From using a network’s own legitimate system tools against itself to buying Ransomware-as-a-Service, hackers are getting bolder by the day.

In our latest 2021 Threat Report, Sophos has identified that the average ransom payout by global companies in the third quarter of 2020 alone had risen by 21% compared to the previous quarter.

The average ransom payout in Q3 was the equivalent of S$233,817.30, payable in cryptocurrency. A year ago, the average payout was S$84,116. In Singapore, ransomware cases increased by nearly 75% between January and October 2020 versus the same period in 2019, according to the Cyber Security Agency of Singapore.

But no one is off limits. Not the hospitals treating critically ill patients, not the schools working around the clock to maintain safe in-class learning, and not the IT organizations tasked with enabling thousands of employees to work from home.

The fact that ransomware gangs like Ryuk have attacked hundreds of healthcare providers this year goes to show how ruthless these criminals really are. We have also seen a surge of recent devastating attacks that are unlike anything the cybersecurity industry has ever experienced, and there are no signs of them slowing down.

Staying one step ahead of ransomware gangs means being vigilant, proactive, and prepared.

Here are four increasingly dangerous threat vectors that will define the near-future of ransomware.

  1. Abuse of legitimate tools
    Cybercriminals are ramping up their abuse of otherwise legitimate tools to gain entry into information systems and to stay under the radar, while they maneuver to launch the payload when ready. Standard tools being used for nefarious purposes do not automatically generate red flags from automated detection systems, and can easily go undetected.
  2. Commodity malware
    Low-level malware such as botnets and loaders, which may lack the sophistication and effectiveness of more advanced persistent threats, should never be underestimated for its potential role in a larger attack. Seemingly ordinary malware can cause serious problems if allowed to persist.

    Some of these botnets and loaders, along with human-operated Initial Access Brokers (i.e., middlemen for ransomware), are increasingly being leveraged to gain a foothold into a target’s network, performing reconnaissance and sending back valuable data to a command-and-control host. Human operators behind these threats will look for signs of value, brokering lucrative targets to the highest bidder—such as a ransomware operator—which is exactly what we recently saw when Ryuk used the Buer Loader to deliver ransomware.

    Even run-of-the-mill detections should not be ignored. Blocking or removing malware just once, and then cleaning the machine afterward, is not always the end of it. These seemingly minor infections often afflict more targets in one fell swoop than realized at first. Allowing that to go unnoticed for too long can enable criminals to facilitate more damaging ransomware attacks later on.
  3. Big-game ransomware families
    Ransomware can be thought of as a spectrum with two defined poles. On one end of that spectrum, you have the ‘big game’ ransomware families that focus on a relatively narrow band of targets—specifically because their targets are larger organizations with the resources or cyber-insurance to pay multimillion-dollar ransoms.

    These big-game gangs will continue building on their already successful tactics, techniques, and procedures and grow even more sophisticated in both their methods to strike and their ability to evade detection.
  4. Entry-level attackers
    On the other end of that spectrum are the ‘entry-level’ attackers that take the opposite approach: spamming large volumes of targets with low-grade ransomware-as-a-service (RaaS) attacks. This fast-food approach to ransomware is easier to defend against, but it is also easier for attackers to deploy. By attacking many targets in one go, even a small percentage of wins can still lead to large numbers of successfully victimized companies, emboldening attackers and funding ongoing operations. This will continue to pose a threat this year, as these attackers become more collaborative, almost like cartels, sharing best-of-breed tools with each other for greater success.

    The ransomware threat landscape may be split between these two groups, but it is critical that security teams and managed security providers take both extremes into account as part of their threat detection and response strategies. The spectrum may be widening, but every point on it will remain as potent and dangerous as ever, if not more so, this year.

Fast incident response needed

The best way to detect and stop such human adversaries is with human-led threat hunting.

Trained experts know the subtle indicators and red flags to look for; they know how to spot a legitimate tool being used illegitimately in a way that automated detection tools may miss. Endpoint detection and response (EDR) is also essential as a foundational tool, but adding sets of 24/7 expert human eyes will ensure more effective protection and better security outcomes.

As ransomware gangs become more sophisticated in 2021, organizations need to be able to meet the challenge with their best foot already forward—and armed with their fastest incident response capabilities.