October 7, 2015 By Chris Poulin 3 min read

Ransomware has worked for cybercriminals for many years, and it continues to be a valuable tool in their arsenal. A recent post on Security Intelligence discussed the trend of attackers reverting to older techniques to deliver ransomware to the employee endpoint. But now it’s time to look ahead at the future of ransomware.

Following a Pattern

A good place to start when predicting the future of ransomware is the broader history of malware in general. In light of the way malware has evolved, especially in recent years, the clear next step is likely for ransomware to become situationally aware. Dyre, first discovered in 2014, is a perfect example of a malware that started out as a simple banking Trojan and then quickly developed situational awareness — which led to its becoming substantially more dangerous

Earlier this year, IBM was a key player in identifying a new tactic, which we called Dyre Wolf. Marking a significant break with previous encounters with Dyre, the Dyre Wolf attacks included a social element in which users on an infected endpoint would visit a particular website and get an error message instructing them to call their bank to verify certain personal details. In reality, the message was provided by the attackers and led victims directly to them.

The evolution from Dyre to Dyre Wolf reveals that malware authors and attackers are no longer satisfied with sending out a phishing email and capturing the credentials of 1 or 2 percent of its recipients. Instead, they are developing more sophisticated tools and social engineering tactics to ensure they can target not only key organizations, but key individuals within those organizations.

The Future of Ransomware

When an enterprise gets infected by ransomware today, it has to pay the going rate to get its information released. A mom-and-pop shop that gets infected pays, say, $700 per item to have its data released; a Fortune 100 company that gets infected has to pay that same $700. Right now that number is identical, but clearly the capacity to pay is much larger in a corporate environment than it is in a two- or three-person small business. This is an area in which more situationally aware ransomware could wreak havoc.

Read the complete IBM research paper to learn more about ransomware

Given its past success, traditional ransomware seems destined to continue to thrive on unprotected endpoints. It may even become more lucrative by incorporating social engineering and other advanced attack methods. Ransomware will likely also look to new playing fields such as the Internet of Things (IoT).

When discussing the security of connected cars, for example, the focus is usually on data protection, privacy or, of course, physical safety. But there’s no reason to think new types of ransomware schemes won’t play a role here, as well. If attackers do manage to hack an autonomous car, they could potentially take control, brick the engine and demand a ransom of, say, 10 or 20 bitcoins to release the car. Such a scheme would be relatively easy for a cybercriminal with the right tools and simultaneously disastrous for victimized individuals, organizations and economies.

In terms of general malware trends but also specifically with ransomware, we see a lot of generic malware out there, but we also see some malware that very clearly is trying to stay ahead of the pace of our existing network tools and even new tools that are being developed. This has been the case for 10 or even 15 years, and it’s not likely to change. In such an environment, a successful organization is one that doesn’t rely exclusively on security tools, but rather has a proactive mindset when it comes to protecting assets.

If you’re not threat hunting and proactively preparing for a potential security event, you’re setting yourself up for a rude awakening. You do want to continue to build up your castle wall to keep threats out, but it’s also crucial to plan your response for dealing with ransomware and any other threats that manage to get in.

More from Malware

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

ITG10 likely targeting South Korean entities of interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

Ransomware renaissance 2023: The definitive guide to stay safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today