Ransomware: Cybercriminals are becoming more professional

Cybercriminals are profit-oriented, much like companies, and continue to professionalize and rationalize their attack methods. That's why 2024 will be another year of ransomware.

In 2024, the ransomware industry is expected to become more opportunistic, said Martin Zugec, Technical Solutions Director at Bitdefender. This trend culminated in the CitrixBleed attack in 2023. Security experts at Bitdefender Labs expect the following trends to dominate ransomware activity this year:

1. Accelerated exploitation of zero-day exploits

Cybercriminals who use automated scans rationally and efficiently to look for gaps in victim networks will attempt to exploit the discovered vulnerabilities for profit within 24 hours. After a manual analysis, they select the optimal attack tools. To act faster and stay ahead of companies' increasingly prioritized patching measures, actors with the appropriate IT skills and resources are investing in real zero-day vulnerabilities and no longer waiting for proof-of-concept (PoC) code.

Ransomware groups continue to focus on enterprise applications. This software is not updated as quickly or as automatically as end-user solutions such as browsers or office software. Cybercriminals try to stretch the time window that results from this more conservative update approach as far as possible. The process that access brokers or ransomware affiliates need to prioritize attack opportunities gives defenders the opportunity to identify and mitigate the threat. Companies will therefore soon focus more on risk management.

2. Cybercriminals aren't picky about the industry they target - game developers

The selection of possible attack targets and the approach depend on the industry or company size. Ransomware groups are increasingly able to understand the risk profiles of their victims. Manufacturing and similar industries that depend on continuous operations are prime targets for encrypting the information they need to keep running, while healthcare or law firms are easier targets for data theft. The experts at Bitdefender Labs expect an increase in attacks on game developers in 2024.

Small or medium-sized companies with inherently limited ransom potential serve as a source of business connections through which attacks can be scaled. This often occurs via VPN/VDI connectivity or via compromised business emails. Knowledge of existing links that can be used to extend attacks to the largest possible target group is the most valuable asset for ransomware affiliates in this group of victims. Indirect attacks via the supply chain are becoming more efficient and more promising.

3. Modernized off-the-shelf code

High-quality ransomware code will become mainstream in 2024. Ransomware developers are increasingly using Rust as their primary programming language. Rust makes it possible to write more secure code, and reverse engineering and analyzing these attacks is difficult for security analysts. Rust also allows hackers to compile code for different operating systems. While ransomware for macOS isn't expected, this does make hypervisors and other server workloads more frequent and easier targets.

In the future, ransomware code will favor intermittent partial encryption and gradually move to quantum-resistant methods such as NTRU encryption. The intermittent method makes it more difficult for security tools to detect attacks because the partially encrypted file is statistically similar to the original. In addition, ransomware can now encrypt more files faster.
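
Added example (not from Bitdefender or the original article): why a whole-file entropy check misses an intermittently overwritten file while a per-block check does not. The block size, threshold, sample log line and the SHA-256-based random filler are assumptions, constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096        # analysis window in bytes (assumed value)
THRESHOLD = 7.5     # bits/byte treated as "looks encrypted" (assumed value)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of fixed-size blocks whose entropy reaches THRESHOLD."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    if not blocks:
        return 0.0
    return sum(shannon_entropy(b) >= THRESHOLD for b in blocks) / len(blocks)

def random_like(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler (SHA-256 over a counter), standing
    in for ciphertext so the sample is reproducible. Not real encryption."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def build_samples(blocks: int = 64, stride: int = 8):
    """Constructed test data: a text file, the same file with every
    `stride`-th block overwritten by random-like bytes, and a fully
    random-like file of the same size."""
    line = b"2024-01-15 12:00:00 INFO service=billing status=ok latency_ms=12\n"
    size = blocks * BLOCK
    original = (line * (size // len(line) + 1))[:size]
    partial = bytearray(original)
    for i in range(0, blocks, stride):
        partial[i * BLOCK:(i + 1) * BLOCK] = random_like(BLOCK, bytes([i]))
    return original, bytes(partial), random_like(size, b"full")

if __name__ == "__main__":
    for name, data in zip(("original", "partial", "full"), build_samples()):
        print(f"{name:9s} whole-file={shannon_entropy(data):.2f} bits/byte  "
              f"high-entropy blocks={high_entropy_ratio(data):.3f}")
```

On the partial sample the whole-file entropy stays below the threshold, while the per-block ratio exposes the overwritten eighth of the file. Compressed and legitimately encrypted formats also score high per block, so the ratio is one signal to combine with others, such as the rate of file modifications.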

4. Move away from encryption towards data theft

The trend towards data exfiltration continues, apart from production and manufacturing. Groups such as CL0P, BianLian, Avos, BlackCat, Hunters International and Rhysida are pioneers of this trend.

Threatening to forward, sell, or disclose data carries the potential for higher ransom payments. After information theft, victims have two options: they can try to ensure the confidentiality of the data (by paying) or accept that the attackers will publish it. With encryption, however, various options are available, such as restoring information from backups, although not 100 percent.

On the other hand, when stealing or disclosing data, cybercriminals can pose as involuntary penetration testers and offer to handle breaches discreetly. These are softer factors than when encrypting information, where hackers may irretrievably destroy data. The blackmailers exploit their knowledge of compliance requirements to generate ever higher ransoms.

5. Cybercriminal industry is looking for skilled workers

Competition between criminal ransomware groups will intensify. Therefore, they are looking for suitable personnel. Not only are technical skills required to carry out attacks, but also knowledge of cyber insurance, compliance and legal regulations in order to maximize ransoms. This opens opportunities for non-technical specialists to join the growing criminal ecosystem.

In the ransomware-as-a-service market, an organization's reputation plays an increasingly important role. Groups with operational problems are therefore likely to rename themselves. Nevertheless, they will find it difficult to recruit suitable affiliate partners under the new “brand”, especially after several failures. Some cybercriminals may decide in the future to sell their remaining assets to others and then disband, as seen in the examples of Hive and Hunters International.

6. Disrupting state-controlled cybercrime

In 2024, ransomware actors who act opportunistically and for profit will also adopt tools and techniques that were previously known from state-sponsored attackers. Governments that have previously tolerated these groups may need to establish rules of engagement. This is especially true when cybercriminal operations begin to cause conflict with allied countries or undermine the interests of their own government.

Ransomware business models have evolved significantly since 2017. Attackers and victims of every industry and size are currently witnessing an enormous transformation in this area. In view of increasingly sophisticated attacks, victims have no choice but to not only use tools such as Extended Detection and Response (XDR), but also to further expand their skills and capabilities in defense, for example through Managed Detection and Response (MDR).

About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de


 
