Ransomware is and has always been a major threat to organizations. But the ways in which ransomware is being deployed and used have evolved significantly in the last year or two, making it even more dangerous. The severity of today’s ransomware attacks was recently documented in written testimony from Jacqueline Koven, Chainalysis’s Head of Cyber Threat Intelligence, for the House Financial Services Committee. In her testimony, Koven shared Chainalysis data showing how ransomware attacks are becoming more pervasive and more expensive. Her testimony stated that the number of ransomware victims in 2023 went up 70% from the year prior and that bad actors extracted more than $1 billion from U.S. organizations in 2023 — the highest amount ever recorded. Furthermore, more than 70% of all ransom payments from 2021 to 2023 were over $1 million.
These alarming statistics are due to a number of factors, including the rise of ransomware as a service (RaaS), the increasing prevalence of multi-extortion attacks, and the ability for bad actors to penetrate more deeply into organizations. Companies need to be prepared for these new, evolved ransomware attacks and the industry that’s forming around them. Traditional decryption tools and backup data storage are no longer enough to protect a company against an intrusion. These complex attacks require more advanced solutions.
Here is what ransomware looks like today and how you can defend against these attacks.
Historically, a ransomware attack would involve a bad actor breaking into a company’s system, encrypting data, and holding it for ransom. To protect themselves, many companies started backing up data in multiple places, so they could access important files if one version was lost.
Today, however, bad actors are enacting double and multiple extortion attacks, in which they encrypt a company’s data and threaten to leak it to the public, sell it, or launch DDoS attacks that would further disrupt a company’s operations if the ransom isn’t paid quickly. Unfortunately, these types of attacks have proven to be effective for a number of reasons.
If a compromise is made publicly known, a company risks serious financial repercussions in the form of fines and reputational damage. Recent research from Vercara found that 75% of consumers said they would be ready to sever ties with a brand after a cybersecurity issue, and organizations also risk regulatory action if they suffer a cyberattack. OneMain Financial Group was recently fined $4.25 million by the New York State Department of Financial Services when it was found to be violating the department’s regulations requiring cybersecurity controls to be in place.
To avoid these substantial costs, many companies — 90% of companies according to Cohesity — are paying ransoms. Ransomware groups know this and have relied on double and multi-extortion attacks more and more to drive up the ransoms companies are willing to pay. Regrettably, they are nearly guaranteed to be effective.
In order to extract enough data to pull off a lucrative multi-extortion attack, bad actors need to embed themselves more deeply into an organization. Thus, many hackers are exploiting known and zero-day vulnerabilities, specifically those in public-facing applications, to gain network access and move laterally through the organization undetected. This allows them to conduct thorough reconnaissance, exploit additional vulnerabilities, manipulate security policies, and escalate privileges as they go.
When access to an organization is obtained, ransomware gangs can either sell that access to other threat actors or further their own ransomware attack. In some cases, independent initial access brokers (more on them below), who are responsible for compromising an organization, conduct the initial reconnaissance and sell that access on the black market to any willing purchaser, who can then actually deploy the ransomware.
Not only does the exploitation of known vulnerabilities allow bad actors to move stealthily through an organization’s network, but because such vulnerabilities are publicly documented, more ransomware groups know how to gain access to a system. And they can use automated tools to scan for known and zero-day vulnerabilities to more easily and quickly find susceptible victims.
Some of these automation tools are powered by AI, which bad actors have started to rely on to expand the number of companies they can target, which also increases their odds of success. As AI becomes more sophisticated, it will only escalate the pervasiveness and success of ransomware attacks.
One major shift in the last year is the significant increase in ransomware-as-a-service (RaaS) organizations. Cybersecurity firm Recorded Future reported 538 new ransomware variants in 2023, which means more ransomware gangs are opening shop. Research from Searchlight Cyber, a dark web intelligence company, showed a 56% increase in the number of active ransomware groups in H1 2024 compared to H1 2023. Much of this growth is due to the formation of RaaS organizations, which decentralize and democratize ransomware.
Much like SaaS companies, RaaS criminal organizations offer ransomware packages or subscriptions that anyone can deploy for a fee or a cut of the ransom. These companies are run by operators who create the ransomware and lease or sell it to affiliates who then deploy it. While some operators are one-man shops or small groups of hackers, other RaaS organizations are becoming increasingly sophisticated with dozens of employees, including ransomware developers and customer service departments.
In some cases, RaaS organizations utilize initial access brokers. These individuals are highly skilled at identifying and exploiting a vulnerability within an organization, allowing the affiliates to quickly and easily go in and drop the ransomware. Initial access brokers can work as part of a RaaS organization or independently, accessing a company’s network and selling that information to other bad actors on the black market.
This professionalization of the ransomware industry has significantly increased the number of attacks. Cybercriminals no longer need technical expertise to effectively deploy a ransomware attack. With the assistance of RaaS organizations, anyone can deploy a ransomware attack. The ransomware is already developed; the vulnerability has already been found and exploited. All the individual bad actor needs to do is deploy the software.
The rise in RaaS organizations and initial access brokers also changes the way threat actors identify targets. Historically, organizations in highly regulated and essential industries like finance, healthcare, and energy were targeted because they might be the most likely to pay a hefty ransom. But this new way of operating starts with a specific vulnerability. Once that vulnerability has been chosen, bad actors search for companies using the software with the known vulnerability, then deploy ransomware to any and all companies fitting that profile.
This means that no one is safe. Vulnerabilities will be found much sooner, and bad actors are more likely to attack knowing they will be successful with minimal effort.
Because ransomware groups, tactics, and technology have evolved significantly in the last year, companies need to adjust their defenses to protect themselves. Traditional ransomware defenses are no longer effective because ransomware groups are no longer simply holding data captive. They are threatening to release the information to the public, so backup databases and decryption tools won’t put a damper on those threats.
To protect themselves against modern ransomware attacks, businesses need to invest in cyber resiliency and build out more robust defense systems. Businesses need advanced detection and response tools to ensure bad actors are detected, stopped, and removed as soon as they enter their environment. Perhaps most importantly, vulnerability management needs to be a key part of any cybersecurity strategy.
Given that many ransomware attacks start with exploiting a known or zero-day vulnerability, companies must patch software as soon as updates become available. This will reduce the chances of getting on a threat actor’s radar. A detailed incident response plan is also crucial for minimizing damage and avoiding repeat attacks, which are common.
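As an added example (not code from the original post), one way to make the vulnerability-management point above actionable: match an asset inventory against vendor advisories, give public-facing assets the shorter patch SLA since that is where these intrusions begin, and flag what is overdue. All product names, versions and dates are constructed placeholders, not real advisories.

```python
# Added example, not code from the original post: a small exposure triage that
# matches an asset inventory against vendor advisories and flags assets past a
# patch SLA, public-facing ones first. All values below are constructed.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    public_facing: bool

@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version carrying the fix
    fix_released: date   # day the vendor shipped it

def _ver(v):
    """'2.4.10' -> (2, 4, 10) so versions compare numerically (dotted integers assumed)."""
    return tuple(int(p) for p in v.split("."))

def exposure_report(assets, advisories, today, public_sla_days=7, internal_sla_days=30):
    """(name, product, public_facing, days_since_fix, overdue) per asset still below
    an advisory's fixed version; public-facing assets get the shorter SLA."""
    findings = []
    for a in assets:
        for adv in advisories:
            if a.product == adv.product and _ver(a.version) < _ver(adv.fixed_version):
                age = (today - adv.fix_released).days
                sla = public_sla_days if a.public_facing else internal_sla_days
                findings.append((a.name, a.product, a.public_facing, age, age > sla))
    findings.sort(key=lambda f: (not f[2], -f[3]))  # public first, oldest fix first
    return findings

# Constructed sample inventory and advisories (placeholder product names).
SAMPLE_ASSETS = [
    Asset("web-01", "exampleweb", "2.4.1", True),
    Asset("web-02", "exampleweb", "2.5.0", True),   # already on the fixed version
    Asset("vpn-gw", "examplevpn", "1.0.3", False),
    Asset("db-01", "exampledb", "9.1.0", False),    # no advisory applies
]
SAMPLE_ADVISORIES = [Advisory("exampleweb", "2.5.0", date(2024, 6, 1)),
                     Advisory("examplevpn", "1.1.0", date(2024, 6, 20))]

def demo(today=date(2024, 7, 1)):
    return exposure_report(SAMPLE_ASSETS, SAMPLE_ADVISORIES, today)
```

Feeding it a real inventory and an advisory feed turns "patch as soon as updates become available" into a daily list of what is overdue and where an intruder would start.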
SolCyber is the first-of-its-kind outsourced security program partner. With our 24/7 detection and response services and Foundational Coverage, businesses of all sizes can become cyber resilient in weeks. Not confident in your defense against modern ransomware attacks? Contact the experts at SolCyber today and also take a few moments to watch our recorded webinar “Four decades of ransomware: Learning from the past.”