A Guide to Evolving Ransomware Types
Ransomware Attacks Are On The Rise, And The Types Of Ransomware Are Changing All The Time. We Break Down The Threat To Help Protect Your Business.
- Ransomware has become one of the most prevalent and damaging cybersecurity threats in an economy of remote workers.
- Attackers have typically used ransomware to encrypt victims’ data, demanding that companies pay to regain control of their networks and information.
- But there’s no single method for this crime, with ransomware types now in a state of constant evolution.
Ransomware attacks have surged in 2020-21. The overnight shift to remote work left little room for companies to stress-test their IT security or properly train employees to spot potential threats in the new environment, opening the door to a wave of attacks from opportunistic cybercriminals.
Over a third of organizations worldwide recently said they’d experienced a ransomware attack in the past 12 months, according to a survey by International Data Corp. Mimecast’s State of Email Security 2021 (SOES) showed ransomware damaging organizations on many levels. First, they experienced an average of six days of downtime after an attack. Second, many companies were ultimately forced to pay ransom to regain control of their IT systems and resume operations. Third, sensitive data was exposed; often it wasn’t even returned when a ransom was paid.
What’s making matters worse is that criminals are continually changing their method of operation, or MO — switching up tactics, techniques and procedures. Different criminal gangs and their “brands” of ransomware suddenly explode on the scene, in part through sales of ransomware-as-a-service (RaaS) to other criminals on the black market. A brand may fade away, only to be recoded, rebranded and relaunched as a new type of ransomware. “Old school” cyberattacks such as distributed denial of service (DDoS) have even been repurposed for ransomware.
All this leaves security professionals playing a never-ending game of catchup. This article looks at the current state of play in four areas:
- Basics: What exactly is ransomware today?
- Vectors: How do ransomware attackers infect targets?
- Types: What are some of the latest ransomware types?
- Response: How can you protect your business from ransomware attacks?
What Is Ransomware?
Ransomware is a malicious form of software used by threat actors to hold people or organizations ransom in exchange for payment. But even the basic strategies of ransomware are changing today, in the following ways:
- Encryption: Ransomware attacks have typically encrypted files on targets’ computers or networks so they are no longer accessible, with victims asked to pay to retrieve the data. As ransomware has evolved, though, other approaches have emerged.
- Data theft: Instead of encrypting data, a growing number of attackers are extracting files and threatening to sell them on the Dark Web unless a ransom is paid.
- Hybrids: Recognizing that security professionals have improved backup and recovery systems, some attackers both encrypt data and steal files, to increase the likelihood they will get paid their ransom.
- Wiper malware: In these attacks, threat actors encrypt data and may request a ransom. However, their primary aims are to destroy, disrupt and possibly cover up cyberespionage. Any data involved is actually irretrievable even by the attackers, and paying a ransom won’t get it back.
- DDoS extortion: Long dormant, the use of DDoS has recently reemerged as a means of forcing ransom payments, by flooding websites or servers with too much traffic until payment is received. Sometimes, DDoS threats are combined with the other strategies listed above.
Various Vectors: How Do Ransomware Attackers Break In?
The rise of remote work has redefined ransomware in several ways, including the vectors of attack. And while estimates of the prevalence of each vector vary, these are currently the most common:
- Remote desktop protocol (RDP): This is a protocol that connects servers to remote desktops, for uses including IT support. Organizations’ networks are exposed when RDP ports are left open or only weakly protected on the internet. RDP vulnerabilities are today’s No. 1 ransomware attack vector.
- Virtual private networks (VPNs): VPNs are not always as secure as needed, particularly when organizations’ security teams fail to keep their VPN software updated as vendors release patches to fix security flaws.
- Email: Email goes in and out of favor among extortionists, but remains among the top three attack vectors, with phishing emails that dupe victims into opening infected attachments, clicking on malicious links or revealing passwords. Some ransomware is using email in new ways, for example, entering networks via encrypted emails (like a financial services company might send) to avoid email security filters.
What makes ransomware so nefarious is that once cybercriminals gain access to a single computer in your business, they move across your network, deploying malware to encrypt or steal data from multiple devices and networks. The effects of a network breach can snowball quickly, handcuffing departments and entire businesses for days or weeks until they eliminate the threat or pay the requested ransom.
Types of Ransomware
This recent headline underscored the speed of change in types of ransomware: “One big ransomware threat just disappeared. Now another one has jumped up to fill the gap.” The threat landscape of ransomware gangs and types is always shifting. Some prominent threat actors have recently gone offline but are expected to reemerge using new tactics under new names.
Avaddon provides an example of a widely used RaaS that recently shut down. Avaddon attackers used phishing and email spam campaigns to deliver malicious files, suggesting that the attachments actually contained compromising photos. They threatened to expose victims’ files and to launch DDoS attacks. They reportedly hit nearly 3,000 victims.
Reports of other big RaaS brands that have receded recently include Egregor, Darkside and REvil, for reasons including pressure from law enforcement. But as the headline above indicated, the resulting gap has been filled by other ransomware types, such as an updated version of LockBit. The LockBit attackers are said to exploit RDP and VPN vulnerabilities and, once in, to use tools that help establish network access and install ransomware.
Other new or rebranded ransomware includes PayloadBIN, BlackMatter, several exploiters of Windows PrintNightmare printer vulnerabilities — and a running count of others in what one security expert referred to as “Ransomware Gangs and the Name Game Distraction.” In another new development, some cyber attackers are selling access as a service (AaaS). In one form of AaaS, after an attacker has breached a company for their own purposes, that access is sold to other actors.
Mainly, though, what’s clear is that ransomware and its perpetrators are proliferating. Attacks in the first six months of 2021 eclipsed the whole of 2020, by one report.
How to Protect Your Organization from Ransomware Attacks
Companies need to protect their data and networks, including email accounts and archives containing a wealth of sensitive information. Advice on doing so abounds, including Mimecast’s Ransomware Kit. But ransomware protection often comes down to the basic best practices of building cyber resiliency. “Using a layered approach to security, a tried and tested continuity and recovery plan, and going back to basics is the best method to use when defending against ransomware,” said Carl Wearn, Head of Risk & Resilience, E-Crime & Cyber Investigation at Mimecast.
The rapid evolution of ransomware today elevates some of these practices in priority, including the following:
- Know the enemy: Continually monitor alerts and other sources of information from governments and private security researchers that track cybercrime.
- Know yourself: Identify and address vulnerabilities and weaknesses that could be exploited, and keep up when your vendors release software patches.
- Plan for recovery: A continuity plan with secure backups can cut your losses and even put you in a better position to negotiate with extortionists.
- Rally your people: Employee training and awareness should be an ongoing business requirement, with measurable goals and results.
- Prevent lateral movement: Segment your network and separate operational and non-operational data.
The Bottom Line
The threat of ransomware has never been greater, and the accelerated evolution of ransomware types is compounding the threat. The Threat Center has assessed it’s highly likely (≈80% – ≈90%) that the coming year will see increased attacks, as groups will want to profit from it before momentum builds for any inevitable regulation, or enforcement renders ransomware ineffective as a form of extortion. Knowing the nature of the attacks you face and maintaining a cyber resilience strategy are your best bets to protect against ransomware in this challenging environment.
 “IDC Survey Finds More Than One Third of Organizations Worldwide Have Experienced a Ransomware Attack or Breach,” International Data Corp.
 “New Evil Corp Ransomware Mimics PayloadBin Gang to Evade U.S. Sanctions,” Bleeping Computer
 “Ransomware Gang Uses PrintNightmare to Breach Windows Servers,” Bleeping Computer
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!