{"id":16843,"date":"2023-02-02T13:32:57","date_gmt":"2023-02-02T12:32:57","guid":{"rendered":"https:\/\/www.show.it\/cyber-insights-2023-ransomware\/"},"modified":"2023-02-02T13:32:57","modified_gmt":"2023-02-02T12:32:57","slug":"cyber-insights-2023-ransomware","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/cyber-insights-2023-ransomware\/","title":{"rendered":"Cyber Insights 2023: Ransomware"},"content":{"rendered":"<\/p>\n
\n
\n
\n

About SecurityWeek Cyber Insights |<\/strong> At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.<\/em><\/p>\n<\/div>\n<\/div>\n

\"Cyber<\/figure>\n<\/div>\n

SecurityWeek Cyber Insights 2023 | Ransomware \u2013<\/strong> The key purpose behind cybercriminality is to gain money. Extortion has always been a successful and preferred method to achieve this. Ransomware is merely a means of extortion. Its success is illustrated by the continuous growth of ransomware attacks over many years.<\/p>\n

The evolution of ransomware has not been static. Its nature has changed as the criminals have refined the approach to improve the extortion, and the volume (generally upward) has ebbed and flowed in reaction to market conditions. The important point, however, is that criminals are not married to encryption, they are married to extortion.<\/p>\n

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions: the geopolitical influence of the Russia\/Ukraine war, the improving professionalism of the criminal gangs, and more forceful attempts<\/a> by governments and law enforcement agencies to counter the threat.<\/p>\n

The cyberwar effect<\/strong><\/h2>\n

The Russia\/Ukraine war has removed our blinkers. The world has been at covert cyberwar for many years \u2013 generally along the accepted geopolitical divide \u2013 but it is now more intense and more overt. While the major powers, so far at least, have refrained from open attacks against adversaries\u2019 critical infrastructures, criminal gangs are less concerned.<\/p>\n

\u201cThe rate of growth in ransomware attacks is currently slowing slightly<\/a> [late 2022] \u2013 but this will prove to be a false dawn,\u201d suggests Mark Warren, product specialist at Osirium. \u201cCurrently, the most successful teams of cybercriminals are focused on attacking Ukraine\u2019s critical infrastructure. The second that conflict is over, all the technology, tools and resources will be redeployed back into ransomware attacks \u2013 so organizations and nation states alike must not become complacent.\u201d<\/p>\n

One of the most likely effects of the European conflict will be an increasingly destructive effect from ransomware. This has already begun and will increase through 2023. \u201cWe are seeing an increase in more destructive ransomware attacks at scale and across virtually all sector types, which we expect to continue into 2023,\u201d comments Aamir Lakhani, cybersecurity researcher and practitioner for FortiGuard Labs.<\/p>\n

\u201cRansomware will continue to make headlines, as attacks become more destructive, and threat actors develop new tactics, techniques, and procedures to try and stay one step ahead of vendors,\u201d agrees John McClurg, SVP and CISO at BlackBerry.<\/p>\n

\u201cWe expect ransomware to continue its assault on businesses in 2023,\u201d says Darren Williams, CEO and founder at BlackFog. \u201cSpecifically, we will see a huge shift to data deletion in order to leverage the value of extortion.\u201d\u00a0<\/p>\n

There are two reasons for this move towards data deletion. Firstly, it is a knock-on effect of the kinetic and associated cyber destruction in Ukraine. But secondly it is the nature of ransomware. Remember that ransomware is merely a means of extortion. The criminals are finding that data extortion is more effective than system extortion via encryption. Andrew Hollister, CISO LogRhythm, explains in more detail:<\/p>\n

\u201cIn 2023, we\u2019ll see ransomware attacks focusing on corrupting data rather than encrypting it. Data corruption is faster than full encryption and the code is immensely easier to write since you don\u2019t need to deal with complex public-private key handling as well as delivering complex decryption code to reverse the damage once the victim pays up,\u201d he said.\u00a0<\/p>\n

\u201cSince almost all ransomware operators already engage in double extortion, meaning they exfiltrate the data before encrypting it, the option of corrupting the data rather than going to the effort of encryption has many attractions. If the data is corrupted and the organization has no backup, it puts the ransomware operators in a stronger position because then the organization must either pay up or lose the data.\u201d<\/p>\n

\n
\"Ransomware<\/a>
Ransomware Resilience & Recovery Summit<\/a>\u00a0| March 8, 2023<\/strong><\/figcaption><\/figure>\n<\/div>\n

It should also be noted that the more destruction the criminal gangs deliver after exfiltrating the data, the more completely they will cover their tracks. This becomes more important in an era of increasing law enforcement focus on disrupting the criminal gangs.<\/p>\n

But there is an additional danger that might escape from the current geopolitical situation. Vitaly Kamluk, head of the Asia-Pacific research and analysis team at Kaspersky explains: \u201cStatistically, some of the largest and most impactful cyber epidemics occur every six to seven years. The last such incident was the infamous WannaCry<\/a> ransomware-worm, leveraging the extremely potent EternalBlue<\/a> vulnerability to automatically spread to vulnerable machines.\u201d\u00a0<\/p>\n

Kaspersky researchers believe the likelihood of the next WannaCry happening in 2023 is high. \u201cOne potential reason for an event like this occurring,\u201d continued Kamluk, \u201cis that the most sophisticated threat actors in the world are likely to possess at least one suitable exploit, and current global tensions greatly increase the chance that a ShadowBrokers<\/a>-style hack-and-leak could take place.\u201d<\/p>\n

Finally, it is worth mentioning an unexpected effect of the geopolitical situation: splintering and rebranding among the ransomware groups. Most of the larger groups are multi-national \u2013 so it should be no surprise that different members might have different geopolitical affiliations. Conti is perhaps the biggest example to date.<\/p>\n

\u201cIn 2022, many large groups collapsed, including the largest, Conti,\u201d comments Vincent D\u2019Agostino, head of digital forensics and incident response at BlueVoyant. \u201cThis group collapsed under the weight of its own public relations nightmare, which sparked internal strife after Conti\u2019s leadership pledged allegiance to Russia following the invasion of Ukraine. Conti<\/a> was forced to shut down and rebrand as a result.\u201d Ukrainian members objected and effectively broke away, leaking<\/a> internal Conti documents at the same time.<\/p>\n

But this doesn\u2019t mean that the ransomware threat will diminish. \u201cAfter the collapses, new and rebranded groups emerged. This is expected to continue as leadership and senior affiliates strike out on their own, retire, or seek to distance themselves from prior reputations,\u201d continued D\u2019Agostino.\u00a0<\/p>\n

The fracturing of Conti and multiple rebrandings of Darkside into their current incarnations has demonstrated the effectiveness of regular rebranding in shedding unwanted attention. \u201cShould this approach continue to gain popularity, the apparent number of new groups announcing themselves will increase dramatically when in fact many are fragments or composites of old groups.\u201d<\/p>\n

Sophistication<\/strong><\/h2>\n

The increasing sophistication, or professionalism, of the criminal gangs is discussed in Cyber Insights 2023: Criminal Gangs<\/a><\/em>. Here we will focus on how this affects ransomware.<\/p>\n

RaaS<\/strong><\/h3>\n

The most obvious is the emergence of ransomware-as-a-service. The elite gangs are finding increased profits and reduced personal exposure by developing the malware and then leasing its use to third-party affiliates for a fee or percentage of returns. Their success has been so great that more, lesser skilled gangs will follow the same path.<\/p>\n

\u201cIt initially started as an annoyance,\u201d explains Matthew Fulmer, manager of cyber intelligence engineering at Deep Instinct, \u201cbut now after years of successful evolution, these gangs operate with more efficiency than many Fortune 500 companies. They\u2019re leaner, meaner, more agile, and we\u2019re going to see even more jump on this bandwagon even if they\u2019re not as advanced as their partners-in-crime.\u201d<\/p>\n

The less advanced groups, and all affiliates of RaaS, are likely to suffer at the hands of law enforcement. \u201cIt is likely that there will be a constant battle between law enforcement agencies and ransomware affiliates. This will either be veteran\/more established ransomware affiliates or new ransomware groups with novel ideas,\u201d comments Beth Allen, senior threat intelligence analyst at Intel 471.\u00a0<\/p>\n

\u201cMuch like whack-a-mole, RaaS groups will surface, conduct attacks, be taken down or have their operations impacted by LEAs \u2013 and then go quiet only to resurface in the future. The instability within criminal organizations that we have observed will also be a contributing factor to groups fading and others surfacing to fill the void.\u201d<\/p>\n

Changing tactics<\/strong><\/h3>\n

As defenders get better at defending against ransomware, the attackers will simply change their tactics. John Pescatore, director of emerging security trends at SANS, gives one example: \u201cMany attackers will choose an easier and less obtrusive path to gain the same critical data. We will see more attacks target backups that are less frequently monitored, can provide ongoing access to data, and may be less secure or from forgotten older files.\u201d<\/p>\n

Drew Schmitt, lead analyst at GuidePoint, sees increased use of the methodologies that already work, combined with greater attempts to avoid law enforcement. \u201cRansomware groups will likely continue to evolve their operations leveraging critical vulnerabilities in commonly used applications, such as Microsoft Exchange, firewall appliances, and other widely used applications,\u201d he suggested.\u00a0<\/p>\n

\u201cThe use of legitimate remote management tools such as Atera<\/a>, Splashtop<\/a>, and Syncro is likely to continue to be a viable source of flying under the radar while providing persistent access to threat actors,\u201d he added.<\/p>\n

But, he continued, \u201cransomware \u2018rebranding\u2019 is likely to increase exponentially to obfuscate ransomware operations and make it harder for security researchers and defenders to keep up with a blend of tactics.\u201d<\/p>\n

Warren expects to see criminal ransomware attacks focusing on smaller, less well-defended organizations. \u201cState actors will still go after large institutions like the NHS, which implement robust defenses; but there are many small to mid-size companies that invest less in protection, have limited technical skills, and find cyberinsurance expensive \u2013 all of which makes them easy targets.\u201d<\/p>\n

This will partly be an effect of better defenses in larger organizations, and partly because of the influx of less sophisticated ransomware affiliates. \u201cWe can expect smaller scale attacks, for lower amounts of money, but which target a much broader base. The trend will probably hit education providers hard: education is already the sector most likely to be targeted,\u201d he continued.<\/p>\n

He gives a specific example from the UK. \u201cEvery school in the UK is being asked to join a multi-academy trust, where groups of schools will be responsible for themselves. With that change comes great vulnerability. This \u2018network\u2019 of schools would be a prime target for ransomware attacks; they are connected, and they\u2019re unlikely to have the resilience or capabilities to protect against attacks. They may have no choice but to reallocate their limited funds to pay ransom demands.\u201d<\/p>\n

But it won\u2019t just be more of the same. More professionalized attackers will lead to new attack techniques. Konstantin Zykov, senior security researcher at Kaspersky, gives an example: the use of drones. \u201cNext year, we may see bold attackers become adept at mixing physical and cyber intrusions, employing drones for proximity hacking.\u201d<\/p>\n

He described some of the possible attack scenarios, such as, \u201cMounting drones with sufficient tooling to allow the collection of WPA handshakes used for offline cracking of Wi-Fi passwords or even dropping malicious USB keys in restricted areas in hope that a passerby would pick them up and plug them into a machine.\u201d<\/p>\n

Marcus Fowler, CEO of Darktrace Federal, believes the existing ransomware playbook will lead to increased cloud targeting. \u201cPart of this playbook is following the data to maximize RoI. Therefore, as cloud adoption and reliance continue to surge, we are likely to see an increase in cloud-enabled data exfiltration in ransomware scenarios in lieu of encryption,\u201d he said. \u201cThird-party supply chains offer those with criminal intent more places to hide, and targeting cloud providers instead of a single organization gives attackers more bang for their buck.\u201d<\/p>\n

Evasion and persistence are other traits that will expand through 2023. \u201cWe continue to see an emergence in techniques that can evade typical security stacks, like HEAT<\/a> (Highly Evasive Adaptive Threats) attacks,\u201d says Mark Guntrip, senior director of cybersecurity strategy at Menlo. \u201cThese tactics are not only are tricking traditional corporate security measures but they\u2019re also becoming more successful in luring employees into their traps as they identify ways to appear more legitimate by delivering ransomware via less suspecting ways \u2013 like through browsers.\u201d<\/p>\n

Persistence, that is, a lengthy dwell time, will also increase in 2023. \u201cRather than blatantly threatening organizations, threat actors will begin leveraging more discreet techniques to make a profit,\u201d comments JP Perez-Etchegoyen, CTO at Onapsis. \u201cThreat groups like Elephant Beetle have proven that cybercriminals can enter business-critical applications and remain undetected for months, even years, while silently siphoning off tens of millions of dollars.\u201d<\/p>\n

David Anteliz, senior technical director at Skybox, makes a specific persistence prediction for 2023: \u201cIn 2023, we predict a major threat group will be discovered to have been dwelling in the network of a Fortune 500 company for months, if not years, siphoning emails and accessing critical data without a trace. The organizations will only discover their data has been accessed when threat groups threaten to take sensitive information to the dark web.\u201d<\/p>\n

Fighting ransomware in 2023<\/strong><\/h2>\n

The effect of ransomware and its derivatives will continue to get worse before it gets better. Apart from the increasing sophistication of existing gangs, there is a new major threat \u2013 the worsening economic conditions that will have a global impact in 2023.\u00a0<\/p>\n

Firstly, a high number of cyber competent people will be laid off as organizations seek to reduce their staffing costs. These people will still need to make a living for themselves and their families \u2013 and from this larger pool, a higher than usual number of otherwise law-abiding people may be tempted by the easy route offered by RaaS. This alone could lead to increased levels of ransomware attacks by new wannabe criminals.<\/p>\n

Secondly, companies will be tempted to reduce their security budgets on top of the reduced staffing levels. \u201cOnce rumblings of economic uncertainty begin, wary CFOs will begin searching for areas of superfluous spending to cut in order to keep their company ahead of the game,\u201d warns Jadee Hanson, CIO and CISO at Code42. \u201cFor the uninformed C-suite, cybersecurity spend is sometimes seen as an added expense rather than an essential business function that helps protect the company\u2019s reputation and bottom line.\u201d<\/p>\n

She is concerned that this could happen during a period of increasing ransomware attacks. \u201cThese organizations may try to cut spending by decreasing their investment in cybersecurity tools or talent \u2013 effectively lowering their company\u2019s ability to properly detect or prevent data breaches and opening them up to potentially disastrous outcomes.\u201d<\/p>\n

One approach, advocated by Bec McKeown, director of human science at Immersive Labs, is to treat remaining staff as human firewalls. \u201cI believe that 2023 will be the year when enterprises recognize that they are only as secure and resilient as their people \u2013 not their technologies,\u201d she says. \u201cOnly by supporting initiatives that prioritize well-being, learning and development, and regular crisis exercising can organizations better prepare for the future.\u201d<\/p>\n

Done correctly, she believes this can be achieved in a resource- and cost-effective manner. \u201cAdopting a psychological approach to human-driven responses during a crisis \u2013 like a cybersecurity breach \u2013 will ensure that organizations fare far better in the long run.\u201d<\/p>\n

But perhaps the most dramatic response to ransomware will need to come from governments, although law enforcement agencies alone won\u2019t cut it. LEAs may know the perpetrators but will not be able to prosecute criminals \u2018protected\u2019 by adversary nations. LEAs may be able to take down criminal infrastructures, but the gangs will simply move to new infrastructures. The effectively bullet-proof hosting provided by the Interplanetary File System (IPFS<\/a>), for example, will increasingly be abused by cybercriminals.<\/p>\n

The only thing that will stop ransomware\/extortion will be the prevention of its profitability \u2013 if the criminals don\u2019t make a profit, they\u2019ll stop doing it and try something different. But it\u2019s not that easy. At the close of 2022, following major incidents at Optus<\/a> and Medibank<\/a>, Australia is considering making ransom payments illegal \u2013 but the difficulties are already apparent.<\/p>\n

As ransomware becomes more destructive, paying or not paying may become existential. This will encourage companies to deny attacks, which will leave the victims of stolen PII unknowingly at risk. And any sectors exempted from a ban will have a large target on their back.<\/p>\n

While many foreign governments are known to be, or have been, considering a ban on ransom payments, this is unlikely to happen in the US. In a very partisan political era, the strength of the Republican party \u2013 with its philosophy of minimal government interference in business \u2013 will make it impossible.<\/p>\n

In the end, it\u2019s down to each of us\u2026<\/strong><\/h2>\n

Ultimately, beating ransomware will be down to individual organizations\u2019 own cyber defenses \u2013 and this will be harder than ever in 2023. \u201cThere\u2019s no letup in sight,\u201d comments Sam Curry, CSO at Cybereason. \u201cRansomware continues to target all verticals and geographies, and new ransomware cartels are popping up all the time. The biggest frustration is that it is a soluble problem.\u201d<\/p>\n

He believes there are ways to stop the delivery of the malware, and there are ways to prevent its execution. \u201cThere are ways to prepare in peacetime and not panic in the moment, but most companies aren\u2019t doing this. Saddest of all is the lack of preparation at the bottom of the pyramid in smaller businesses and below the security poverty line. Victims can\u2019t pay to make the problem go away. When they do, they get hit repeatedly for having done so. The attackers know that the risk equation hasn\u2019t changed between one attack and the next, nor have the defenses.\u201d<\/p>\n

Related<\/strong>: It Doesn\u2019t Pay to Pay: Study Finds 80% of Ransomware Victims Attacked Again<\/a><\/p>\n

Related<\/strong>: New Zealand Government Hit by Ransomware Attack on IT Provider<\/a><\/p>\n

Related<\/strong>: Ransomware, Malware-as-a-Service Dominate Threat Landscape<\/a><\/p>\n

The post Cyber Insights 2023: Ransomware<\/a> appeared first on SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

About SecurityWeek Cyber Insights | At the end of 2022,\u00a0SecurityWeek\u00a0liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today \u2013 and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum […]<\/p>\n","protected":false},"author":2,"featured_media":16844,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[27,143,80,96,115,161],"tags":[],"class_list":["post-16843","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybercrime","category-cyberinsights2023","category-malware-threats","category-ransomware","category-threat-intelligence","category-trends"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16843"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16843\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16844"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}