Ransomware has consistently topped the security threat list in recent years, with notable incidents causing significant disruption. One such incident involved a major financial institution that paid a substantial ransom after an attack left billions of dollars in transactions unsettled and disrupted trillions in debt trading. This underscores the ongoing challenge ransomware poses, particularly to the financial system, and has prompted global banks to bolster their security defenses.

The primary techniques used by ransomware have evolved, with criminals continually refining their methods to increase effectiveness. This evolution is driven by three key factors: geopolitical influence, the specialization of criminals, and governmental and law enforcement attitudes towards these threats.

Geopolitics Sparks Cyberwar Crisis: Data Deletion Ransoms Surge, Ransomware Groups Split and Regenerate

For years, underground cyberwars related to geopolitics have been ongoing globally. As the Russia-Ukraine conflict intensifies, cyberwars have become increasingly explicit and fierce. Criminal gangs have preempted national actions by launching public strikes against their opponents’ critical infrastructures.

Experts have stated, “The growth rate of ransomware attacks appears to have slowed slightly, but that is just a false signal.” Currently, the world’s most powerful cybercrime groups are focusing their attacks on Ukraine’s critical infrastructure. Once the conflict ends, it is evident that all their technologies, tools, and resources will be rapidly deployed for ransomware attacks.

One of the negative impacts of the Russia-Ukraine war is the increasing destructiveness of ransomware. Ransomware attacks have surged across all industries, with attackers continually trying to stay ahead of vendors by developing new tactics, techniques, and procedures, riding the wave of data deletion.

There are two reasons why criminals adopt this technique: First, the damage to Ukraine’s critical infrastructure has triggered a chain reaction of related network disruptions, providing a natural opportunity for criminal gangs to employ data deletion ransoms. Second, since the goal is ransom, criminals also prefer more effective ransom methods, and data deletion ransom is one of them. Data deletion is faster than encryption and much easier to code, eliminating the need for complex public-private key handling and the provision of intricate decryption codes to recover data after victims pay the ransom. If data is destroyed and the enterprise has no backups, the choice is either to pay or lose the data. Moreover, with the increasingly strong investigative capabilities of law enforcement agencies, the greater the damage caused by criminal gangs after stealing data, the less likely they are to be detected.
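The point above has a defender-side consequence: a wiper leaves a different telemetry footprint (a burst of deletes with nothing written back) than an encryptor (each original deleted and a same-stem file with an extra extension written), so the two can be told apart from file-activity events alone. The following is an added example, not code from the article or from any vendor it names; the event format, process names, thresholds and sample events are all constructed.

```python
"""Heuristic triage of file-activity telemetry: flag a process as
'wiper' (mass deletion), 'encryptor' (delete original + write same stem
with an added extension) or 'benign'.  Constructed example, not from the
article; event schema is (timestamp_seconds, process, action, path)."""
from collections import defaultdict

# Constructed sample telemetry: a normal backup, one stray delete,
# a wiper-style burst and an encryptor-style rename-and-write burst.
EVENTS = (
    [(1000.0, "backup.exe", "write", "D:\\bak\\db-2024.bak"),
     (1001.0, "explorer.exe", "delete", "C:\\users\\a\\tmp.txt")]
    + [(1200 + i * 0.01, "svc.exe", "delete", f"C:\\share\\doc{i}.docx")
       for i in range(300)]
    + [(1500 + i * 0.02, "upd.exe", "write", f"C:\\share\\rpt{i}.xlsx.locked")
       for i in range(150)]
    + [(1500 + i * 0.02 + 0.005, "upd.exe", "delete", f"C:\\share\\rpt{i}.xlsx")
       for i in range(150)]
)

WINDOW = 60.0          # seconds covered by one sliding window (assumed)
DELETE_THRESHOLD = 100  # deletes per window that look like a wiper (assumed)
RENAME_THRESHOLD = 50   # delete+rewrite pairs per window for an encryptor (assumed)


def classify(events, window=WINDOW):
    """Return {process: verdict} using a per-process sliding time window."""
    by_proc = defaultdict(list)
    for ts, proc, action, path in events:
        by_proc[proc].append((ts, action, path))
    verdicts = {}
    for proc, evs in by_proc.items():
        evs.sort()
        verdict = "benign"
        for i, (t0, _, _) in enumerate(evs):
            deletes, deleted_paths, rewritten_stems = 0, set(), set()
            for ts, action, path in evs[i:]:
                if ts - t0 > window:
                    break
                if action == "delete":
                    deletes += 1
                    deleted_paths.add(path)
                elif action == "write" and path.count(".") >= 2:
                    # "rpt0.xlsx.locked" -> stem "rpt0.xlsx" (original name)
                    rewritten_stems.add(path.rsplit(".", 1)[0])
            # Check encryptor first: it also deletes many files.
            if len(rewritten_stems & deleted_paths) >= RENAME_THRESHOLD:
                verdict = "encryptor"
                break
            if deletes >= DELETE_THRESHOLD:
                verdict = "wiper"
                break
        verdicts[proc] = verdict
    return verdicts
```

Thresholds are deliberately simple; in practice they would be tuned per environment and combined with backup-integrity checks, since the text's point is that a wiper leaves no decryption path and only backups restore the data.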

Furthermore, volatile geopolitical situations pose other threats. Statistics show that a large-scale, deeply impactful cyber-virus epidemic occurs every six to seven years. The notorious WannaCry ransomworm once exploited the EternalBlue vulnerability to automatically spread to vulnerable machines. If ransomware organizations find a highly prevalent vulnerability, the likelihood of such incidents occurring may be significant. The current global tensions greatly increase the possibility of Shadow Brokers-style hacker leaks.

The current geopolitical situation may also bring an unexpected problem: the splitting and regeneration of ransomware organizations. Many large organizations are transnational, with different members having different geopolitical affiliations. In recent years, many large ransomware groups have collapsed, including the largest one, Conti. After the outbreak of the Russia-Ukraine war, Conti’s leadership leaned towards Russia’s political stance, triggering internal disputes. Ukrainian members separated from Conti, leaking internal documents, forcing Conti to shut down and change its name.

However, while old organizations fall, new ones continue to emerge. With leadership and branches going independent, retiring, and changing course, the collapse of Conti and the renaming of DarkSide demonstrate that changing identities can effectively avoid unwanted attention. Driven by profit, if this continues, the number of “newborn” ransomware organizations will surge dramatically.

Ransomware Functions Become Refined: RaaS and Strategic Adjustments in Parallel

Rise of Elite Criminal Gangs: Commercialization of the Ransomware Industry

Initially, it was just small-scale activities, but after years of evolution, the operational efficiency of these gangs has surpassed many Fortune 500 companies. Elite criminal gangs develop malware, lease it to third-party companies for a fee, reducing personal risk while reaping huge profits. This success will attract more gangs to follow the same path.

However, second-tier ransomware organizations and the affiliates that pay for RaaS may struggle against law enforcement agencies. Like playing whack-a-mole, RaaS organizations will surface, launch attacks, be taken down by law enforcement, disappear, and plot to resurface in the future. Instability within criminal organizations is also a significant factor in the rise and fall of different groups.

Evolution of Ransomware Attacks: Emergence of New Strategies, Small-Scale Targets, and Covert Techniques

As defenses against ransomware strengthen, attackers will continually change their strategies. Many will choose simpler, more marginal paths to obtain the same critical data. Increasingly, ransomware will use various effective methods to evade law enforcement, exploiting key vulnerabilities in commonly used applications such as Microsoft Exchange, firewall devices, and other widely used applications to expand their operations.

The focus of ransomware attacks will shift to smaller, less defended organizations. On one hand, larger organizations have stronger defenses; on the other hand, easy-to-operate ransomware continues to emerge. In the future, ransomware attacks will be smaller in scale and lower in amount, but broader in their target groups. Moreover, specialized attackers will adopt new attack techniques. Some can combine physical and network intrusions, using drones for close-range hacking attacks, such as installing tools on drones to capture WPA handshakes for offline cracking of Wi-Fi passwords, or even dropping malicious USB keys in restricted areas and waiting for someone to pick them up and insert them into a computer.

Experts believe that ransomware groups will increasingly target cloud services. As the use and dependence on cloud technology continue to surge, third-party supply chains provide more hiding places for those with criminal intentions. Targeting cloud providers can yield significant benefits for attackers, such as HEAT (Highly Evasive Adaptive Threat) attacks and other techniques that circumvent typical security stacks, not only bypassing traditional corporate security measures but also luring employees into their traps.

The persistence of ransomware will also increase. Criminals are beginning to use more covert techniques to profit. Criminal organizations like Elephant Beetle have proven that cybercriminals can infiltrate critical business applications of enterprises and remain undetected for months or even years while silently siphoning off tens of millions of dollars. A threat organization may lurk in the network of a Fortune 500 company for months or even years, stealthily stealing emails and accessing critical data. Only when the criminal organization threatens to transfer sensitive information to the dark web do these companies realize that their data has been stolen.

Economic Downturn Fuels the Growth of Ransomware Threats

Apart from the increasing complexity of existing criminal gangs, another threat deserves attention: the worsening global economic situation.

Firstly, as companies continue to cut costs and lay off IT personnel, more law-abiding individuals may be tempted by RaaS, potentially leading to more ransomware attacks by new potential criminals.

Secondly, companies, affected by the economic situation, will reduce their staff and cut security budgets. For senior management, cybersecurity spending may be seen as an additional expense rather than a fundamental expenditure for maintaining the company. These companies will reduce their budgets for cybersecurity tools or talent to cut costs, but this actually lowers their ability to detect and prevent data breaches, allowing crises to grow unnoticed.

Moreover, relying solely on law enforcement agencies is not enough. There needs to be a governmental-level effort to effectively combat ransomware organizations. While law enforcement agencies may destroy criminal infrastructures, criminal gangs will simply shift to new infrastructures to continue their crimes. The only way to stop ransomware is to block profit—if criminals have no profit, they will stop and try other methods, but this is not easy. As ransomware becomes more destructive, whether to pay the ransom or not can become a significant issue. If a company refuses to meet the criminals’ demands, leaving victims of stolen PII (Personally Identifiable Information) facing unknown risks, any department that prohibits ransom payments will become a target of criticism.

Conclusion: Proactive Defense Against Ransomware Is a Race for the Initiative

Ultimately, overcoming ransomware depends more on the network defense capabilities of each company. However, even the strongest defenses cannot guarantee 100% resistance to ransomware gang infiltration.

Therefore, we usually recommend that companies start proactive defenses as early as possible. The goal of proactive defense is to seize the initiative.

On one hand, companies must race against attackers, preparing defenses before becoming targets and validating their ability to resist the most popular or latest attack methods.

On the other hand, it’s a race against other potential targets. Being the first to validate security effectiveness allows companies to gain an early advantage in the ubiquitous attacks of ransomware gangs.

In the current intense security landscape, companies must enhance their security defenses in a targeted manner, strengthening and improving their weaknesses. SaiXun Validation approaches this from the attacker’s perspective, using real attack methods to validate corporate defenses and precisely locate security shortcomings.

It is particularly important to note that even seemingly minor defense failures need to be promptly identified and fixed. Slow responses are tantamount to giving attackers a green light, making companies more vulnerable to repeated attacks by criminal gangs.

For more information about digiDations’ Security Validation Platform, please follow us or email us at mkt@digidations.com.