While some reports show the number of ransomware attacks actually fell in 2022, no one inside the industry is declaring victory. Cybercriminals are notoriously nimble, and they’re shifting their strategies, making them harder to spot and harder to outmaneuver. While cyber professionals must constantly look for every security hole, cybercriminals need only find one.

This year, security leaders are seeing threat actors focus principally on two sets of tactics — specialization and the deployment of new ransomware techniques aimed at avoiding detection. No matter how quickly MDR and XDR providers innovate detection methods and flag threats, cybercriminals will continue to hone their skills at the same, if not quicker, speeds.

Specialization of crime

First, specialization. Since ransomware first took root in the mid-2000s, perpetrators built out large, vertically integrated cybercrime organizations, giving the necessary resources to carry out big jobs. But that’s changing. Now, cybergangs are following the ransomware as a service (RaaS) model — outsourcing many of the functions and stages of a typical ransomware attack, giving only a small portion of the ransom to the original structure designers.

This is changing the makeup of the cybercrime business. The fact that organizations are slimming down and creating networks of specialist partners makes them more resilient to law enforcement takedowns and more difficult to track. That’s a given. What it also has done is create a market where smaller groups — or even individual contractors — can develop deep, targeted sets of skills that can elevate the effectiveness of a ransomware attack. Similar to how a specialist in safe cracking contributes to a successful bank robbery. 

Rather than carry out a ransomware attack from beginning to end, one group may target the victim and then hand off to a series of contractors to perform a whole string of tasks. One sets ransomware demands, a second maximizes the infection, a third executes the ransomware, a fourth negotiates with victims, and so on. Each of these functions require specialized skills, and each one reinforces recent demand for advanced threat detection and response across a businesses’ entire footprint, not just the endpoints.

But it doesn’t end there. Ransomware initiators are contracting with specialists of all kinds, opening up opportunities for talent from a variety of disciplines. Skilled negotiators are contracting with cyber outfits, arguing that they can bring in 20% premiums on specific jobs. As cyber gangs compete with each other for work, they hire marketers to perform competitive intelligence. Cybergroups don’t tend to completely trust one another, so each brings in its own crypto currency experts to help them move their money. Developers provide code for non-malicious back-end tasks. And some outfits are even bringing in business and people managers to optimize their resources.

This is creating a budding, adaptable ransomware ecosystem.

But an ecosystem alone won’t stop cybercriminals from getting caught. The stakes are high, so thieves are trying out new ways to avoid detection targeting businesses deemed soft targets and potential gateway to a larger organization.

Some are shifting away from conventional programming languages onto lesser used platforms like Rust, Go and Swift. They do this for several reasons. More exotic languages that aren’t commonly used can evade endpoint solutions and hinder researchers’ analyses. If thieves are harder to spot once they’re in the network, they can stay longer and do more damage. Some programming languages enable thieves to write code for multiple operating systems, allowing them to target more environments and more systems.  

Exploring new avenues of ransom

Another worrying development is that undetectable malicious bootloading tools are now becoming widely available for sale on the black market to just about anyone. Some were previously used only by experienced cyber gangs while others, such as Black Lotus, have anti-hacking features that had been reserved for nation state APT groups and military operation. Because the malware loads when a user boots up a computer, it embeds itself in the system’s firmware, allowing it to skate past antivirus software security checks and remain undetected.

Additionally, security leaders are seeing instances of AI’s influence through the expanded use of automated phishing attacks, impersonation attacks and social engineering attacks. And anyone who dislikes chatbots now may dislike them even more when fake chatbots set up to phish bank details from victims grow more sophisticated.

How do end users protect themselves against the evolving wave of ransomware tactics? The usual ways. While counter tactics will evolve, recommendations and best practices are roughly the same as they were years ago. No matter the size of the business — even if security leaders cannot build a full-time security operations center — having dedicated tools to hunt threats and flag potential hazards will make all the difference as RaaS models gain more popularity and widen the door to ransomware. Having multiple layers of security, building on traditional endpoint detection and response (EDR) capabilities with extended detection and response (XDR) and making security part of their overall business strategy are the best defenses against emerging threats.