The Professionalization of Ransomware: What You Need to Know

The rise of ransomware-as-a-service (RaaS) is just one marker in the emergence of a more organized and professional class of ransomware gangs focused on new ways of monetizing ransomware beyond encryption, including double and triple extortion.

The rise in attacks has also been accompanied by an increasingly professional threat actor community, largely replacing the loosely affiliated groups of the past.

Many of these malicious actors operate almost exactly like legitimate corporations with a full financial motivation for their activities.

As average ransomware payment now commands north of $800,000, according to a Sophos report, perhaps it is unsurprising that ransomware groups are looking to evolve and benefit from an increasingly lucrative attack vector.

A recent report by LookingGlass notes the professionalization of ransomware has been fueled by sophisticated software and networks, making it a serious problem that threatens businesses and consumers alike.

“The skill on display in terms of ransomware development, including encryption methodologies and their ability to leverage initial access brokers, points toward signs that ransomware gangs are reaching a new level of professional acumen,” the report noted.

Signs of Diversification, Specialization

“Similar to corporations, ransomware actors have developed their own supply chains, which have allowed for diversification, specialization and broader access to a range of components needed for a ransomware attack,” explains Jeremy Kirk, cyber threat intelligence analyst at Intel 471.

For example, no longer does a single threat actor have to run their own phishing campaign to steal login credentials. Instead, login credentials can be purchased in underground cybercriminal markets from brokers who specialize in breaking into networks.

“Exploit code used to take advantage of a software vulnerability can be purchased, and bad actors can also sign up with affiliate programs run by ransomware groups,” Kirk says.

Those RaaS programs offer ready-built ransomware malware, negotiation portals, and customer support for those affiliates, which pay a portion of ransoms in return.

“Ransomware affiliate programs that act as cybercriminal supply chains have magnified the scale of ransomware since they’ve also enabled somewhat lesser-technical cybercriminals to execute attacks,” he adds.

Ransomware as an Expanding Business

Bud Broomhead, CEO at Viakoo, points out the business opportunities from a successful ransomware attack are expanding.

“It used to be just to gain payment and release the data, but now also involves shopping the data to others, which requires having a sales team, competing against other professional ransomware organizations, which means having a marketing team, and more extensive computing and networking, requiring an IT organization,” he says.

He predicts mergers and acquisitions, IP licensing, external lobbying, and industry-level conferences are all either currently or soon will be part of the evolution.

Joseph Carson, chief security scientist and advisory CISO at Delinea, says when organized crime met cybercriminals, they changed the path of ransomware to operate more like a business.

“This change means that with every release of a new ransomware variant they are becoming more advanced with newer features and techniques to avoid detection all of which should raise alarms for IT security professionals,” he explains.

He adds when ransomware criminals operate as a business, this means IT professionals must stay ahead of their techniques and improvements.

Cybercriminals Investing the Rewards of Their Labors

Carson notes ransomware continues to reward their creators financially and they are investing some of those rewards back into making the next version more profitable.

“While some countries continue to provide safe havens for cybercriminal gangs to operate, ransomware will continue to cause havoc for many organizations around the world,” he says. “Eventually, ransomware will evolve so much it will start to impact the physical world, locking you out of your car, your home and your digital life.”

He points out cybercriminals are also researching ways around the latest security controls and have invested resources and time into social engineering focused on abusing users' trust and targeting cyber fatigue.

Broomhead says three things change with the professionalization of ransomware actors, starting with the likelihood that phishing attacks are likely to become more sophisticated and needs more defenses beyond current “don’t click links” training.

“Second, there must be more focus on hardening and securing the IoT/OT devices that host bots and are involved in malware deployment, and finally there will be need for all connected assets -- not just IT -- to be discovered and assessed for potential ransomware,” he explains.

Strategies for IT Security Teams

Carson says it is critical that IT professionals are current with the ransomware trends and techniques, as it will help IT professionals identify the best ways to reduce those risks and enhance the security controls for the business they are hired to protect.

From his perspective, the breakup of some of the large ransomware criminal gangs makes it more likely that smaller splinter groups will become the top threat in 2023. “They have the knowledge of a larger ransomware gang and can now operate more efficiently, sometimes even more targeted,” he says.

Kirk explains ransomware is still largely successful due to security mistakes or weaknesses that usually can be mitigated or eliminated. “The risk from stolen login credentials can be mitigated by employing multifactor authentication,” he says. “Cybersecurity awareness training can reduce the likelihood an employee may be tricked into downloading a malicious attachment.”

He adds that promptly patching software -- particularly for internet-facing systems such as email servers or VPNs -- is extremely important, as is ensuring that remote connectivity software is securely managed.

Broomhead adds with the potential of quantum computing to be used to decrypt data based on current methods, IT professionals should also be conscious that encryption alone may not prevent extensive data theft.

“Knowing the methods and tools used by threat actors is a basis for forming defenses around it,” he says.

What to Read Next:

The Cost of a Ransomware Attack, Part 1: The Ransom

The Cost of a Ransomware Attack, Part 2: Response & Recovery

LAUSD Ransomware Attack: Understanding Cybersecurity Risks in Education