Maria Korolov
Contributing writer

The state of ransomware: Faster, smarter, and meaner

Feature | Mar 25, 2024 | 17 mins
Topics: Phishing, Ransomware

The ransomware business hit record highs in 2023 despite falling payment rates, as attackers scaled up the number of attacks and new AI weapons were brought to bear on both sides of the war, promising to make an even bigger impact this year.


Ransomware payments hit $1.1 billion in 2023, a record high and twice what they were in 2022. The frequency, scope and volume of attacks were all up, as was the number of independent groups conducting the attacks, according to a report by Chainalysis.

“We’re tracking dozens more groups than we used to,” Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, tells CSO. “And a lot of these groups are taking experience from one operation and starting their own operation in the back of it, often in the wake of law enforcement activity.” With more business activities taking place online, there are more potential victims for ransomware, Morgan says. Plus, there are some countries where law enforcement has limited jurisdiction, a vacuum of opportunity for groups to emerge.

The size of each individual payment is also up, with more than three quarters of all payments totaling $1 million or more — up from just over half in 2021. The only bright spot last year was that more victims refused to pay ransoms and restored from backups instead. According to Coveware, only 29% of victims paid up in the fourth quarter of 2023, a record low — and down from 85% in 2019. Similarly, cyber insurance claims data from Corvus Insurance shows that only 27% of victims pay ransoms.

Phishing remains the top way into an organization

Phishing remains a top attack vector for ransomware. “There are a number of ways that ransomware groups facilitate the initial access and social engineering is the one we see the most of,” says ReliaQuest’s Morgan. “It’s overwhelmingly phishing and spear phishing.”

According to the IBM X-Force threat intelligence report released in February, phishing emails were the initial access vector in 30% of all ransomware attacks. Compromised accounts tied for first place, also at 30%, followed closely by application exploits at 29%.

Despite all the phishing simulations and security awareness training, users don’t seem to be getting better at spotting phishing emails. According to Fortra’s global phishing benchmark report, also released in February, 10.4% of users click on a phishing email, up from 7% a year ago. And, of those who click, 60% give up their passwords to the malicious site.

“I just don’t think that training programs work,” says Brian Spanswick, CISO and head of IT at Cohesity. “We do phishing simulations every quarter, but my percentages stay the same — and there’s no pattern about who did and didn’t click. Now with AI making social engineering attacks so much cleverer, my confidence is even lower.”

Even though users are trained in cybersecurity and warned that there will be a phishing simulation happening, 17% still click, Spanswick says. “We’ve been at it for a couple of years, and it seems pretty constant, right around there. And at my previous company, it was the same. And the industry standard is the same.” The solution is to put controls in place to keep those emails from getting through in the first place, and to limit their impact when they do: for example, denying users administrative privileges on their laptops, blocking them from downloading video games or attaching storage devices, and making sure the environments are segmented.

AI-backed phishing

The increasing sophistication of social engineering attacks is a particular concern. Spanswick says he’s seen a clear increase in AI-generated phishing attempts, or at least attempts that are very likely AI-generated. “They may have hired better English majors and read a bunch of press releases from the CEO to get a sense of the tone he uses,” he says. “But it’s significantly more likely that they’re using generative AI.”

According to IBM X-Force, a human-crafted phishing email takes an average of 16 hours to create. By comparison, AI can generate a deceptive phish in five minutes.

There was a time when phishing emails were relatively easy to spot, says Elliott Franklin, CISO at Fortitude Re, a company that provides insurance to other insurance companies. “It used to be that you’d just look for the misspelled words.” Now, the bad guys are using AI to create these messages — and the improvements go far beyond having perfect grammar.

“They’re using AI to check LinkedIn and know to the second when someone changes jobs,” Franklin says. “Then they send them an email welcoming them, from the CEO of that company.” They’re sending pitch-perfect emails asking employees to re-authenticate their multi-factor authentication, he says. Or asking them to sign fake documents. With generative AI, the emails can look absolutely real.

Plus, when you add in all those compromised accounts, then the return email address could be completely real, as well. “Most of our users get a couple of hundred emails a day,” Franklin says. “So, you can’t blame them for clicking on those links.”

And AI doesn’t just let attackers perfectly mimic an executive’s writing style. This January, a deep-faked CFO on a video conference call convinced a finance worker in Hong Kong to send a $25 million wire. There were several other staffers on the call — staffers the finance worker recognized — who were all AI fakes as well.

That worries Franklin because today, when a Fortitude Re employee wants a password reset, they need to do a video call and hold up their ID. “That’s going to work for a while,” says Franklin. But eventually the technology will be easy and scalable enough that any hacker can do it. “Ultimately, that’s what we will have,” he says.

Fortitude Re is tackling the problem on several fronts. First, there are business risk mitigation processes. “We can’t slow our business partners down but we absolutely have to have a written and enforced policy. Say, here, you’ve got to call this person, at this number, and get approval from them — and you can’t just send an email or text. Or you have to go to our company document management system — not an email, not a text, not a direct message on WhatsApp,” said Franklin. Employees are starting to realize that this is important and worth the effort.

Then there’s the basic blocking and tackling of cybersecurity. “That’s the old stuff that people don’t want to talk about anymore. Patching. Identity and access management. Vulnerability management. Security awareness.” It may be old stuff, but if it was easy to do, he wouldn’t have his job, Franklin says. And it all must be done within the budget and with the people he has.

Finally, to deal with the latest evolution in ransomware, Franklin’s fighting fire with fire. If the bad guys are using AI, so can the good guys. In the past, the company used Mimecast to defend against phishing emails. But in mid-2023, Fortitude Re switched to a new platform that uses generative AI to detect the fakes and help protect the company against ransomware. “Email is the primary source of ransomware attacks, so you have to have a good, solid, email security tool that has AI built in.”

The old-school approach is to look at specific indicators, like bad IP addresses and specific keywords. That’s not enough anymore. “The bad guys have copies of the email security solutions and they can tell what’s blocked and what isn’t,” Franklin says. That means that they can get around traditional filtering.

Today, an email security tool must be able to read the entire message and understand the context surrounding it — like the fact that the employee who is supposedly sending it is on vacation, or that the email is trying to get a user to take an urgent, unusual action.

Ironscales automatically filters out the worst emails, puts warning labels on others that have suspicious content, and uses generative AI to understand the meaning of the words, even if specific keywords aren’t there. Mimecast and Proofpoint have long been the gold standard for email security, says Franklin. “They owned the market, and I was a huge Proofpoint fan and implemented it at a lot of companies. But I don’t think they’re really innovating right now.”

Another example of a trick the bad guys are using is to include a QR code in the phishing email. Most traditional security tools won’t catch it. They just see it as another harmless embedded image. Ironscales can spot QR codes and see if they’re malicious, which was the feature that “really sold us on the program,” Franklin says.

Greg Pastor, director of information security at Remedi SeniorCare, a pharmacy services provider, expects ransomware attacks to continue to increase this year. “We have to fight AI with AI,” Pastor tells CSO. Instead of traditional signature-based antivirus, he uses AI-powered security tools to prevent ransomware attacks, tools like managed detection and response and endpoint detection and response.

In addition, the company uses browser isolation tools from Menlo Security and email security from Mimecast. But, just in case anything still gets through, there’s a plan. “We have a comprehensive incident response program where we simulate a ransomware attack. We’re definitely posturing up for AI attacks,” Pastor says. “The attackers will be integrating AI into their ransomware-as-a-service tools. They’d be stupid not to. You’re not going to make any money as a cybercriminal if you’re not keeping up with the Joneses. It’s a continuous cycle — on the company side, the vendor side, and the cyber criminals.”

Another company that uses AI to defend against ransomware is document storage company Spectra Logic. It now has tools from Arctic Wolf and Sophos that automatically detect suspicious behaviors, according to Tony Mendoza, the company’s vice president of IT. “We try to keep ourselves ahead of the game,” he says. And he has to. “Now I’m seeing way more AI-based attacks. The threat actors are leveraging AI tools that are available to everyone.”

In 2020, when the company’s teams first went remote during the pandemic, the company was hit by a social engineering attack. Someone opened an email they shouldn’t have and attackers obtained access. The attack propagated quickly through the company’s network. Infrastructure was 99% on-prem, he says. “Interconnected. Not segregated. All of our systems were live, transactional systems, incredibly fast — they could propagate a virus in a flash.”

They even compromised the backups and the software used to make the backups. “They wanted $3.6 million in three days,” says Mendoza. “It’s the most stressful situation I’ve ever had in my career.” Luckily, the company also had snapshots, air-gapped and secure from attack, of both data and systems. “So, we immediately cut off communications with them.”

Now, Mendoza says, he’s more proactive. “I understand it will happen again. No security is 100%, especially with AI-based attacks.” Since then, Spectra Logic has invested in security infrastructure, network segmentation, full encryption, anomaly detection that can automatically quarantine devices, an incident response framework, and cyberattack recovery plan. Previously, it only had a recovery plan for a physical disaster.

And anomalies show up a lot, he says — thousands of times a day. “In the past, we’d have to look at it and make a human decision, maybe cut a person off the network if they’re suddenly connecting from North Korea.” But with the volume of incoming threats being so high, only AI can respond quickly enough. “You have to have an automated tool in place.” There were false positives in the beginning, he says, but the systems learned, as AI systems do.
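The kind of automated decision Mendoza describes (flag a login from an unexpected country, or from two countries too close together in time, and quarantine the account) can be expressed as a small rule engine over authentication logs. The following is an added example written for this article, not Spectra Logic’s tooling or any vendor’s product; the log format, the field names, the allowed-country list and the sample lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample auth log lines (not from the page); the format is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice src=203.0.113.10 country=US result=success
2024-03-01T08:15:40Z user=alice src=203.0.113.10 country=US result=success
2024-03-01T08:20:05Z user=alice src=198.51.100.7 country=KP result=success
2024-03-01T09:00:00Z user=bob src=192.0.2.44 country=US result=success
2024-03-01T09:01:00Z user=bob src=192.0.2.44 country=US result=failure
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>\S+)"
)


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    country: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["src"], m["country"], m["result"]))
    return events


def detect_anomalies(events, allowed_countries, max_travel_minutes=60):
    """Return (user, reason, event) triples for successful logins that break a rule.

    Rule 1: the source country is not on the organisation's allow-list.
    Rule 2: the same user appears from two different countries closer together
            than max_travel_minutes ("impossible travel").
    """
    findings = []
    last_seen = {}  # user -> (timestamp, country) of the previous successful login
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result != "success":
            continue  # failed attempts are noise for these two rules
        if ev.country not in allowed_countries:
            findings.append((ev.user, "disallowed_country", ev))
        prev = last_seen.get(ev.user)
        if prev is not None:
            prev_ts, prev_country = prev
            minutes = (ev.ts - prev_ts).total_seconds() / 60
            if prev_country != ev.country and minutes < max_travel_minutes:
                findings.append((ev.user, "impossible_travel", ev))
        last_seen[ev.user] = (ev.ts, ev.country)
    return findings


def users_to_quarantine(findings) -> set[str]:
    """The automated response: every user with at least one finding is cut off."""
    return {user for user, _reason, _ev in findings}


if __name__ == "__main__":
    found = detect_anomalies(parse_log(SAMPLE_LOG), allowed_countries={"US"})
    for user, reason, ev in found:
        print(f"{ev.ts.isoformat()} {user} {ev.src} {ev.country}: {reason}")
    print("quarantine:", users_to_quarantine(found))
```

In production the allow-list would come from HR or identity data rather than a literal, and the quarantine step would call the network access control or identity provider API; the two rules shown are the simplest form of the behavioural check the quote describes, and they are also where the early false positives Mendoza mentions come from (a legitimate traveller, a VPN exit node in another country), which is why the rules are tuned over time rather than fixed.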

Rise of “triple extortion”

According to the NCC Threat Monitor report for 2023, notable trends included the rise of “triple extortion” attacks. Attackers encrypt data and hold it hostage. But as more and more victims simply restore from backups, attackers are also exfiltrating the data and threatening to release it publicly. Completing the triple, attackers also notify regulators about the attacks and contact victims directly, to put additional pressure on organizations to pay up.

And it gets even worse. A criminal group known as Hunters International breached Seattle’s Fred Hutchinson Cancer Center in late 2023, and when the center refused to pay a ransom, the attackers threatened to “swat” cancer patients. They also emailed patients directly to extort additional money from them. “Hunters International are really trying to apply the pressure,” says Josh Smith, security analyst at Nuspire, a cybersecurity firm. “They’re doubling down on their extortion tactics. The fact that they’ve escalated to this point is very alarming.”

In 2024, other ransomware groups may follow suit if these tactics prove successful. “I do unfortunately believe that we’ll see more of this,” Smith says.

Faster vulnerability exploits

Attackers also doubled down on exploiting new vulnerabilities in 2023. Both the phishing and the vulnerability-based attack strategies are likely to remain popular in 2024, Smith says. “They like the lowest-hanging fruit, the least amount of effort. While phishing is still working, while vulnerabilities are still working, they’ll keep doing it.”

In fact, when cybersecurity firm Black Kite analyzed the experience of 4,000 victims, exploiting vulnerabilities was the number one attack vector. “They have automated tools for mass exploitation,” says Ferhat Dikbiyik, Black Kite’s head of research. “Last year they got into Boeing and other big companies.”

Take, for example, the MOVEit attacks. This was a cyberattack that exploited a flaw in Progress Software’s MOVEit managed file transfer product. Ransomware group Cl0p began exploiting the zero-day vulnerability in May, getting access to MOVEit’s customers. The attacks were devastating, says Dikbiyik. “We identified 600 companies that were open to this vulnerability that were discoverable by open-source tools — and the attackers attacked all of them.”

According to Emsisoft, as of February 2024, the total number of organizations impacted by this vulnerability was over 2,700 and the total number of individuals was more than 90 million.

In January, Black Kite released a new metric, the ransomware susceptibility index, which uses machine learning to predict a company’s exposure to ransomware based on data collected from open source intelligence as well as public-facing vulnerabilities, misconfigurations, and open ports. “Of all the companies that have an index of 0.8 to 1, 46% experienced a successful ransomware attack last year,” Dikbiyik says. “That shows that if you are waving flags to pirate ships in the oceans, you will get hit. The best way to battle these guys is to be a ghost ship.”

There is some positive news about zero days. According to the IBM X-Force report, there was a 72% drop in zero days in 2023 compared to 2022, with only 172 new zero days. And, in 2022, there had been a 44% drop compared to 2021. However, the total number of cumulative vulnerabilities passed 260,000 last year, with 84,000 of them having weaponized exploits available.

Since many organizations still lag in patching, however, vulnerabilities continue to be a major attack vector. According to IBM, exploits in public-facing applications were the initial access vector in 29% of all cyberattacks last year, up from 26% in 2022.

Rust, intermittent encryption, and more

The pace of innovation on the part of ransomware criminal groups has hit a new high. “In the past two years, we have witnessed a hockey stick curve in the rate of evolution in the complexity, speed, sophistication, and aggressiveness of these crimes,” says John Anthony Smith, CSO and founder of cybersecurity firm Conversant Group.

And the breaches that took place in 2023 demonstrate these threats. “They have combined innovative tactics with complex methods to compromise the enterprise, take it to its knees, and leave it little room to negotiate,” Smith says.

One sign of this is that dwell time — the length of time from first entry to data exfiltration, encryption, backup destruction, or ransom demand — has dramatically shortened. “While it used to take weeks, threat actors are now often completing attacks in as little as four to 48 hours,” says Smith.

Another new tactic is that attackers are evading multifactor authentication by using SIM swapping attacks and token capture, or by taking advantage of MFA fatigue on the part of employees. Once a user has authenticated, tokens are used to authenticate further requests so that they don’t have to keep going through the authentication flow. Tokens can be stolen with man-in-the-middle attacks. Attackers can also steal session cookies from browsers to accomplish something similar.

A SIM swapping attack allows ransomware gangs to get text messages and phone calls intended for the victim. The use of personal devices to access corporate systems has only increased these security risks, Smith adds.

According to Shawn Loveland, COO at Resecurity, ransomware attackers continued their use of vulnerabilities in public-facing applications, using botnets, and “living off the land” by using legitimate software and operating system features during an attack. But there were also some new technical aspects of attacks last year, he says.

For example, ransomware developers are now increasingly using Rust as their primary programming language because of its security features and the difficulty of reverse engineering it. “This is a significant development in the field,” Loveland says. There is also a new trend towards intermittent encryption, which encrypts only parts of each file. “This makes detection more challenging, but the encryption process faster.”
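Why intermittent encryption makes detection harder is easy to show with numbers: a detector that looks at the entropy of a whole file sees a partially encrypted file as only moderately random, because most of its bytes are still plaintext. The added example below (written for this article, not taken from any ransomware sample or security product) builds a constructed file in which every fourth 4 KiB block is replaced by random bytes standing in for ciphertext, then compares the whole-file entropy with per-block entropy; the block size, the 7.5 bits-per-byte threshold and the sample content are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096      # assumed block size for the per-block check
HIGH_ENTROPY = 7.5     # bits per byte; 8.0 is the maximum for uniformly random data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size block, so encrypted regions stand out."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes) -> dict:
    """Compare the whole-file view with the per-block view and give a verdict."""
    per_chunk = chunk_entropies(data)
    high = [i for i, e in enumerate(per_chunk) if e >= HIGH_ENTROPY]
    if not high:
        verdict = "plaintext"
    elif len(high) == len(per_chunk):
        verdict = "fully_encrypted"
    else:
        verdict = "partially_encrypted"   # the intermittent-encryption case
    return {
        "whole_file_entropy": shannon_entropy(data),
        "high_entropy_chunks": high,
        "verdict": verdict,
    }


def random_block(rng: random.Random, size: int = CHUNK_SIZE) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    return bytes(rng.getrandbits(8) for _ in range(size))


def build_sample(seed: int = 1234, total_chunks: int = 16, encrypted_every: int = 4) -> bytes:
    """Constructed document: repetitive text with every N-th block 'encrypted'."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue and expenses by region. " * 100)[:CHUNK_SIZE]
    chunks = [random_block(rng) if i % encrypted_every == 0 else text
              for i in range(total_chunks)]
    return b"".join(chunks)


if __name__ == "__main__":
    sample = build_sample()
    result = classify(sample)
    print(f"whole-file entropy: {result['whole_file_entropy']:.2f} bits/byte")
    print(f"high-entropy blocks: {result['high_entropy_chunks']}")
    print(f"verdict: {result['verdict']}")
```

The whole-file figure for the sample stays well under the 7.5 threshold even though a quarter of the file is unreadable, which is exactly the blind spot the quote refers to; the per-block list pinpoints the encrypted regions. A real endpoint detector would combine this with behavioural signals (a process rewriting many files in quick succession, renamed extensions), since compressed or already-encrypted legitimate files also score high on entropy.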

Be ready for more ransomware as a service

Every cybersecurity expert expects ransomware attacks to continue to grow as threat actors scale up their operations while enterprises continue to beef up their defenses. But one segment of the cybercriminal economy that might be in for a change is that of ransomware-as-a-service providers.

These systems typically work like this: the provider creates the ransomware toolset, and individual affiliates send out the phishing emails and negotiate the ransoms. There’s a degree of isolation between the two groups to create resiliency and insulation from law enforcement. But authorities have recently indicated that they will be going after the affiliates. Plus, the affiliates themselves have turned out to be a security risk for the central ransomware provider.

“With the takedown of LockBit, there’s going to be a lot of consideration by cybercriminals to be more hesitant about the affiliate-based system,” says Drew Schmitt, practice lead in the GRIT threat intelligence unit at GuidePoint Security.

And sharing money with affiliates also cuts into the profits of the central ransomware group. “If they could use generative AI for negotiations, they could expand their efficiency,” Schmitt says. That would leave just the core group of ransomware operators and no affiliates, lowering total operational costs for the threat actors. “That’s something that we’re looking at.”

If it does happen, it will probably take a few years before we see the full impact of this change. LockBit, the top ransomware operator in 2023, was taken down by authorities in February. At the time of the takedown, the group had about 180 affiliates. There was hope that the takedown would put a dent in ransomware for 2024, but Zscaler ThreatLabs was already observing new LockBit ransomware attacks just a week after the takedown. And, according to BleepingComputer, LockBit has updated its decryptors, brought new servers online, and is already recruiting new pentesters.