How ransomware has got more sophisticated, and why you need to worry
Human-operated ransomware is a new, tailor-made attempt to lock up your files.
Ransomware continues to be a blight on vulnerable IT users worldwide, with a near-doubling of the volume of attacks between 2020 and 2021. Cybersecurity company NCC Group recorded a 93% rise in the number of attacks launched against individuals, showing that the scale of the problem continues to give cause for concern.
It can be easy to forget that ransomware is a relatively new phenomenon still on the rise, and the potential of the exploit hasn’t yet reached its limit. At present, most ransomware attacks are far from targeted: instead, they’re spray and pray attacks, where hackers launch a strain of ransomware into the wild that they hope will infect as many computers as possible and wait to see what their potential rewards are. It’s a haphazard approach that still likely nets those involved a bumper payday but isn’t as efficient as it can be.
With ransomware a proven business model for cybercriminals, they’re starting to move on to a new vector of ransomware attacks: they shun the idea of sending out strains and praying to hit the jackpot, and instead tailor each attack to specific would-be victims in the hopes of maximizing the potential returns. And it’s this which is causing concern for those tracking cybercrime.
A worrying new trend
The concerning new trend was picked up by Microsoft, which warned of the risks of the ransomware-as-a-service gig economy, which it calls human-operated ransomware. The attacks are “one of the most impactful threats to organisations,” Microsoft writes.
The company used the term “human-operated ransomware” to make clear that this is far from the old spray and pray attacks of days gone by. Now humans are tracking and tailoring how an attack unfolds at every stage based on what they find in a target’s network.
“Unlike the broad targeting and opportunistic approach of earlier ransomware infections, attackers behind these human-operated campaigns vary their attack patterns depending on their discoveries – for example, a security product that isn’t configured to prevent tampering or a service that’s running as a highly privileged account like a domain admin,” Microsoft writes.
That’s a worry because it shows malicious intent and the fact that would-be victims are now engaged in a cat-and-mouse game, where attackers are taking an active interest in the IT system architecture of their business in order to try and earn the most money possible.
Repeat victims at risk
It also causes a headache for organizations trying to get back on an even keel once they’ve fallen victim and either decided to pay the ransom to unlock their files or to move on and start afresh.
“Human decision-making early in the reconnaissance and intrusion stages means that even if a target’s security solutions detect specific techniques of an attack, the attackers may not get fully evicted from the network and can use other collected knowledge to attempt to continue the attack in ways that bypass security controls,” warns Microsoft.
There’s the real risk of being doubly extorted: falling foul of a ransomware strain, paying to have your files unlocked, then realizing that in the time that the hacker spent inside your system and monitoring it, they’ve understood another vulnerability that they return to – or worse, one they note down and try to sell on as part of the ransomware-as-a-service economy to another hacker.
“Giving in to the attackers’ demands doesn’t guarantee that attackers ever ‘pack their bags’ and leave a network,” writes Microsoft. “Attackers are more determined to stay on a network once they gain access and sometimes repeatedly monetize attacks using different malware or ransomware payloads if they aren’t successfully evicted.”
It may all seem hypothetical, but it isn’t. Over the course of six months, Microsoft analyzed 2,500 potential target organisations. They found 60 of them were hit with a ransomware attack, of which 20 were successfully breached.
It means that it’s more important than ever to not just look at your initial line of defense against hackers but also to ensure your systems are designed and architected in such a way that they’re guaranteed to be secure. After all, now your attacker isn’t simply hitting and running: they’re going in, taking a look, and seeing what else they can exploit.