Ransomware payments spiked to a new high of $1.1 billion in 2023—and that is only the payments that were reported. With attacks evolving quickly due to the advances in AI, the ransomware prevention best practices you currently use may no longer be enough. In this blog, we’ll dive into today’s ransomware trends and provide a step-by-step guide to current ransomware attack tactics with real-life images and a checklist of today’s best practices to prevent an attack.
Changes in Ransomware Trends
One of the big trends changing ransomware attack patterns is the addition of AI into attack planning and execution. AI has made it quicker, easier, and cheaper for inexperienced hackers to create convincing and difficult-to-detect phishing campaigns, get detailed directions on how to perform each step of a ransomware attack, and receive guidance on how to use individual tools to optimize their attacks. While attackers continue to leverage Ransomware as a Service (RaaS) kits and playbooks to streamline the attack process, as AI advances it will be interesting to see if it impacts the popularity of RaaS and the hacker franchise model. We’ll share more on this trend later in this blog when we describe the different phases of today’s ransomware attacks.
Another top ransomware trend is an increased emphasis on “Big Game Hunting.” Attackers are increasingly focused on ransoms over $1 million. So, while the number of ransomware attacks has decreased, as you can see in the Chainalysis chart below, the size of the ransoms has gone up significantly.
One recent example of this trend is the Change Healthcare breach of February 2024; the company admitted to paying a $22 million ransom. Ransom aside, the ripple effects of this attack caused disruptions throughout the healthcare ecosystem. Some offices closed for the week and had to furlough their staff, and it is estimated that one in three Americans’ sensitive health care information was leaked. Sadly, this attack likely could have been prevented at several key inflection points if Change Healthcare had followed today’s ransomware prevention best practices.
The attack on Change Healthcare, a subsidiary of UnitedHealth, was attributed to the ALPHV/BlackCat ransomware group, who reportedly broke into the Change Healthcare system by leveraging compromised Citrix credentials for an account that did not have Multi-Factor Authentication (MFA) enabled. Like many ransomware attacks, ALPHV/BlackCat initially breached the network nine days before it launched the ransomware attack. If Change Healthcare had followed today’s ransomware prevention best practices, they may have been able to detect and thwart the attack before ALPHV/BlackCat deployed the ransomware.
How Hackers Break in: AI is Making the Process Quicker and Easier
Let’s look at the steps an inexperienced attacker often takes when deploying ransomware. As we go through the steps, we’ll also point out how these attacks are evolving.
Preparing for an Attack
The biggest change in ransomware execution is that criminals are using “Evil AI” such as WormGPT to simplify attacks. WormGPT has been built to facilitate cybercrime; it is similar to ChatGPT but with few safety guardrails. This AI technology enables even minimally skilled hackers to launch sophisticated ransomware attacks, create difficult-to-detect phishing emails, and more. A lifetime membership to WormGPT is currently on sale for $200, so this affordable investment can provide attackers with detailed directions to launch million-dollar ransomware attacks.
Hackers also often want an exploit builder and a Remote Access Trojan (RAT) to launch an attack. Our team found an exploit builder for $7 and a RAT for $10 on the dark web. Finally, an inexperienced attacker will likely want to buy a ransomware program with good reviews (yes, the dark web marketplaces have reviews and ratings!). We found such a program for $63. For less than $300, an inexperienced attacker can buy the user-friendly, automated tools needed to launch an attack.
Once the tools are assembled, today’s attackers usually follow the steps LMG Security’s Sherri Davidoff, Karen Sprenger, and Matt Durrin detailed in their book Ransomware and Cyber Extortion: Response and Prevention.
The stages of a ransomware attack
Here’s an overview of each step.
Step 1: Entry
Email is still the most popular initial entry point for an attack with 90% of data breaches starting with a phishing email. The biggest trend we are seeing in the entry stage of attack is that phishing emails are getting MUCH harder to detect. Criminals are using AI to create realistic, grammatically correct emails as you can see in the WormGPT-generated example below. They can even ask WormGPT for tips to increase the odds a victim clicks their link.
Next up, the criminal can use the exploit builder program they purchased to create the RAT by simply checking boxes for their desired attributes and customizing the payload by enabling features such as “Bypass Firewall Windows” and “DisableTaskMgr.”
The attacker can now build a malicious PDF dropper (a document file that, when opened, drops and executes the malware) by entering the link to the malware they just generated, and the program will create the infected file that can be added to a phishing email.
All it takes is for one user to click the link or download the attachment and the attacker can access the network. Using today’s RAT programs, the attacker can enable a remote desktop program and take full control of the compromised computer.
At this point, many attackers also add a second access method, such as installing a standard remote access management tool like AnyDesk, which can operate discreetly in privacy mode so security teams may not notice it.
Step 2: Expansion. In bad news for defenders, the prevalence of malware-free attack activity is skyrocketing. CrowdStrike estimates that in 2023, 75% of the activity it observed during investigations did not involve malware at all; instead, attackers used tools already present on the computer to carry out malicious actions. This gives attackers time to expand access and gather information. They may:
Step 3: Priming. During this stage, the attackers will prep the network for ransomware. If the attacker was able to gain domain admin access, they can give themselves access to any folders they want and try to stealthily exfiltrate data. They will also turn off security software and controls, like Windows Defender and real-time protection, for all devices.
Step 4: Leverage. Now that the attacker has gathered all the information they want and primed the network, with a simple command they can deploy the ransomware on a shared folder, so it spreads to and encrypts any connected files.
The attacker can select the ransomware menu and deploy the malware with a few clicks.
Step 6: Extortion. The attacker usually leaves a ransom note in a folder, and these days they frequently issue a public disclosure of the breach on a “name and shame” ransomware site to pressure you to pay. You will then need to decide whether you will negotiate and pay the ransom or recover without the ransomware decryption key.
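The entry and priming stages above leave traces defenders can look for: a second remote-access tool such as AnyDesk being installed as a service, and Windows Defender real-time protection being switched off. The following detector, an added example that is not LMG Security’s code, scans a constructed set of Windows event records for those traces and flags a host where both happen close together; the Defender event IDs (5001, 5010, 5012) and the System-log service-install event (7045) are the documented Windows values, while the remote-tool name list and one-hour window are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft-Windows-Windows Defender/Operational events that signal tampering
DEFENDER_TAMPER = {
    5001: "Defender real-time protection disabled",
    5010: "Defender anti-malware scanning disabled",
    5012: "Defender antivirus scanning disabled",
}
SERVICE_INSTALLED = 7045  # System log: "A service was installed in the system"
# Remote-access tools attackers add as a second foothold (assumed heuristic list)
REMOTE_TOOLS = ("anydesk",)

def classify(event):
    """Return a finding label for one event record, or None if not interesting."""
    eid = event["event_id"]
    if event["channel"] == "Defender" and eid in DEFENDER_TAMPER:
        return DEFENDER_TAMPER[eid]
    if event["channel"] == "System" and eid == SERVICE_INSTALLED:
        name = event.get("service_name", "").lower()
        if any(tool in name for tool in REMOTE_TOOLS):
            return f"remote-access tool service installed: {event['service_name']}"
    return None

def find_priming(events, window=timedelta(hours=1)):
    """Group findings per host; a host with Defender tampering and a
    remote-tool install inside `window` is reported as priming=True."""
    per_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), label))
    report = {}
    for host, items in per_host.items():
        items.sort()  # chronological order
        tamper = [t for t, lbl in items if lbl.startswith("Defender")]
        tool = [t for t, lbl in items if lbl.startswith("remote-access")]
        correlated = any(abs(a - b) <= window for a in tamper for b in tool)
        report[host] = {"findings": [lbl for _, lbl in items], "priming": correlated}
    return report

# Constructed sample events, not real telemetry
SAMPLE = [
    {"host": "WS01", "channel": "System", "event_id": 7045, "time": "2024-02-12T09:02:00", "service_name": "AnyDesk Service"},
    {"host": "WS01", "channel": "Defender", "event_id": 5001, "time": "2024-02-12T09:40:00"},
    {"host": "FS02", "channel": "Defender", "event_id": 5001, "time": "2024-02-12T11:00:00"},
    {"host": "FS02", "channel": "System", "event_id": 7045, "time": "2024-02-12T11:05:00", "service_name": "Spooler"},
]

if __name__ == "__main__":
    for host, result in find_priming(SAMPLE).items():
        print(host, result)
```

In a real deployment the records would come from forwarded event logs or an EDR export; a Defender-tamper finding on its own still deserves a look even when no remote tool is seen.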
LMG Security’s Ransomware Prevention Best Practices Checklist
Now that you know how a ransomware attack happens, let’s review today’s ransomware prevention best practices.
By employing these updated best practices, you can dramatically reduce your risk of a ransomware attack.
We hope you found this information helpful. If you would like support implementing any of these best practices, please contact us. Our expert LMG Security team is ready to help!
This blog is distributed with the permission of LMG Security
LMG Security is a full-service cybersecurity firm, providing one stop shopping for a wide array of cybersecurity services. Whether you need virtual CISO or regulatory compliance consulting services, testing, solution integration, training or one of our many other services – our expert team has you covered. Our team of recognized cybersecurity experts have been covered on the Today Show and NBC News, as well as quoted in the New York Times, Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base located around the United States and internationally.