Decoding the Ransomware Renaissance Of 2023-2024

Welcome to the Ransomware Renaissance of 2024: an era where cyber crime innovations are outpacing our defenses and criminals can re-invent their business model on a daily basis. This year, ransomware groups proved to us they are moving faster than ever, taking a no-holds-barred approach. In fact, 2024 might be the best year ever for ransomware groups, with several very high-profile attacks that had huge payouts, like the $75 million payment from an unknown victim to the secretive Dark Angels ransomware group. These criminal groups specialize in “big game hunting”: going after global, larger businesses, healthcare and critical infrastructure, as those are likely to pay higher ransoms. In 2023, LockBit and BlackCat were at the top of the 'Ransomware-as-a-Service' pyramid, netting more than $1 billion in actual ransom payments. While we did see some major law enforcement actions, takedowns and even arrests, nothing seems to slow down the ransomware tide!

The FBI is still searching for Dimitry Yuryevich Khoroshev: the alleged kingpin of LockBit’s ‘Ransomware-as-a-Service’ empire. Meanwhile, BlackCat successfully resurrected their operations in February 2024 with a hefty $22 million ransom from Change Healthcare, and then proceeded to scam their own affiliates in March 2024.

And while the top cats are plotting their return to the scene (perhaps with another rebrand), groups like Cl0p, Play, RansomHub and Akira are bolder than ever as they fiercely compete for a piece of the ransomware pie. This ‘churn’ and fragmentation is also incentivizing criminals to be more creative and clever, thus fueling the next wave of the renaissance.

How does this wave of malicious innovation play out? In quite a few ways:

  1. GenAI: 2021's hand-crafted phishing emails are passé. In 2024, ransomware is delivered by AI-generated phishing emails that could fool your CEO, and criminals can crank those out 100X faster.
  2. Hyper-Fast Exploitation: Previously, criminal groups took days or weeks to weaponize new vulnerabilities; in 2023 and 2024 we're seeing the bad guys do it in hours. Case in point: Cl0p is particularly fast. In May 2023, Cl0p exploited a zero-day vulnerability in a file transfer appliance, compromising hundreds of organizations in just a few days.
  3. Encryption Tactics: In the past two years we also saw the move away from slow, full-file encryption, which is not only time-consuming but also easily detectable. Now, most sophisticated ransomware groups like BlackCat use "intermittent encryption" to encrypt only parts of each file, which is faster and makes it harder for security tools to detect the attack in progress.
  4. Elaborate Extortion Strategies: Criminals are coming up with clever ways to further incentivize their victims to pay, instead of 'just' data encryption and ransom demands. Enter the 'TRIPLE extortion threat': Pay us, or else 1) the data gets encrypted (and you won't have access to it), 2) the data will be leaked for everyone to see (and your brand will suffer), 3) info about the breach is actively publicized to customers, the press and regulators. Other groups even go one (4th!) step further: DDoS attacks to drive their point home. All of these tactics are meant to pressure victims to pay, as more organizations are pledging NOT to pay ransoms.
  5. Operational Sophistication: In 2024, ransomware is delivered as-a-Service (RaaS), with cloud-based platforms that are extremely active, with 24/7 support, user-friendly dashboards, and even loyalty programs for repeat "customers." Those customers are actually their 'affiliates': the lower-level criminals who actually find targets and push out the malware itself. They usually get to keep 80-90% of any ransoms paid, with the Ransomware-as-a-Service 'core developers' getting a 10-20% commission.

Phew... That's a lot of innovation right there! So what can we learn from these tactics? Here are 3 lessons to be more prepared for the future:

  • Go FAST or go home: speed of exploitation is a key factor in the success of many criminal ransomware campaigns. Groups like Cl0p and Akira have been known to pounce on their targets, turning vulnerabilities into working exploits and active ransomware campaigns within days, and sometimes even HOURS. So what? So we HAVE to move faster in order to patch or protect against exploits weaponizing newly discovered vulnerabilities. One way to do that is to use tools like CISA’s KEV to prioritize critical patching!
  • AI is helpful (for the baddies): criminals aren’t shy or hesitant about using AI to automate and accelerate attacks, creating more effective malware and more elaborate, well-written and personalized phishing campaigns. So we need to fight FIRE with FIRE: use AI and automation wherever possible to help uncover threats, identify phishing emails and stop malware from spreading. To do that well, we need to understand how AI can help defenders. Here’s a good place to start.
  • Continuous product evolution: ransomware players, and in particular Ransomware-as-a-Service platforms, are constantly offering new features to their affiliates, like improved encryption algorithms that use ‘intermittent encryption’ for faster deployment and new evasion techniques, and they even invest in improving and updating their “customer support” to better facilitate ransom payments and decryption. The lesson here is that we need to ADAPT and do things differently, learn about new tools and technologies, and come up with ways to leverage the existing tools we have in creative ways! Here’s one creative project I like: finding source code re-use by bad guys and using that as a defensive toolset!
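To make the KEV lesson concrete, here is an added example (not from the original article) that ranks the vulnerabilities found in your own environment against CISA's Known Exploited Vulnerabilities catalog, putting entries CISA has flagged as used in ransomware campaigns first and then sorting by how overdue the CISA due date is. The KEV entries and CVE IDs below are constructed placeholders in the shape of the real JSON feed; swap in the live catalog and your scanner's output.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (placeholder CVE IDs,
# NOT real catalog entries). The live feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "FileTransferAppliance",
     "dateAdded": "2024-05-01", "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "VPNGateway",
     "dateAdded": "2024-06-10", "dueDate": "2024-07-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Hypervisor",
     "dateAdded": "2024-04-15", "dueDate": "2024-05-06", "knownRansomwareCampaignUse": "Known"},
]})


def load_kev(raw_json):
    """Index KEV entries by CVE ID so inventory lookups are constant-time."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(inventory, kev, today_iso):
    """Rank the CVEs present in our estate that also appear in KEV.

    Order: ransomware-linked entries first, then by CISA due date (most overdue
    first). Returns (cveID, product, days_until_due, ransomware_linked) tuples;
    a negative days value means the CISA deadline has already passed.
    """
    today = date.fromisoformat(today_iso)
    ranked = []
    for cve in inventory:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: still patch it, just not in this emergency queue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        ranked.append((cve, entry["product"], days_left, ransomware))
    ranked.sort(key=lambda r: (not r[3], r[2]))
    return ranked


if __name__ == "__main__":
    # Constructed scanner output: CVEs reported as present in our environment
    found = ["CVE-0000-0002", "CVE-0000-0001", "CVE-0000-0003", "CVE-0000-9999"]
    for cve, product, days, rw in prioritize(found, load_kev(KEV_SAMPLE), "2024-06-15"):
        print(f"{'RANSOMWARE' if rw else 'kev':10} {cve} {product} due in {days:+d} days")
```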

If you’d like to learn more about these topics, and hear me speak LIVE, sign up for FREE to some of my upcoming talks for some fresh content:

  1. September 5: CloudBound online - Speaking about using AI for cybersecurity
  2. September 9: Presale1 online - The Ransomware Renaissance
  3. September 26: The Open Source Security Summit
  4. October 10: MSPGlobal “Insights From A Hacker” - Live & in person at PortAventura, Barcelona


Daniel Ehrenreich

Leading ICS-OT-IIOT Cyber Security Expert, Consultant, Workshops Lecturer, International Keynote Speaker

1 month

Truly a great summary by the talented Keren Elazari. From my side, it is important to mention that ransomware attacks are ALWAYS directed to IT and none to the OT Zone, aiming to harm the physical process. Surprised? Read the paper: https://www.dhirubhai.net/pulse/ics-ot-directed-ransomware-likely-happen-daniel-ehrenreich-2kv1f/?trackingId=823Ik1ARTvWjdR91kOoAIw%3D%3D

Netanel Stern

CEO and security engineer

2 months

???? ??? ?? ?? ?????? ??????? ??? ???? ???? ????? ???? ?????? ???: https://chat.whatsapp.com/HWWA9nLQYhW9DH97x227hJ

Richard (Dinesh Kumar) Gupta

Ethical Hacker, Pen tester (Cloud, Web apps, Software, Android), Bug Bounty Hunter, ML Engineer

2 months

Hi Karen, a lot of congratulations to you. Wish you a lot of success, innovation, and joyous moments ahead!!!

_Reut Menashe

CEO of Tetrisponse.io | SecurityLayers | Flexible Work Life | IR | Tech | BsidesTLV and Leading Cyber Ladies Communities Builder

2 months

FIRE with FIRE

Hannah (Chen ) Torgeman

Chief Executive Officer at Golfzon Israel

2 months

Great advice
