Ransomware is set to evolve into a greater threat in 2021 as service offerings and collaborations increase.
Speaking on a webinar this week, Carbon Black’s Tom Kellermann, Greg Foss and Rick McElroy said the year turned out “different than predicted” and the shift to working from home also impacted the e-crime landscape. “This created an industrialization of e-crime groups and their abilities to extend from single groups into business pipelines,” Foss said. This has led to a supply chain of one party getting access, to another selling access and another “selling access to a ransomware-as-a-service group.”
Foss explained the traditional end goal of ransomware operators is to offer up the service as that has led to the concept of “double extortion techniques” where systems were once encrypted across the network and a payment was requested, but now, as users are able to better recover from backups, attackers are changing their tactics to exfiltrate sensitive information from a company and post it online as a means of blackmail.
As well as becoming more efficient and professional, Foss also said the groups are smaller than realized and are focusing on the ransomware-as-a-service option. Also, access is gained to networks and “is more wide reaching and pivotable nowadays than we saw in years past.”
Kellerman said: “The Maginot line of cybersecurity transformation failed as the first adopters were the e-crime groups and cybercrime cartels, and we just have to pay attention now as perimeter defenses have failed and continue to fail, and visibility and hardening has become an extreme challenge. Most attacks you see today are attacks from the inside out – digital insiders using trusted ecosystems to leverage ransomware attacks and espionage and crime campaigns.”
Looking at ransomware in particular, the trio said they do not see this stopping or slowing down “and we continue to predict that this is going to extend significantly,” Foss said. He claimed ransomware groups have brought more people into their groups and are making sure they are getting trusted people, with nation state adversaries taking part as well.
“We see this reaching out to additional operating systems; traditionally this has only impacted Windows primarily, but with MacOS having such a market reach in the professional ecosystem of most organizations, we predict it will be targeted as well,” Foss said. “Linux is one we have started to see more campaigns begin to target, and a lot are looking at defacing webpages in addition to taking over core components of ecosystems that these companies operate.”
Foss also explained that there is greater collaboration between ransomware groups, and in 2021, he predicts that we will see more ransomware and the variants “will be re-factored and turned into purely destructive attacks.”
He said there have been attacks on large databases where everything is wiped and replaced with fake data, and he predicted that the destructive attacks will be used more in the future.
McElroy said this is a case of the attacker thinking about what else they can do with ransomware, as they are using it to conduct Denial of Service attacks too. “I expect to see a large increase in that as the adversaries collect more data on what is actually critical to the inside of these organizations,” he said.
Asked by Infosecurity about how attackers are using ransomware for more than the initial encrypt and extortion, McElroy said the idea is that extortion is big business, but now access is being sold on the dark web “and that becomes really dangerous as you have a bunch of guys on the dark web who execute attacks for cryptocurrency.” However, he also said there is a “trickle down effect” where there are innovators at the top of the model who do innovative things.
“Innovation is occurring at the top end, but as soon as this stuff hits the wild, the cyber-groups learn from that and scale it out as well,” McElroy said.