The gravitational force of ransomware’s black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system – with significant implications for IT security, cybersecurity company Sophos claims in the Sophos 2022 Threat Report.
As one of the most potentially damaging and costly types of malware attacks, ransomware remains the kind of threat that keeps most administrators up at night. As we move into 2022, ransomware shows no sign of slowing down, though its business model has gone through some changes that seem likely to persist and even grow over the coming year, Sophos claims.
Over the past 18 months, the Sophos Rapid Response Team has been called in to investigate and remediate hundreds of cases involving ransomware attacks. Over this period, there have been significant changes to the ransomware landscape: the targets have shifted to ever-larger organizations, and the business model that dictates the mechanics of how attacks transpire has shifted.
The most significant change Sophos observed is the shift from “vertically oriented” threat actors, who build their own bespoke ransomware and then use it to attack organizations, to a model where one group builds the ransomware tools and then leases those tools out to specialists in virtual breaking-and-entering, a skillset distinct from that of ransomware creators.
Ransomware-as-a-service (RaaS) offerings are not new. In previous years, their main contribution was to bring ransomware within reach of lower-skilled or less well-funded attackers.
“This has changed, and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies, and negotiators. They’re now offloading to others the tasks of finding victims, installing and executing the malware, and laundering the pilfered cryptocurrencies. This is distorting the cyber threat landscape as common threats, such as loaders, droppers, and Initial Access Brokers that were around and causing disruption well before the ascendancy of ransomware, are being sucked into the seemingly all-consuming ‘black hole’ that is ransomware,” said Chester Wisniewski, principal research scientist at Sophos, in a press release.
Researchers at Sophos looked at the most common ways attackers try to pressure victims into paying ransoms. Unsurprisingly, the most common threat involves publishing or auctioning stolen data on a hacker forum. Sophos expects that threats of extortion over the release of data will continue to be part of the overall threat posed by ransomware well into the future.
Sophos researchers also predict that cryptocurrency will continue to fuel cybercrimes such as ransomware and malicious crypto mining. They expect the trend to continue until global cryptocurrencies are better regulated.
In 2021, Sophos researchers uncovered crypto-mining operations, such as Lemon Duck and the less common MrbMiner, that took advantage of newly reported vulnerabilities, and of targets already breached by ransomware operators, to install crypto miners on computers and servers.
The September 2021 sanctions announced by the U.S. against Russia-based cryptocurrency exchange SUEX OTC alleged that 40% of the known transactions on the exchange were used to transfer money to known cybercriminal groups, including at least eight groups operating ransomware campaigns. One ransomware group sanctioned in 2019, known as Evil Corp, appears to be attempting to evade these sanctions by rebranding its ransomware under several distinct names.
“As a method of evading sanctions, cryptocurrencies are well suited to the task, which may be why criminals based in regions of the world that remain under traditional economic sanctions exclusively deal in cryptocurrency. Beyond that, because cryptocurrency is anonymous, it can be difficult to determine where the money ends up. And as cryptocurrency has gained favor in sanctioned countries, it’s not surprising that we’ve observed illicit cryptocurrency miners spreading in the wild that send their output to organizations based in those places where people cannot use the traditional banking system,” the Sophos report reads.