Ransomware Business Models: Future Pivots and Trends

RDP port 3389 continues to be a popular service abused by ransomware actors to gain initial access to systems located and connected to on-premises infrastructure. However, as more organizations move to cloud services for file storage and Active Directory systems, ransomware groups will look for more opportunities to develop and/or exploit vulnerabilities that have not yet been extensively exploited.
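One defender-side check for the RDP abuse described above, as an added example that is not part of the original article: the script below scans Windows Security log events for repeated failed RemoteInteractive (RDP) logons from a single source address within a short window, and then flags any successful RDP logon from an address that tripped that alert. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive) are real Windows values; the event records, timestamps, IP addresses and user names are constructed for the example.

```python
"""Flag RDP password guessing from Windows Security log events.

Added example (not the article's own code). Event IDs 4625/4624 and
LogonType 10 are real Windows values; the events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already parsed into dicts (e.g. from an EVTX/JSON export).
SAMPLE_EVENTS = [
    {"ts": "2023-01-10T02:00:01", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"ts": "2023-01-10T02:00:09", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "admin"},
    {"ts": "2023-01-10T02:00:17", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "backup"},
    {"ts": "2023-01-10T02:00:25", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "svc_sql"},
    # A network (type 3) failure from the same address: not RDP, so it must not count.
    {"ts": "2023-01-10T02:00:30", "EventID": 4625, "LogonType": 3, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"ts": "2023-01-10T02:00:33", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "jsmith"},
    {"ts": "2023-01-10T02:00:41", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    {"ts": "2023-01-10T02:00:52", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7", "TargetUserName": "administrator"},
    # A user mistyping a password once, then logging in: benign and below threshold.
    {"ts": "2023-01-10T09:15:00", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith"},
    {"ts": "2023-01-10T09:15:20", "EventID": 4624, "LogonType": 10, "IpAddress": "198.51.100.20", "TargetUserName": "jsmith"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for addresses with >= threshold failed
    RDP logons (EventID 4625, LogonType 10) inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e["LogonType"] == 10:
            failures[e["IpAddress"]].append(datetime.fromisoformat(e["ts"]))

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until all timestamps fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def rdp_success_after_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return (ts, ip, user) for successful RDP logons (EventID 4624,
    LogonType 10) from addresses that also triggered the brute-force alert.
    These are the events worth treating as probable initial access."""
    alerts = detect_rdp_bruteforce(events, threshold, window)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["EventID"] == 4624 and e["LogonType"] == 10 and e["IpAddress"] in alerts:
            hits.append((e["ts"], e["IpAddress"], e["TargetUserName"]))
    return hits


if __name__ == "__main__":
    for ip, n in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT: {n} failed RDP logons from {ip} within 5 minutes")
    for ts, ip, user in rdp_success_after_bruteforce(SAMPLE_EVENTS):
        print(f"CRITICAL: successful RDP logon as {user} from {ip} at {ts} after password guessing")
```

The window and threshold are deliberately parameters: a five-in-five-minutes rule catches noisy password spraying against an internet-exposed host, while a slower, distributed attack would need the window widened or the grouping keyed on the target account instead of the source address.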


Current ransomware business models are expected to be gradually fine-tuned in response to the triggers that drive them. From a business perspective, these are “naturally occurring” shifts that push operators away from the current state. In this section, we list two gradual evolutions that ransomware attackers are likely to undergo to adapt to upcoming triggers in the short term. For a complete list of evolutions and a discussion of each, you can download the paper here.

Evolution 1: Targeted Endpoint Change – Internet of Things (IoT)/Linux

The emergence of the Mirai botnet in 2016 was a turning point that showed the potential for malware to extend its reach to Linux devices and the cloud. Although Mirai is not ransomware, the public availability of its source code let anyone with the interest and skill download the code, recompile it, infect Linux-based routers, and build their own botnet. This illustrates two points relevant to this particular evolution.

  • Code ready to target Linux-based devices already exists and can easily be adapted for other similar devices.
  • Threat actors are ready to use it as soon as an internet-facing target with security gaps becomes visible.

From these two points, ransomware groups can find new Linux-based targets or tweak the threats already at hand to target new platforms such as cloud infrastructure, thus expanding their potential for growth. This can take several forms:

  • Ransomware groups set their sights on regular Linux servers
  • Ransomware groups begin targeting backup servers
  • Ransomware groups begin targeting other Linux-based IoT devices

With the increasing use of Linux-based servers, the cloud, and the Internet of Things (IoT) as additional entry points, ransomware groups see an opportunity to attack these devices as endpoints. This could be a favorable shift for them for the following reasons:

  • They are powerful enough to support advanced features.
  • They are almost always connected to the internet.
  • They host large amounts of personal or other valuable information.
  • They are often fragile and unsupported.

Relatedly, reports of attacks and exploits against network-attached storage (NAS) devices are well-documented examples of this expansion, but it would be a mistake to assume that threat groups will stop there.

Evolution 2: Scale up through increased professionalism and automation

As RaaS groups gained notoriety for the chaos and losses they caused to organizations and users, some ransomware actors gave interviews to the media. Unbeknownst to them, their RaaS infrastructure had already been compromised and was being monitored by security researchers while they spoke to journalists.

Many RaaS groups host their websites on servers hidden behind Tor, but security researchers and law enforcement have uncovered the actual IP addresses behind these services. This can mean that unencrypted data stored on these backend servers is an easy target for law enforcement.

In contrast to these notorious players, other ransomware actors have better OpSec: no media involvement, minimal interaction with victims, and undocumented network intrusions. If the notorious ransomware attackers follow the example of their lesser-known peers and operate with a higher level of professionalism while keeping a low profile, the lifespan of RaaS programs could be extended.

Similarly, automating ransomware attacks not only reduces risk but also lets a gang scale. Coordinated, manual attacks are more likely to succeed, but the more manual work is involved, the higher the risk, because more people are required for the task. Aside from the risk of human error in criminal activity, there are also instances of disgruntled cybercriminals revealing the identities of other cybercriminals or leaking information about them on the internet.

Automation also allows ransomware groups to calculate and weigh which channels bring in more revenue. Increasing automation can reduce revenue per ransomware victim, but it can also increase total revenue through the sheer volume of deployments. Affiliates responsible for initial access and lateral movement can be removed from the model through automation such as large-scale exploits and worm-like features, lowering costs and speeding up operations. Another possible alternative is to replace ransom negotiators with automated chatbots, which would reduce direct communication between perpetrators and victims. As big-game hunters realize the benefits of automation in terms of risks and rewards, they may become more drawn to implementing it.


A stack of small evolutions can lead to big changes among ransomware groups. Security researchers have already documented some groups shifting from profit-oriented attacks to serving the objectives of nation-state attackers, benefiting nations and their leaders and using ransomware as a smokescreen for their real goals. Other RaaS groups may be driven by the evolution of cloud adoption, or by the evolution of exploits and vulnerabilities. Still others are driven by the promise of higher profits to change their criminal business model even further. This section describes two of the revolutions that ransomware attackers are likely to pursue in the long term. For a complete list of revolutions and the reasoning behind each, download the full Insights and Research paper here.

Revolution 1: Hacking cryptocurrency exchanges/stealing cryptocurrencies
