
Responding to Ransomware Series, Part I : 8 New Ransomware Trends You Need to Know About - An Interview with Kerry McQuarrie, Incident Response Engineer

Kerry McQuarrie serves as Senior Incident Response Engineer at TRUE and is a 20-year veteran of enterprise IT and security. She is a certified forensics investigator, and every day Kerry mitigates live versions of the attacks you read about in news headlines.

Coming off the heels of a global pandemic, you would think the businesses that made it through 2020 would be due a moment’s respite. If you read the news at all, however, you already know that cyber criminals are doubling their efforts to take advantage of our economic recovery. They know the money is there for the taking. They’ve upped their game, and sadly, our Incident Response Team at TRUE is as busy as it has ever been with new clients who have fallen prey to attack. The fact is, this year’s ransomware attacks have made it clear that what you are facing is next level, and the criminal organizations behind them are, too. Forget the image of a 14-year-old building a ransomware strain from his mom’s basement and sending it into the wild to see what sticks. Today’s criminal hackers are professionals who have done their homework. They know exactly which people in your organization are easy prey, precisely what your cyber insurance policy will pay, and the perfect time to hit you for the best impact. They are coming at you with layered, targeted attacks like the REvil Kaseya attack.

In fact, today’s cartel-style hacking groups probably look more like a Silicon Valley tech startup than a gang of wily teens. We are talking about corporate business models, hierarchical structures, defined processes, growth plans, secure communications strategies, and even tech support to help you decrypt your systems when they feel like honoring a ransom. Like startups, cybercartels are also now seeking investors to help them hire talent with specialized skill sets and backgrounds. So, what do these changes mean for IT and security leaders? I caught up with Senior Incident Response Engineer Kerry McQuarrie to get the details you need, straight off the front lines: What key attack strategy changes have we seen over the last year? What factors are driving these changes? How can people prepare for these attacks?

Trend #1: The Reasoning Behind High-Profile Attacks

With the new, businesslike structure of cybercartel ransomware groups, we should not be surprised that each of these cells/organizations has to prove itself with a headline-grabbing attack in order to gain the attention of new investors. This is in the same vein as a tech startup’s needing to demonstrate proof of concept and viability of product. Shocked that criminals have investors too? Don’t be. Anyone who wants to get ahead in business – whether above or below board – needs mindshare, and mindshare takes money. As anyone who has tried to hire cybersecurity talent lately knows, technical expertise is particularly pricey. For these groups, high-profile hacks are the best way to get the attention of big-time mafia investors.

Case in point: REvil pushed out the JBS Foods attack just a few months before they leveled the widespread, particularly dangerous Kaseya attack that sought a record $70m. Looking at it from the outside, it would appear they may have followed the Attack-Investment-Bigger Attack model. If this was the case, the JBS attack put them in a position to take on more investment from major organized crime syndicates, and potentially support from nation states who stand to gain from their attacks, according to McQuarrie. It will be interesting to see if US or international intelligence organizations release information confirming or challenging this hypothesis. Until then, it’s safest to assume that one attack is never the end, and be sure you are not in a position where your only option is to pay a ransom and fund criminal enterprise. The last thing we need is a recruiting season that will beef up the cybercartels’ staff, innovation, research and reconnaissance work, and fuel the next big attack.

McQuarrie points out that many attacks are the result of a multi-year effort, which explains how bad actors are able to come in so prepared out of the gate, with all the reconnaissance and intel needed to circumvent standard cybersecurity layers and responses. What that means for organizations that want to protect themselves is this: if your attacker is willing to spend years improving their strategy to ensure a successful attack, it would be wise to spend an equal or greater amount of effort on your own cybersecurity strategy. It might be time to up the ante on improving your security-IT collaboration, as well as coordination, efficiency, and measured improvement rates within your internal security program. For example, if you are still on the fence about adding MDR/XDR to your arsenal, or you aren’t sure if you should schedule tabletop testing for your organization’s Incident Response Plan, maybe lean in the direction of YES.

Trend #2: Decrease in Home Ransomware

Certainly, you still want to lock down those IoT devices and apps at home, but for a different reason than you may think. Attackers are no longer interested in locking you out of your home automation until you pony up $500 or $1000. What they’re after are the keys to your organization’s systems. You’ll be a target if you have any level of company access, especially because so many people are working from home now. You don’t want to be a conduit for attacks. Home firewalls, MFA, secure Wi-Fi, and any other security measures your organization has available are still recommended. The point is that you are not the end goal. Your organization is.

Trend #3: Spearphishing is Back

Spearphishing is not new, but it remains at the top of the list of most effective attack vectors. This is not a situation where your organization sees an obvious email sent to many people at once, asking them to log back into systems or confirm passwords. That’s more of a wide-net approach. In spearphishing, attackers know exactly who they are going after, using a combination of publicly available information and information recovered from past breach data dumps to create very believable emails sure to make your executives click.

Consider this from the perspective of a tech startup model. Attackers are accountable to boards, leadership, and investors for predictable results. To ensure their time spent yields the predicted payoff within the predicted amount of time, they are going to work smarter, not harder, at every turn. This approach allows attackers to begin observing your users unseen, quickly learning what data or systems are most important to you, as well as enabling them to lift access credentials in the process.

Trend #4: RAT and RDP-Based Distributions On the Rise

RATs, or Remote Access Trojans, are a means of watching everything you do on your computer from a safe distance, typically unnoticed. McQuarrie explains, “In the same way you can remote into your desktop, they are essentially doing the same thing. During this observational time, a sort of hands-on reconnaissance, they can gather your passwords, see where your most sensitive data is, basically any kind of stealthy actions a criminal mind could conceive of with total access to your desktop.”

Again, Remote Desktop Protocol (RDP)-based attacks have become especially relevant because the vast majority of our workforce transitioned to remote working scenarios last year. The troubling trend here is not that bad actors can deliver malware and ransomware via an RDP server, but how quickly attackers pivoted to adjust their methodology to accommodate the way most people are working now. In most cases, they are evolving faster than organizations are able to complete the planned, secure digital transformation projects that would protect them.

Whereas it might take you a year or more to complete a project that would offer more efficient, more secure remote connections for your employees who will be staying remote, attackers can simply change their methodology overnight and attack you where you are most vulnerable in the meantime. The City of Oldsmar, FL water plant attack was a perfect example of this danger. Attackers remotely tampered with chemical levels, raising the amount of sodium hydroxide to be released into the town’s water supply. Fortunately, a supervisor caught the attack and was able to return levels to normal before any damage could be done. This illustrates, however, the increased risk during a worldwide work-from-home scenario, and the need for around-the-clock security.

The drastic uptick in these attack types makes sense in conjunction with longer-running, more targeted attacks. When criminals were simply writing code and sending it out into the wild, it was anybody’s guess who would get hit and when. Now, criminals want to figure out who is most vulnerable, and exactly where to hit them to get the most out of their efforts, before doing anything in your environment that will trigger your awareness of their presence.
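The RDP trend above is one a defender can actually watch for in logs. The following is an added example, not code from the article or from TRUE: it runs a few simple checks over constructed Windows Security log lines (Event ID 4624 successful logons with Logon Type 10, the RemoteInteractive type used by RDP, and Event ID 4625 failed logons). The pipe-delimited line format, the trusted VPN range, the office-hours window and the failed-logon threshold are all assumptions chosen for the example.

```python
"""Surface risky RDP logons from a handful of constructed Security log lines.

Added example (not from the original article or from TRUE). Windows Event IDs
4624 (logon succeeded) and 4625 (logon failed) are real; Logon Type 10 is the
RemoteInteractive type that RDP sessions produce. Everything else here, the
line format, the trusted network, office hours and thresholds, is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed corporate VPN range that legitimate RDP sessions should come from.
TRUSTED_NETWORKS = [ip_network("10.50.0.0/16")]
# Assumed local business hours for interactive remote sessions.
OFFICE_HOURS = (time(7, 0), time(19, 0))
# Failed logons from one source that we treat as a password-guessing burst.
FAILED_LOGON_THRESHOLD = 5

# Constructed log lines: timestamp | event id | account | logon type | source ip
SAMPLE_LOG = """
2021-07-12T09:15:02 | 4624 | jdoe | 10 | 10.50.3.21
2021-07-12T23:41:10 | 4624 | jdoe | 10 | 10.50.3.21
2021-07-12T02:03:55 | 4625 | administrator | 10 | 203.0.113.77
2021-07-12T02:03:57 | 4625 | administrator | 10 | 203.0.113.77
2021-07-12T02:03:59 | 4625 | administrator | 10 | 203.0.113.77
2021-07-12T02:04:01 | 4625 | administrator | 10 | 203.0.113.77
2021-07-12T02:04:03 | 4625 | administrator | 10 | 203.0.113.77
2021-07-12T02:04:20 | 4624 | administrator | 10 | 203.0.113.77
2021-07-12T10:30:00 | 4624 | svc_backup | 3 | 10.50.8.4
"""


@dataclass
class LogonEvent:
    timestamp: datetime
    event_id: int
    user: str
    logon_type: int
    source_ip: str


def parse_line(line: str) -> LogonEvent:
    """Parse one pipe-delimited, pre-normalised log line (assumed format)."""
    ts, event_id, user, logon_type, src = [f.strip() for f in line.split("|")]
    return LogonEvent(datetime.fromisoformat(ts), int(event_id), user,
                      int(logon_type), src)


def is_trusted_source(ip: str) -> bool:
    """True when the source address falls inside an allow-listed network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed or missing address: never trust it
    return any(addr in net for net in TRUSTED_NETWORKS)


def within_office_hours(ts: datetime) -> bool:
    start, end = OFFICE_HOURS
    return start <= ts.time() <= end


def analyze(lines):
    """Return (reason, event) findings for the given log lines, in order found."""
    events = [parse_line(line) for line in lines if line.strip()]
    findings = []
    failures = defaultdict(list)  # source ip -> failed logon events
    for ev in events:
        if ev.event_id == 4625:
            failures[ev.source_ip].append(ev)
            continue
        if ev.event_id == 4624 and ev.logon_type == 10:
            if not is_trusted_source(ev.source_ip):
                findings.append(("rdp_from_untrusted_source", ev))
            elif not within_office_hours(ev.timestamp):
                findings.append(("rdp_outside_office_hours", ev))
    burst_sources = {src for src, evs in failures.items()
                     if len(evs) >= FAILED_LOGON_THRESHOLD}
    for src in burst_sources:
        findings.append(("failed_logon_burst", failures[src][-1]))
    # A successful RDP logon from a source that just produced a burst of
    # failures is the strongest signal in this small set of checks.
    for ev in events:
        if ev.event_id == 4624 and ev.logon_type == 10 and ev.source_ip in burst_sources:
            findings.append(("rdp_success_after_failed_burst", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in analyze(SAMPLE_LOG.strip().splitlines()):
        print(f"{reason:32} {ev.timestamp} {ev.user} from {ev.source_ip}")
```

In a real environment the same three questions (is the source allowed, is the time plausible, did failures precede the success) are what an MDR/XDR rule or a SIEM correlation search would answer continuously; running them by hand over exported events is a reasonable first step for a team that does not yet have that tooling.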

In Conclusion

The first thing many organizations do when entering a new space is to review competitors. Who do you have to equal or surpass to gain a share of the market? In this case, you want to look at who is on the other side of the cybersecurity chess board. As you see how seriously criminals are taking you, as a target, you may want to adjust your strategies and defenses accordingly. We are always here to support you in that effort, or if it’s too late, help you remediate an incident, then help you get to a better position going forward.

Next week in our series, we will explore trends 5-8 from Kerry McQuarrie. For more reading on mitigating the risk of ransomware, you can access our Ransomware Prevention White Paper. Or, if you would like help to speed up an ongoing IT security project, monitor endpoints or your network, test what you have in-place, or build an updated security roadmap, please know we are available and here to help: Request a Consultation.


Incident Response Hotline: For cybersecurity emergencies, you can reach us at soc@truedslabs.com  or 918-524-9455.
