If you don’t think ransomware is one of the most serious criminal threats to your organization in 2024, you haven’t been paying attention.
Ransomware was a $1.1 billion industry in 2023, and successful attacks inflicted brand, financial, and operational damage to nearly every type of organization, large, small, and middling. Just ask MGM Resorts, which didn’t pay a ransom to the Scattered Spider group but estimates that its losses from the data extortion attack exceeded $100 million, including $10 million for technology consulting services, legal fees, and expenses for other third-party advisers.
What can we expect in 2024? Here are six key things you need to know about today’s ransomware tactics, strategies, and trends.
2024 will be a lot like 2023—but worse
When it comes to defending your organization against ransomware, security experts expect 2024 to be an even more challenging year than 2023. Why? Because the sheer number of ransomware attacks is rising sharply.
The number of known attacks grew by 68% in 2023, according to ThreatDown’s 2024 State of Malware report. And the number of ransomware attacks in January 2024, compared to January 2023, has increased by 73%.
You should expect to pay a larger ransom
Not only did the volume of attacks increase dramatically in 2023, but the average paid ransom also increased. The average ransomware payment in 2023 was $1.54 million, which is almost twice as much as the 2022 figure of $812,380, according to Sophos.
Don’t underestimate your adversaries, such as the Conti Group
Your ransom-seeking adversaries are often well-organized and well-managed. Contrary to what some people imagine, you’re not squaring off with some scruffy guy with poor personal hygiene who works out of a basement apartment in New Jersey.
Leaked internal chat logs from the Conti Group, a ransomware entity based in Russia, reveal that it possesses many of the trappings of a small legitimate business. For instance, the chat logs show that, at the time of the leak, Conti had 60 employees, an HR department, performance reviews, a slew of training opportunities, and even an “employee of the month” program.
Watch out for malicious advertising, aka malvertising
For many years, ransomware groups gained entry to an organization via macros in Microsoft documents that were downloaded from the internet. Now that Microsoft has blocked macros in its documents, cybercriminals have shifted their efforts to malvertising: realistic-looking advertisements and websites that bristle with malware.
A typical example of malvertising is a Google Search ad that mimics a famous brand like Amazon or Zoom. When an employee clicks on the fake ad, they are taken to a website that attempts to steal credentials from the user’s browser or computer.
Malvertising pays off for ransomware groups because it is harder to detect than a phishing email. Employees are also less aware that it exists and often have not been trained to recognize it. Yet it is costing companies untold millions of dollars each year.
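The brand-impersonation pattern described above (a lookalike domain standing in for Amazon or Zoom) can be caught on the defender's side by checking outbound web requests against a list of protected brands. The following is an added example, not code from the original article or from any vendor it mentions: it parses a constructed web-proxy log, strips common character substitutions from the requested domain, and flags hosts that embed or closely resemble a protected brand name. The log format, the brand list, and the hostnames are all assumptions made for the example.

```python
"""Flag proxy-log requests to domains that impersonate protected brands.

Added example, not from the original article. The log format, brand list
and homoglyph table below are constructed for illustration.
"""
from urllib.parse import urlparse

# Brands to protect, mapped to their legitimate registrable domain (constructed list).
PROTECTED = {"amazon": "amazon.com", "zoom": "zoom.us"}

# Character substitutions commonly used to build lookalike names.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed proxy log: timestamp, client IP, method, URL, status.
LOG = """\
2024-02-12T10:03:11Z 10.0.0.5 GET https://www.amazon.com/gp/cart 200
2024-02-12T10:04:02Z 10.0.0.7 GET https://arnazon.com/ap/signin 200
2024-02-12T10:05:40Z 10.0.0.9 GET https://zoom.us/download 200
2024-02-12T10:06:15Z 10.0.0.9 GET https://zoom-us-client.example/download 200
2024-02-12T10:07:30Z 10.0.0.5 GET https://example.org/news 200
"""


def normalize(label):
    """Lower-case a DNS label and undo common homoglyph substitutions."""
    label = label.lower()
    for fake, real in SUBSTITUTIONS:
        label = label.replace(fake, real)
    return label


def registrable(host):
    """Return the last two labels of a hostname, e.g. www.amazon.com -> amazon.com.

    Simplification: multi-part public suffixes such as co.uk are not handled.
    """
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance between two strings (simple dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return the impersonated brand name for a lookalike host, or None.

    A host is flagged when its normalized second-level label embeds a brand
    name, or is within one edit of a brand name at least five characters long
    (short brands are only matched as substrings to limit false positives).
    """
    reg = registrable(host)
    if reg in PROTECTED.values():
        return None  # the brand's own domain
    sld = normalize(reg.split(".")[0])
    for brand in PROTECTED:
        if brand in sld:
            return brand
        if len(brand) >= 5 and edit_distance(sld, brand) <= 1:
            return brand
    return None


def scan(lines):
    """Yield (host, brand) for each log line whose URL host impersonates a brand."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        host = urlparse(fields[3]).hostname
        if not host:
            continue
        brand = classify(host)
        if brand:
            hits.append((host, brand))
    return hits


if __name__ == "__main__":
    for host, brand in scan(LOG.splitlines()):
        print(f"lookalike of {brand}: {host}")
```

Running the block prints the two constructed lookalikes (`arnazon.com` and `zoom-us-client.example`) and stays quiet on the genuine `amazon.com` and `zoom.us` hosts. In practice the brand list would come from the organization's own inventory and a proper public-suffix library would replace the two-label shortcut.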
Zero-day exploits are a big business
Exploiting zero-day vulnerabilities at scale was one of the pivotal ransomware developments of 2023. The CLOP ransomware group perfected the tactic of using short, automated zero-day attacks to hit organizations around the globe simultaneously. Once CLOP had gained access to a victim’s network, it stole the organization’s data, and instead of encrypting the data and holding it for ransom, CLOP threatened to release the data on a data leak website if a ransom payment wasn’t forthcoming.
In January 2023, CLOP launched an automated attack on companies that use the GoAnywhere MFT secure file transfer tool. CLOP exploited a zero-day vulnerability to create unauthorized accounts in a victim’s network, which were used to steal data and install malicious tools. The details about the 100 or so victims who didn’t cough up a ransom began appearing on CLOP’s data leak site in March. Ouch!
AI: It’s just a matter of time
AI is the technology to watch. Exactly how ransomware groups are using it is not clear, but Palo Alto Networks’ Unit 42 has seen “signs that bad actors are using AI to attack organizations at a larger scale.”
One of these signs is that ransomware groups are cycling quickly through attack vectors, seeking new effective ways into a company’s network, according to Unit 42.
Unit 42 expects ransomware groups to use AI to be more effective. For instance, AI will make it less expensive and faster to execute numerous simultaneous attacks aimed at exploiting multiple vulnerabilities. Also, AI could be used to accelerate post-exploitation activities such as lateral movement and reconnaissance.
One of the most chilling pronouncements about AI-generated malware is that it could engage in “a long, slow-burn operation aimed at eventually finding a way into an organization—perhaps over a time period that a human would be unlikely to sustain.” For this and other reasons, now is the time for organizations to get proactive about security. Expecting a moat-and-wall style of defense to protect your castle no longer suffices.