adapt their techniques, leading to triple-pronged attacks that combine exfiltration of data, encryption of files and direct threats to coerce targets into paying, with greater levels of extortion throughout. The future of ransomware will be bleak: far more surreptitious, discerning and dangerous.
The current landscape
Ransomware, in its current form, is considered a double attack technique: attackers 1) encrypt the data and 2) extort the target at the same time. Ransomware has been incredibly successful throughout recent history, especially in the 2010s and 2020s.
In 2011 a wave of screen-locking ransomware hit organisations across Europe and the US; in 2013 CryptoLocker became one of the first modern-day industrialised ransomware campaigns; in 2017 WannaCry became the first nation-state-sponsored ransomware campaign; and now groups such as Maze, REvil and Conti perform double extortion, slowly exfiltrating data from the network and then encrypting files. This makes the response a real challenge for organisations: pay the ransom and hope the attacker returns the stolen files or decrypts them, or face the damage.
Trend analysis suggests that attackers will shift their business models to expand into triple extortion techniques: exfiltrate the data, encrypt the files, then threaten the targets into submission.
Attackers will take a more gradual and persistent approach: entering corporate networks, stealing data slowly while staying under the radar, and encrypting selectively. Attack methods are expected to shift away from easier-to-detect, widely dispersed techniques towards a more crafted, bespoke model.
Targets will typically be selected based on factors such as strength of defence, level of insurance cover and likely appetite for paying, as well as their profile and prominence. The extortionists will likely focus on intimidating the subjects of stolen data, privately and publicly, as well as the victim organisation, with the intention of applying direct and indirect pressure on both groups to pay.
They will likely threaten, and not hesitate, to auction intellectual property to the highest bidder. They will also continue to leak small fragments of sensitive information into the public domain to create further tension and angst in the wider community, making the response incredibly challenging.
The challenge for security practitioners
Many security practitioners believe that their ability to effectively respond will become more complex and challenging over the next few years, especially when regulators force organisations to immediately disclose attacks.
Moreover, where nation states impose sanctions that prohibit paying ransoms to certain actors, organisations whose devices or data have been encrypted cannot respond with any conviction. Over the last few years organisations have focused on taking out cyber or ransomware insurance to protect against this threat, but insurance providers are increasingly limiting payment coverage, making it even harder to mitigate the risk.
Organisations are slowly but surely investing in protective, detective and responsive controls to mitigate the risk of ransomware, but as the threat adapts, organisations will have to become more resilient and proactive. Organisations should:
- Ensure that ransomware has been raised with the board, then assess your level of cyber hygiene against the threat.
- Review existing organisational cyber incident and crisis response protocols, and complete simulation exercises to test efficacy.
- Identify data sources most likely to be hit by targeted extortion attacks (e.g. mission critical data assets, intellectual property).
- Prepare, implement and actively maintain an organisational playbook for responding to extortion attacks.
- Revisit security architecture to ensure appropriate network segmentation to protect mission-critical data assets, for example by adopting a zero-trust strategy.