Ransomware has worked for cybercriminals for many years, and it continues to be a valuable tool in their arsenal. A recent post on Security Intelligence discussed the trend of attackers reverting to older techniques to deliver ransomware to the employee endpoint. But now it’s time to look ahead at the future of ransomware.

Following a Pattern

A good place to start when predicting the future of ransomware is the broader history of malware in general. In light of the way malware has evolved, especially in recent years, the clear next step is likely for ransomware to become situationally aware. Dyre, first discovered in 2014, is a perfect example of malware that started out as a simple banking Trojan and then quickly developed situational awareness, which made it substantially more dangerous.

Earlier this year, IBM was a key player in identifying a new tactic, which we called Dyre Wolf. Marking a significant break with previous encounters with Dyre, the Dyre Wolf attacks included a social element in which users on an infected endpoint would visit a particular website and get an error message instructing them to call their bank to verify certain personal details. In reality, the message was provided by the attackers and led victims directly to them.

The evolution from Dyre to Dyre Wolf reveals that malware authors and attackers are no longer satisfied with sending out a phishing email and capturing the credentials of 1 or 2 percent of its recipients. Instead, they are developing more sophisticated tools and social engineering tactics to ensure they can target not only key organizations, but key individuals within those organizations.

The Future of Ransomware

When an enterprise gets infected by ransomware today, it has to pay the going rate to get its information released. A mom-and-pop shop that gets infected pays, say, $700 per item to have its data released; a Fortune 100 company that gets infected has to pay that same $700. Right now that number is identical, but clearly the capacity to pay is much larger in a corporate environment than it is in a two- or three-person small business. This is an area in which more situationally aware ransomware could wreak havoc.

Given its past success, traditional ransomware seems destined to continue to thrive on unprotected endpoints. It may even become more lucrative by incorporating social engineering and other advanced attack methods. Ransomware will likely also look to new playing fields such as the Internet of Things (IoT).

When discussing the security of connected cars, for example, the focus is usually on data protection, privacy or, of course, physical safety. But there’s no reason to think new types of ransomware schemes won’t play a role here, as well. If attackers do manage to hack an autonomous car, they could potentially take control, brick the engine and demand a ransom of, say, 10 or 20 bitcoins to release the car. Such a scheme would be relatively easy for a cybercriminal with the right tools and simultaneously disastrous for victimized individuals, organizations and economies.

Across malware in general and ransomware specifically, much of what we see is generic, but some malware is very clearly trying to stay ahead of our existing network tools and even of new tools that are still being developed. This has been the case for 10 or even 15 years, and it’s not likely to change. In such an environment, a successful organization is one that doesn’t rely exclusively on security tools, but rather has a proactive mindset when it comes to protecting assets.

If you’re not threat hunting and proactively preparing for a potential security event, you’re setting yourself up for a rude awakening. You do want to continue to build up your castle wall to keep threats out, but it’s also crucial to plan your response for dealing with ransomware and any other threats that manage to get in.
