Speaking during Black Hat Europe 2020, Mitchell Clarke and Tom Hall, principal incident response consultants at Mandiant, explored the evolving global ransomware threat landscape.
Clarke and Hall explained that ransom demands are becoming larger, attackers smarter and intrusions longer, with cyber-criminals professionalizing and streamlining their ransomware strategies through partnership platforms – commonly termed Ransomware-as-a-Service offerings.
“These are operators that will target a number of organizations and sell access to ransomware threat actors,” explained Hall.
Ransomware crews have been detected exploiting high-profile critical vulnerabilities to gain footholds in as many victim networks as possible, only to come back weeks or even months later and turn those footholds into full-scale ransomware deployments, the speakers said.
Such affiliate ransomware platforms are attractive to cyber-criminals because they offer key benefits including malware generation, communication and negotiation with victims and, in some cases, payment processing and decryption utility delivery, Mitchell explained.
One prime example of a prevalent ransomware affiliate group that has established itself in 2020 is REvil, Mitchell added.
“REvil are interesting because they run a Ransomware-as-a-Service platform – a platform with many different affiliates or other attackers that join in to use the same malware and the same platform.”
Looking forward, given the ongoing scaling-up of ransomware operators through business-like service platforms, Mitchell predicted that ransomware will continue to pose a major threat to organizations in 2021, citing increases in ransom demands and pay-outs, numbers of victims, damage to organizations and extortion of stolen data.
“Potentially, we will get to a point where the only way to recover [from ransomware] is to pay the ransom or to have a good backup mechanism in place, which may be quite rare at the moment. With so many victims and so much compromise going on, unfortunately, the only trend [for ransomware] is upwards,” Mitchell concluded.