5 Ransomware Trends Organizations Should Know in 2021

An uptick of ransomware headlines in the news is a reminder that any organization can fall victim to an attack. Recently, we’ve seen ransomware operators target vulnerable on-premises Microsoft Exchange servers and a tech giant get hit with an exorbitant $50 million ransom demand.

Like most cyber attacks, ransomware attacks have evolved over time.

As described in our recent “Proactive Protection Against Ransomware” webinar, here are five recent ransomware trends we’ve observed that organizations need to be aware of and prepare for.

  1. Ransomware is increasingly targeted
  2. Ransomware has greatly advanced from the scareware tactics of the early 2000s. Instead of spam-like, opportunistic attacks that relied on tricking individuals to get payouts of a couple hundred dollars per successful attack, ransomware has become increasingly targeted.

    Instead of targeting individuals, ransomware operators have switched primarily to targeting organizations in what is known as “big game hunting.” Often, the actors target specific industries, such as healthcare, where targeted victims may have less dedicated security resources, cannot sustain long downtimes and may have a higher incentive to get encrypted data back sooner. In short, attackers are seeking out organizations that they anticipate will pay out, rather than fight back or switch to back-up data systems, even if the extortion threat is used.

    Today’s ransomware has become sophisticated enough that it includes advanced anti-reverse engineering code for prevention of front-line security researchers’ attempts to analyze files for Threat Intelligence. Mechanisms such as runtime environment checks for virtualization, location, physical environment such as external IP address resolution, and many advanced features are now commonplace. This means getting Indicators of Compromise (IOCs) to Security Defenders can be delayed.

    Further, by sending an email to a known individual at a known company, an attacker can better target an organization because the linkage between target and entity are plainly obvious. Performing even more granular targeting also gives attackers a greater degree of success.

  3. Attackers favor email phishing as a delivery mechanism
  4. Attackers favored remote code execution (RCE) exploits as the ransomware delivery mechanism from the mid to late-2010s. This is an important trend to note: when RCEs are unavailable, phishing will become the “go-to” mechanism — attackers often rely on the factor of human mistakes. Cognitive biases can reliably be exploited through phishing and social engineering.

    This is cyclical in nature and is illustrated further based on the recent Microsoft Exchange series of vulnerabilities that saw a rise in Ransomware delivery through RCEs over Phishing. However, today, as this RCE has been patched and is less commonly found “in the wild,” cyber actors are returning to email phishing. (It is important to note that the ebb and flow between the use of RCEs and phishing does not signify a decrease in total number of threats. Threat actors switch between various tactics, and organizations must be prepared to defend against all types of attacks.)

    Several factors contribute to this change in tactics:

    – First, as detection methods became more sophisticated and more organizations patched systems, RCE exploits became easier to detect and less successful. This, in turn, made the development of exploits more expensive (and sometimes impossible) for attackers.

    – Further, availability of zero-day exploits became less common, while existing exploits did not always ensure the attackers would land on the systems of the organizations they intended to target.

    With phishing, attackers face less risk of losing “intellectual property” in the form of having their expensive exploits detected (which other security vendors will create signatures for and eventually broadly discover).

    Ransomware phishing emails typically deliver a first stage loader, such as Trickbot, a banking trojan increasingly used to spread ransomware. Ransomware is deployed at the final stage and only if all targeting conditions are met. By using commodity malware such as stageloaders, ransomware threat actors do not risk losing as much if their attacks are caught — all they stand to lose is some phishing infrastructure (e.g. lookalike email domains) and the fact that they are targeting a particular organization.

  5. Domain fronting is a popular tactic
  6. Domain Fronting uses well-known, legitimate infrastructure, domains and online entities (e.g. Microsoft, Google, etc.), and abuses the trust that is established between organizations and these entities. Cyber Actors use Domain Fronting to host malware of all kinds, from ransomware, to stageloaders, knowing that it provides for low-cost, high-trust, and reliable infrastructure to use against victims.

    A common example is a phishing email with a link to a Google Drive or Microsoft SharePoint domain that hosts a malicious document deploying ransomware. The link in the email pointing to the malicious document will have a Google or Microsoft-owned primary domain. This allows attackers to fool users — and sometimes even security systems — into thinking that the link and document are benign.

    These are very difficult attacks to sort from the legitimate. Consider the ramifications if your organization were to put in a firewall rule to block all of Microsoft or all Google Docs.

  7. Extortion is now the norm
  8. Most people are familiar with ransomware’s hallmark of encrypting data or making files inaccessible. In exchange for a monetary ransom, typically paid via cryptocurrency like Bitcoin, the attacker will purportedly provide a decryption key. Creative threat actors have come up with a second opportunity to get a payout, which is also used as leverage to ensure the ransom will be paid.

    In what is known as “double extortion” attacks, ransomware actors will threaten to put stolen data up for sale on the dark web if ransoms are not paid, putting additional pressure on victims. This can increase the chances that a ransom will be paid even by victim organizations who have backed up their data or have recovery plans.

    Further, the risk to organizations is not just that their data may be leaked, stolen and sold on the dark web; they may also face legal or government ramifications if the manner of their data storage is not in keeping with standards, HIPAA or other disclosure-based governmental standards.

    Some ransomware Cyber Actors have threatened to release information revealing an organization didn’t store data in compliance with HIPAA, and such information would be leaked to the authorities. The fines from such an oversight may outweigh those of the ransom and the data extortion alone.

    One such example can include the ramifications of paying a ransom to an organization that has been declared a terrorist organization or is on the U.S. Government’s list of sanctioned groups. Paying such an organization can result in civil and criminal punishment.

  9. Ransomware time-to-deployment has decreased

The time it takes for ransomware to be deployed on a network has exponentially decreased over time. Several years ago, it took several months for ransomware to be deployed. Today, it takes hours or less from the moment a network is compromised.

By the time most organizations realize they have been compromised, attackers have already exfiltrated large amounts of data. Again, keep in mind that the attacker has likely targeted the organization specifically and already performed reconnaissance on the network by the time a compromise is noticed.

How Area 1 Security preempts ransomware attacks

With ransomware’s increased targeting and sophistication, an organization’s best chance of surviving a ransomware attack is to prevent it from reaching the organization in the first place. In fact, analyst firm Gartner notes that the cost for recovery from ransomware can be nearly 10 times the ransom demand, once costs for downtime, recovery, increased cybersecurity insurance premiums, and credit monitoring for affected customers is taken into account.

Particularly with email phishing as the delivery mechanism of choice for ransomware groups, organizations need to focus on email security as a top means of preventing ransomware stage loaders from landing in inboxes.

Area 1 Security’s cloud-native platform, Area 1 Horizon™, offers comprehensive email security against ransomware and other advanced attacks. Through our massive-scale web crawling and threat indexing, we can discover malicious ransomware infrastructure 24 days before industry averages. We leverage small pattern analytics to detect even the most targeted ransomware without needing to rely on large volumes samples. Area 1 also uniquely uses deep payload scanning to detect ransomware hidden in links within attachments, nested links or archives, even if domain fronting tactics are used. Adept at detecting first stage loaders before ransomware is even deployed, Area 1 Security preemptively protects organizations from ransomware, business email compromise (BEC), and other advanced targeted attacks.

Here’s just one example of a Ryuk ransomware attack (which initially passed SPF, DKIM and DMARC email authentication standards) that the Area 1 platform preemptively stopped:

To find out more about how Area 1 Security preemptively detects and stops ransomware attacks, watch our “Proactive Protection Against Ransomware Attacks” on-demand webinar here, and download our Ransomware Solution Brief here.

Area 1 Security’s Dominic Yip, Director of Sales Engineering, brings over 15 years of networking and security systems engineering expertise, including key engineering roles for Cisco and IronPort. At Area 1, he ensures that some of the world’s most sophisticated organizations — including Fortune 500 banks, insurance companies, airlines and healthcare providers — are protected from targeted phishing attacks.

Bryan Allen is a Staff Security Researcher at Area 1, where he brings over 20 years of cybersecurity experience, including Penetration Testing, Vulnerability Assessment and Management, Network Security, Computer Forensics and Machine Learning applied to network traffic and email. Bryan is a U.S. Air Force Aircrew Veteran and served in high-pressure environments during wartime and peacekeeping operations.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!


How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.