The ransomware ecosystem has changed beyond recognition in 2024, and organizations must adapt their defenses accordingly, warned experts at Infosecurity Europe 2024.
Martin Zugec, Technical Solutions Director at Bitdefender, told attendees to “forget what you know” about ransomware, and learn how new groups are changing the rules of the game.
He explained that this change has been driven by the recent collapse of two leading ransomware-as-a-service (RaaS) operators: LockBit, whose infrastructure was taken down by law enforcement in February 2024, and BlackCat, who appeared to conduct an ‘exit scam’ after securing a ransom payment from US healthcare payment provider Change Healthcare in March.
This has led to the emergence of a new RaaS model, with affiliates moving between different RaaS operators.
Christiaan Beek, Senior Director of Threat Analytics at Rapid7, told Infosecurity that the ransomware landscape now feels like the “Wild West.”
For example, while groups like LockBit told affiliates not to target healthcare organizations, the new groups do not appear to have any such restrictions.
Rapid7 observed 78 active groups in May 2024, and affiliates are constantly jumping around the operators they work with, assessing factors like their speed, reliability and their strain’s ability to avoid endpoint security tooling.
“Reputation is key in the underground – it’s like a normal business marketplace,” commented Beek.
Changing Ransomware Attack Techniques
The first half of 2024 has seen some notable shifts in how ransomware operators and affiliates target organizations:
Targeting of Vulnerabilities
Zugec noted that ransomware attackers are increasingly exploiting vulnerabilities in edge network devices and software supply chains ahead of targeting specific organizations, enabling them to infiltrate multiple victims in one go. A key example of this was the MOVEit file transfer attack in 2023, which impacted thousands of organizations worldwide.
He noted that that vulnerability exploitation has overtaken phishing and social engineering attacks as the cause of ransomware incidents for the first time in 2024.
In many cases, there’s a large gap between initial compromise and ransomware being deployed. This is because affiliates compromise so many organizations, and then work out which ones to prioritize according to factors like the size of the organization, the ease of accessing victims’ data and whether they provide a gateway to a more lucrative target.
Data Exfiltration is the Primary Goal
Data exfiltration is now the main way of extorting victims, with encryption often seen as a “nice to have” add-on, while many attackers don’t bother locking down data at all, according to Zugec.
This trend has been borne out of improved backup solutions, which help victims recover quickly in the event their data has been encrypted.
Post-Compromise is a Manual Hacking Operation
Zugec noted that post-initial compromise activities rely on manual operations to move laterally and access sensitive data. This is a trend also observed by Beek, who said attackers frequently employ living-off-the-land techniques while inside the victims’ networks.
“Nowadays what we see is they enter with a vulnerability, and they elevate their privileges. Then the first thing they do is to find out where the most data in this company is held. After exfiltration has occurred, then they will deploy the ransomware,” he explained.
How to Defend Against Modern Ransomware Attacks
Despite the growing threat of ransomware, experts at Infosecurity Europe noted that the changing tactics do provide an opportunity for defenders. Beek said the trend of attackers focusing on data exfiltration provides more opportunities to detect the activity before the ransomware is deployed.
“If you have appropriate controls in place, you should see spikes in your traffic where there’s abnormal activity in your network,” he noted.
Bugec believes there is currently too much focus on the end part of a ransomware incident, and organizations should look to deploy defenses that prevent lateral movement and manual hacking operations when attackers have entered the network.
This is an approach also advocated by Erhan Temurkan, Director of Security and Technology at Fleet Mortgages, who said it is vital organizations establish defensive controls around their key data to prevent exfiltration.
“Know your data, know where your data is. What we’re trying to avoid is that ‘smash and grab’,” he outlined.
Additionally, with vulnerability exploitation now one of the main ways attackers gain initial access, patching processes have become ever more important.
Beek said that attackers now commonly exploit critical vulnerabilities within 24 hours of a patch being released, making data-led prioritization a necessity.
He advised security teams engage with threat researchers, who can provide rapid insights into critical vulnerabilities being exploited in real time.
“If there is a vulnerability being exploited in the wild for ransomware attacks, forget the others and focus on this one today,” urged Beek.