Ransomware Attacks are Evolving: What You Need to Know

One look at all the ransomware attacks from the past few years, and it’s clear that crypto-malware actors are attempting to maximize their financial gain. activereach is an authorised partner of Cybereason who have observed these threat groups using multiple techniques to profit even more off their victims than in years past. Here are a few tactics that stood out to them.


Digital attackers are increasingly asking more from their victims. Take the recent attack involving CNA as an example. Indeed, the insurance company’s payment of $40 million was the highest ransomware demand met by a company to date.

It’s not the highest amount ever asked by a crypto-malware group. CNA talked down its own ransom demand from an initial ask of $60 million, reported Bloomberg. A couple of months before that, REvil/Sodinokibi’s ransomware operators asked for more from two of its recent victims.

The issue here is that ransomware actors know that victims will attempt to talk down a ransom payment. They are also aware that many larger companies have cyber insurance policies that will help to cover at least some of a ransom payment. But they still want their money. That explains why these attackers are demanding $50 million to $70 million on average. They aim big, according to Bloomberg, even when they might not receive it in the end.


Ransomware actors are attempting to further increase their gains by conducting their attacks in multiple stages. Our ICS honeypot environment picked up on this in H1 2020 when it observed ransomware using publicly accessible remote administration interfaces to gain initial access. This involved brute forcing an admin’s account credentials and logging in remotely.

At that point in time, the attackers used a PowerShell script to create a backdoor user called “admin.” This action gave the attackers a means of maintaining persistence while evading detection. With that persistence, the malicious actors logged back into the compromised server and used PowerShell to upload additional attack tools. Those utilities included Mimikatz, a tool which enabled the attackers to steal user credentials and move laterally to the domain controllers. It’s then that the campaign detonated its ransomware.
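The early stages of this chain (a burst of failed logons, a successful logon, then a new local account) can be correlated as one behaviour rather than three separate alerts. The sketch below is an added example, not Cybereason's detection logic. It assumes a simplified pipe-delimited record format, constructed sample data and arbitrary thresholds; only the Windows Security event IDs (4625, 4624, 4720) are real.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, LOGON_OK, USER_CREATED = 4625, 4624, 4720  # Windows Security event IDs
BRUTE_THRESHOLD = 5                     # assumed tuning value
BRUTE_WINDOW = timedelta(minutes=10)    # assumed tuning value
FOLLOWUP_WINDOW = timedelta(hours=1)    # assumed tuning value

# Constructed sample records (time|event_id|host|actor|src_ip|target), not real logs.
SAMPLE = "".join(f"2020-03-01T02:00:{s:02d}|4625|srv01|administrator|203.0.113.7|-\n"
                 for s in range(0, 30, 5)) + """\
2020-03-01T02:00:40|4624|srv01|administrator|203.0.113.7|-
2020-03-01T02:03:10|4720|srv01|administrator|-|admin
2020-03-01T09:00:00|4625|srv02|helpdesk|10.0.0.15|-
2020-03-01T09:00:20|4624|srv02|helpdesk|10.0.0.15|-
2020-03-01T09:05:00|4720|srv02|helpdesk|-|j.smith
"""

def parse(line):
    """Parse one record of the assumed pipe-delimited format."""
    ts, eid, host, actor, src, target = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "id": int(eid), "host": host,
            "actor": actor, "src": src, "target": target}

def find_chains(events):
    """Flag hosts where brute force -> logon -> account creation line up."""
    events = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)  # (host, account, src) -> failed-logon times
    sessions = {}                 # (host, account) -> (logon time, src, failures)
    findings = []
    for e in events:
        if e["id"] == FAILED_LOGON:
            failures[(e["host"], e["actor"], e["src"])].append(e["time"])
        elif e["id"] == LOGON_OK:
            recent = [t for t in failures[(e["host"], e["actor"], e["src"])]
                      if e["time"] - t <= BRUTE_WINDOW]
            if len(recent) >= BRUTE_THRESHOLD:  # logon preceded by a failure burst
                sessions[(e["host"], e["actor"])] = (e["time"], e["src"], len(recent))
        elif e["id"] == USER_CREATED:
            hit = sessions.get((e["host"], e["actor"]))
            if hit and e["time"] - hit[0] <= FOLLOWUP_WINDOW:
                findings.append({"host": e["host"], "compromised": e["actor"],
                                 "src": hit[1], "failed_logons": hit[2],
                                 "new_account": e["target"]})
    return findings

def run_sample():
    return find_chains(parse(line) for line in SAMPLE.splitlines())
```

On the sample, only srv01 is reported: the srv02 account creation follows a single mistyped password, so it falls below the failure threshold and is treated as routine administration.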

“This activity points to an interesting trend in ransomware attacks,” we explained at the time that we spotted this operation. “Instead of focusing on a single stage, deploy and detonate approach to ransomware, attackers are using multiple stages to ensure as much financial gain as possible. They not only deploy ransomware, but they also move laterally to affect as many machines as possible and steal credentials before ultimately detonating the ransomware.”


Finally, malicious actors are complicating the ransomware recovery process to force victims into paying. Take double extortion, for example. The operators of many ransomware strains are using this technique to steal a victim’s information before launching their encryption routine. The attackers then threaten to release the sensitive data publicly if the ransom demand is not met. Backups can help nullify the need for a decryptor, but they can’t prevent an attacker from publishing a victim’s information on the web. In response, the victim needs to pay some sort of ransom.

Some ransomware attackers have taken this a step further with triple extortion. It’s where those responsible for an infection not only demand something from their victim but also ask for smaller sums from a victim’s customers. Nefarious individuals try to extort these individuals by threatening to publish their information, or they use DDoS attacks and/or media reports to scare them into submission. All of this is designed to put even greater pressure on a company to pay up.

And then there are instances where digital attackers use more than one ransomware strain to encrypt a victim’s data. This usually takes one of two forms: In the first scenario, a malicious actor uses one ransomware strain to encrypt a victim’s data before applying yet another ransomware strain to that encrypted data; the second scenario involves splitting up some data or systems between two different ransomware strains. Either situation makes recovery difficult, especially when victims are forced to use multiple attacker-provided tools that might not function properly. It also makes it costly, as victims must pay for more than one decryptor.


The developments discussed above highlight the need for organisations to prevent financial loss and defend against a ransomware attack. They can’t do this with any old tool, however. Traditional prevention strategies are less effective against the threat of modern, multi-stage ransomware.

Next-gen ransomware has evolved to better evade standard defences, and when deployed as a component of a targeted attack, adversaries stand a high chance of success against underprepared environments.

A behaviour-based approach to prevention, detection and response is required for success against ransomware attacks. Specifically, organisations need a mode of ransomware defence that turns away from Indicators of Compromise (IOCs) to Indicators of Behaviour (IOBs) as a means of visualising the entire attack chain.

Cybereason delivers fearless ransomware protection via multi-layered prevention, detection and response, including:

  • Anti-Ransomware and Deception: Cybereason uses a combination of behavioural detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
  • Intelligence-Based Antivirus: Cybereason blocks known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
  • NGAV (Next Generation Anti-Virus): Cybereason NGAV is powered by machine learning and recognises malicious components in code to block unknown ransomware variants prior to execution.
  • Fileless Ransomware Protection: Cybereason disrupts attacks utilising fileless and MBR-based ransomware that traditional antivirus tools miss.
  • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
  • Behavioural Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

Cybereason and activereach are dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere – including modern ransomware. Schedule a demo today to learn how your organisation can benefit from an operation-centric approach to security or call 0845 625 9025 to speak to the team.

This article was shared from the original posted in June 2021 written by the Cybereason Security Team.