In the past, cybercriminals often operated with the motive to “do it for lulz,” engaging in malicious activities purely for the sake of amusement or creating chaos. Today, they’re driven by profit, transforming into rational business entities seeking scalable, repeatable processes for a steady income. This change in motivation has made predicting their behavior somewhat easier, as their actions are now grounded in strategic objectives rather than unpredictable whims.

In 2024, we expect the ransomware threat will continue taking an opportunistic turn—a trend that we first highlighted in 2022, gained momentum throughout 2023 (marked by multiple advisories, culminating in the ongoing CitrixBleed exploitation), and is projected to reach maturity this year.

1. Acceleration of Opportunistic Ransomware with Zero-Day Exploits

In 2024, ransomware threat actors will continue adopting a more opportunistic mindset, rapidly weaponizing newly discovered vulnerabilities within 24 hours. After compromising many networks using automated scanners, they will manually triage them to determine the optimal monetization method and select the appropriate attack mode. As companies increasingly adopt prioritized patching and swift response, more sophisticated groups with substantial resources will begin investing in genuine zero-day vulnerabilities, bypassing the need to wait for proof-of-concept (PoC) code availability.

Ransomware groups will continue focusing on enterprise software. Both enterprise vendors and customers need to adapt to this trend. Beyond its widespread adoption, enterprise software stands out as a prime target due to its traditional maintenance cycles. In contrast to the fully automated and seamless update mechanisms prevalent in consumer software, such as browsers or office applications, enterprise software typically follows a more conservative, staged approach to patching. This creates a window of opportunity for threat actors, and their efforts will likely be directed toward expanding the duration of this window as much as possible. The traditional lifecycle approach of enterprise software may need to undergo a transformation to cope with escalating pressures imposed by threat actors.

Given the time required for this adjustment, a temporary imbalance between offensive and defensive capabilities may occur. Following a few high-profile attacks, companies are anticipated to focus on risk management solutions.

2. Streamlining Victim Assessment and Triage

Opportunistic attacks, executed by initial access brokers or ransomware affiliates, swiftly gain access to hundreds or thousands of networks. After this automated initial compromise, a manual triage process follows, requiring additional time. This dwell time provides defenders with an opportunity to detect and mitigate the threat, especially with effective detection and response capabilities (XDR or MDR).

Triage is crucial for determining the maximum ransom potential and the most effective method, considering factors such as industry or company size. Manufacturing and similar operation-dependent industries are susceptible to ransomware deployment, while sectors like healthcare or law offices are more prone to data theft. Ransomware groups are increasingly adept at understanding industry nuances. Gaming studios, in particular, need to stay alert as we expect attacks to rise in 2024.

Small or medium-sized businesses with limited ransom potential serve as sources for business connections to escalate attacks, often through VPN/VDI connections or business email compromise. In this scenario, the most valuable asset for ransomware affiliates might not be what you have, but who you know. The initial exploitation of a vulnerability can compromise a company through a supply chain, even if it doesn’t directly use the affected software.

3. Modernization of Ransomware Code

Ransomware developers are increasingly adopting Rust as their primary programming language. Rust allows developers to write more secure code, while making it harder for security researchers to reverse engineer and analyze. Additionally, it enables the development of code that can be compiled for different operating systems. While the development of actual ransomware for macOS is not anticipated, there is an increasing trend in targeting hypervisors and other server workloads.

Instead of fully encrypting files, ransomware code will favor intermittent encryption and gradually transition towards quantum-resilient encryption like NTRU Encryption. Intermittent encryption involves encrypting only a portion of a file at a time, offering two key advantages: first, it becomes more challenging for security tools to detect the attack due to the statistical similarity between the partially encrypted file and the original; and second, the encryption process is faster, enabling the ransomware to encrypt more files within a given timeframe.

In summary, high-quality ransomware code is becoming a commodity. Ransomware often impacts a large number of systems and vast amounts of data. However, despite professional development, the recovery of data remains challenging and is never guaranteed to be 100%. More ransomware groups are transitioning to data theft as a strategy, recognizing the persistent difficulties in data recovery, regardless of the code’s quality. 

4. Continuous Shift Towards Data Theft Over Ransomware Encryption

Data encryption will continue to be part of the arsenal for sophisticated ransomware groups, but it will take on a supplementary role. A shift towards data theft and exfiltration continues, moving away from the traditional focus on ransomware encryption (exceptions are industries where ensuring availability is prioritized over confidentiality, such as manufacturing). A few notable examples are CL0P, BianLian, Avos, BlackCat, Hunters International, and Rhysida.

Data exfiltration holds the potential for higher payouts compared to ransomware attacks. After successful data exfiltration, victims confront a binary decision: keep the data confidential or permit threat actors to publish it, in contrast to the more flexible outcomes of data encryption scenarios.

Unlike ransomware, data exfiltration avoids causing destruction, enabling ransomware groups to portray themselves as involuntary penetration testers. Data exfiltration allows victims to maintain the facade of data confidentiality, as threat actors offer to discreetly handle breaches. Cybercriminals exploit legislation and compliance knowledge to force victims into meeting increasing ransom demands, and some victims might opt to pay a ransom to evade fines or negative impact on the brand.

A screenshot of a computer Description automatically generated

Hunters International is one of the groups that prefer data exfiltration to data encryption.

Case in point, as shown in results from our “Bitdefender 2023 Cybersecurity Assessment” survey, more than 70% of USA respondents said they had been told to keep a breach under wraps, while 55% said they had kept a breach confidential when they knew it should have been reported. Law enforcement agencies often obtain access to leaked data from ransomware groups, which may contain information about security breaches that have not been reported. As the shift continues, we expect (and hope) to see heightened scrutiny from regulatory bodies.

5. Elevation of Ransomware Groups to Higher Sophistication

The shift from security generalists to increased specialization is fueled by the profit-sharing model of criminal groups, a more accurate term for the Ransomware-as-a-Service (RaaS) business model. These sophisticated groups actively recruit members with advanced skills and higher education.

 

Facing scalability challenges linked to opportunistic attacks, ransomware groups are expected to actively seek automation skills in the near future. To maximize ransom, a profound understanding of how businesses operate is crucial, leading to a greater emphasis on cyber insurance, compliance, and legislative expertise. This opens more opportunities for non-technical specialists to join the expanding criminal ecosystem.

For successful ransomware groups, a key factor is attracting the most talented and well-connected affiliates, and the competitive landscape among ransomware groups will intensify. Groups struggling with operational security challenges, exemplified by BlackCat (shut down recently by law enforcement and connected to previously failed BlackMatter and DarkSide groups), will likely rebrand but struggle to attract more sophisticated affiliates, especially after multiple failures. Some groups may opt to sell their remaining assets to other aspiring cybercriminals and vanish, as was the case with Hive and Hunters International (read our analysis). As ransomware groups increasingly rely on specialists, their brand and reputation are positioned to play a more substantial role—potentially becoming a vulnerability in their operations.

6. Disruption of State-Sponsored Techniques by Ransomware Groups

The increasing sophistication of ransomware groups in 2024 will lead to the widespread adoption of tools and techniques traditionally associated with state-sponsored threat actors. DLL sideloading will become a common practice, and “living off the land” techniques will remain mainstream. As companies of all sizes adopt effective defenses like MDR and XDR, it will become increasingly challenging for state-sponsored groups to conceal their activities, forcing them to shift towards custom sophisticated malware and complex attack vectors, including supply chain attacks.

Regimes that have tolerated the existence of these ransomware groups may need to set rules of engagement when these operations start causing conflicts with their allies or undermining their own interests.

Conclusion

In summary, 2024 is anticipated to be another year of ransomware. However, it’s critical to recognize that the ransomware business model has evolved significantly since 2017, and we are in the midst of one of these transitions. Staying informed about the latest trends is crucial, as is prioritizing fundamental strategies like defense-in-depth and multilayered security. The emphasis should be on acquiring capabilities rather than tools, covering prevention, protection, detection, and response capabilities.

These predictions are a result of the dedicated work put in by our security researchers at Bitdefender Labs and the practical insights of our security professionals in the Bitdefender MDR team. We would like to thank them for their hard work, especially their efforts in analyzing ransomware code to develop free decryptors.

Originally published on the Bitdefender blog, January 2, 2024, by Martin Zugec

Share