Threat Actors Shift Tactics, Targets As Ransomware Evolves

January 25, 2022 - Threat actors are leveraging Ransomware-as-a-Service (RaaS) models, double extortion, and software vulnerability exploits over traditional data encryption, a new report by Abnormal Security discovered. As threat actors broaden their scope and preferred tactics, the threat of ransomware is evolving.

“One of the biggest things to keep in mind is that the way ransomware is delivered is very different than it was even two or three years ago,” Crane Hassold, director of threat intelligence at Abnormal Security, explained in an interview with HealthITSecurity.

“The ransomware landscape is relatively industry agnostic, and a lot of these actors are simply looking for money, and they don't really care where they get it from.”

Researchers identified and studied 4,200 organizations across a variety of sectors that had fallen victim to a ransomware attack in 2020 or 2021. Smaller organizations accounted for a large portion of the total attacks, but larger enterprises produced bigger payouts, the report found.

Although healthcare has been hit particularly hard by ransomware in recent years, only 6.7 percent of the report’s observed attacks were targeted at the healthcare sector. Behind manufacturing, which accounted for roughly 20 percent of the total observed attacks, there was no one sector that eclipsed the rest in terms of attack volume.

This lower-than-expected percentage does not necessarily mean that threat actors are shying away from targeting the healthcare sector. Instead, Hassold posited, threat actors now have more industries and organizations to choose from.

“When ransomware first really exploded back in 2016, healthcare was a major focal point for a lot of those threat actors, primarily because hospitals and medical centers need to have constant access to data in order to remain effective,” Hassold explained.

“A lot of these ransomware actors have moved from purely data encryption to extortion. That sort of changes the game as to who is a more valuable target. If it was still just about locking up information and preventing access, I think healthcare would still be at the top of the list. But now, it’s also about leaking data. That sort of widens the scope of the potential industries that are impacted.”

The report identified three major drivers to ransomware’s transformation: RaaS, extortion, and cryptocurrency. The RaaS model allows cybercrime groups to develop their own ransomware product and license it to other cybercriminals.

This tactic is particularly attractive to threat actors because it allows them to distance themselves from the attack and focus on monetization. It also allows less sophisticated threat actors to launch attacks without having specific technical knowledge.

Extortion has also raised the stakes in recent years. Rather than just encrypting data and demanding a ransom, threat actors are downloading files and using them as leverage in ransom negotiations. If organizations refuse to pay, the cybercriminals threaten to publish the file online.

“Now it's not good enough to back up all of your data. You have to make sure that you're preventing that initial infection, because if you don't, then you have to worry about not only not having access to data but also potentially leaking sensitive information as well,” Hassold emphasized.

Lastly, the convenience and anonymity of cryptocurrency have allowed threat actors to obtain large sums of money without physical barriers.

The findings largely indicated that as ransomware evolves, organizations must adapt their security programs to prepare for a variety of sophisticated attack methods. The report also stressed that every organization, regardless of sector or size, is at risk from ransomware to some extent.

“I think that one of the biggest myths that we saw being deconstructed in our report, is that there's this perception out there that ransomware victims are all these big, massive targets when in reality, it's pretty clear that that's not the case and there are a lot of small businesses and small organizations that are being impacted by ransomware attacks every single day,” Hossold observed.

For healthcare entities, ransomware attacks can have particularly debilitating effects on care continuity and patient privacy. From outpatient facilities to family practices to large health systems, every healthcare organization must prioritize cybersecurity.