
Responding to Ransomware Series Part II: The (Next) 4 Ransomware Trends You Were Hoping Never to See

Kerry McQuarrie serves as Senior Incident Response Engineer at TRUE and is a 20-year veteran of enterprise IT and security. She is a certified forensics investigator, and every day Kerry mitigates live versions of the attacks you read about in news headlines.

It seems to finally be dawning on people that the American economy is threatened every time another U.S. organization of any size or vertical is hit with ransomware. Unplanned expenses for ransom negotiations, legal fees, compliance fines, and post-incident recovery mean less available cash on hand to grow your business. Even if your cyber insurance policy pays out, the insurance underwriter becomes yet another downstream business that’s being negatively impacted, and it's not hard to predict what effect that will have on future premiums for all of us. Being robbed is just expensive, period. This kind of financial loss has an impact on all of us, particularly when we are talking about hundreds of businesses across the country being hit at the same time.

Our goal with this series is to give you a clear, updated picture of what’s happening on the front lines, so you can evaluate your current security strategies and ensure you are truly prepared. In last week’s installment, Part I of our Responding to Ransomware series, we interviewed Kerry McQuarrie to learn the first four (4) trends in ransomware: the corporatization of cybercartels, a decrease in home ransomware, the return of spearphishing, and RAT/RDP attacks. This week, we are diving into trends 5-8.

Trend #5: Shift from Commodity Style to Hands-On, “Human-Based” Ransomware

In traditional ransomware attacks such as WannaCry, we saw auto-spreading functions. As mentioned above, this approach casts a very wide net, and attackers never knew exactly where the malware would end up, or exactly how much they would profit, until it was all said and done. Automated strains are definitely still floating around, but McQuarrie points out, “What we are seeing more of now are attacks where a human operator is at the wheel, guiding it around resistance and towards the most valuable assets. In the old trend, ransomware followed a defined pathway and would fail if it encountered unexpected resistance.” In this model, the human simply sidesteps your security layers the same way a penetration tester does, only they aren’t going to stop.

According to McQuarrie, the danger in a human-operated ransomware attack is that you are more likely to have longer-running downtime. The reason for these long stretches of downtime is that shutting down your systems isn’t the only goal. In addition to encrypting systems, the thieves will have stolen your most sensitive data and will extort money from you to keep them from publishing that data. So, even if you negotiate access with a ransom, or if you have a stellar continuous backup plan that enables you to quickly restore operations, you still have to deal with extortion. As discussed last week, cybercartels have to ensure accurate financial returns for their investors, who are very scary people one would not want to disappoint or owe money. Therefore, the bad actors are determined to get their money from you one way or another. That leads us to Trend #6.

Trend #6: Disclosing and Selling Your Sensitive Data

“Many groups, like darksupp (a Russian actor offering DarkSide ransomware), publicize their victims on blogs and threaten to leak information if they don't pay the ransom – extortion,” says McQuarrie. This trend also fits nicely with the new criminal corporate strategy, because it gives attackers one more avenue to ensure they can deliver the ROI they promised to criminal investors up front. Also, if cybercartels like darksupp or DarkSide always played nice, giving you access to your systems as soon as you pay, the fear element behind their success would eventually be lost. That would be like a band of pirates who never made anyone walk the plank. Eventually, they have to make good on threats to publish your data, forcing you to reckon with potentially devastating legal and compliance quagmires and making you more likely to cough up their ask.

Trend #7: Healthcare & Public Market Seeing Surge in Ransomware, Data Leaks

The surge in Healthcare and Public Market attacks has been building for some time, but the 2021 version is more serious, because in most cases, victim data is leaked. According to a recent report from the Health Sector Cybersecurity Coordination Center (HC3), Conti and Avaddon were the two biggest ransomware groups playing in this space. Others observed include Mespinoza/Pysa, Astro, and REvil/Sodinokibi. The report notes that the “vast majority of global ransomware incidents targeting the HPH sector so far this year impacted organizations in the Health or Medical Clinic industry, or the Healthcare Industry Services sector.”

Half of all compromised hospitals around the globe tracked by this study were located in the US. Of the 48 ransomware incidents in the United States healthcare sector tracked by HC3 this year, victim data was leaked in at least 72%. The leaks took the form of full file dumps, screenshots, or samples. Based on HC3 observations of ransomware blogs, data leaks ranged from just a few screenshots to as much as terabytes of victim data.

Trend #8: Bad Actors Leveraging Your Cyber Insurance Policies

In the first 7 trends, we see a layout of tactics being used by attackers to navigate around your defenses and access key business intelligence. Two gems they seem to be mining from systems are 1) who your cyber insurance provider is and 2) how much your policy pays. This information could be scraped from a phishing and recon effort on your insurance provider, or simply by getting into your emails and files to find what they need to know. “Once this information is known,” McQuarrie says, “they will uncover and capitalize on exactly how much the victim’s policy will pay out.” This is a trend all insurance providers, including local branches, are probably paying close attention to. This is all bad news for insurance underwriters, because it cuts into their profitability and could drive your rates up in years to come. In the coming year, we may start seeing even more stringent requirements from providers around your security and compliance validations, or particular technologies they want you to have in place before insuring your organization.

In Conclusion

There really isn’t a business too large or too small to evade the impact of these next-level ransomware attacks. Even if your organization is able to avoid being hit directly, the downstream impact of higher cyber insurance premiums across the board, or the risk of being part of a targeted supply chain, is still there. Also, it’s good to start taking the mindset that if our neighbor loses, we lose. If we want to put an end to this, we each have to not only better protect ourselves, but share threat intelligence and cybersecurity education more freely. We need to help one another mitigate risk. We have an opportunity to support local efforts to build up IT and cybersecurity education in schools. Is there a chance to sponsor a coding club or a Cyber Patriot group? Your business can help. As a matter of principle and self-preservation, we will always be stronger together than we are apart.

In Part III of the Responding to Ransomware series, we will dig into What You Can Do to Protect Yourself.

For more reading on mitigating the risk of ransomware, you can access our Ransomware Prevention White Paper. Or, if you would like help to speed up an ongoing IT security project, monitor endpoints or your network, test what you have in place, or build an updated security roadmap, please know we are available and here to help: Request a Consultation.

