Ransomware has worked for cybercriminals for many years, and it continues to be a valuable tool in their arsenal. A recent post on Security Intelligence discussed the trend of attackers reverting to older techniques to deliver ransomware to the employee endpoint. But now it’s time to look ahead at the future of ransomware.

Following a Pattern

A good place to start when predicting the future of ransomware is the broader history of malware in general. In light of the way malware has evolved, especially in recent years, the clear next step is likely for ransomware to become situationally aware. Dyre, first discovered in 2014, is a perfect example of malware that started out as a simple banking Trojan and then quickly developed situational awareness — which led to its becoming substantially more dangerous.

Earlier this year, IBM was a key player in identifying a new tactic, which we called Dyre Wolf. Marking a significant break with previous encounters with Dyre, the Dyre Wolf attacks included a social element in which users on an infected endpoint would visit a particular website and get an error message instructing them to call their bank to verify certain personal details. In reality, the message was provided by the attackers and led victims directly to them.

The evolution from Dyre to Dyre Wolf reveals that malware authors and attackers are no longer satisfied with sending out a phishing email and capturing the credentials of 1 or 2 percent of its recipients. Instead, they are developing more sophisticated tools and social engineering tactics to ensure they can target not only key organizations, but also key individuals within those organizations.

The Future of Ransomware

When an enterprise gets infected by ransomware today, it has to pay the going rate to get its information released. A mom-and-pop shop that gets infected pays, say, $700 per item to have its data released; a Fortune 100 company that gets infected has to pay that same $700. Right now that number is identical, but clearly the capacity to pay is much larger in a corporate environment than it is in a two- or three-person small business. This is an area in which more situationally aware ransomware could wreak havoc.


Given its past success, traditional ransomware seems destined to continue to thrive on unprotected endpoints. It may even become more lucrative by incorporating social engineering and other advanced attack methods. Ransomware will likely also look to new playing fields such as the Internet of Things (IoT).

When discussing the security of connected cars, for example, the focus is usually on data protection, privacy or, of course, physical safety. But there’s no reason to think new types of ransomware schemes won’t play a role here, as well. If attackers do manage to hack an autonomous car, they could potentially take control, brick the engine and demand a ransom of, say, 10 or 20 bitcoins to release the car. Such a scheme would be relatively easy for a cybercriminal with the right tools and simultaneously disastrous for victimized individuals, organizations and economies.

Looking at general malware trends, and at ransomware specifically, we see a lot of generic malware out there, but we also see some malware that is very clearly trying to stay ahead of our existing network tools and even of new tools that are still being developed. This has been the case for 10 or even 15 years, and it is not likely to change. In such an environment, a successful organization is one that doesn’t rely exclusively on security tools, but rather has a proactive mindset when it comes to protecting assets.

If you’re not threat hunting and proactively preparing for a potential security event, you’re setting yourself up for a rude awakening. You do want to continue to build up your castle wall to keep threats out, but it’s also crucial to plan your response for dealing with ransomware and any other threats that manage to get in.
