
How Ransomware Attacks Are Changing


There are a lot of different types of malicious software (malware). Viruses and worms directly infect systems for a specific purpose. That purpose can be stealing data or credentials, but it could be any kind of unauthorized task. Older malware could hijack a system to try to mine for cryptocurrency; one highly specific virus was spread benignly across the world until it hit Iranian uranium centrifuges and caused them to malfunction.

Ransomware functions a little differently. Unlike passive attacks, ransomware targets a specific organization (usually through stolen credentials) and then plants an executable that begins disabling security systems and encrypting data. The attackers then follow up with a ransom demand in exchange for restoring access to the data.

Changing Targets and Goals

As with all technology, ransomware is evolving. The first generations of ransomware were specialized and sophisticated pieces of software and required both skilled developers and skilled hackers to take advantage of access. Because of the effort of creating ransomware, early attacks were done by closed, organized groups. Attacks were focused on large enterprise or high-value organizations such as hospitals, government departments, and banks – organizations with large amounts of sensitive data and very deep pockets to pay substantial ransoms.

That trend is definitely shifting. Looking at Thrive’s customer base and incidents over the past year, manufacturing and logistics companies are 7.5 times more likely to be attacked by ransomware than financial services or health care organizations.

On one hand, large enterprises remain a major target because of the likelihood of getting a large payout. The average ransomware demand in 2020 was $200,000; in 2024, it had skyrocketed to over $5 million. However, midmarket organizations typically face smaller payouts, both from slightly smaller demands and from being more likely to try negotiations. In 2020, they were paying as little as $5,000 on average; in 2024, it was over half a million dollars.

There has also been a shift in the different ways that attacker groups extort money.

  • The original extortion tactic was to encrypt key databases or servers and then demand payment for decryption information or access.
  • Increasingly, groups extort payment by threatening to release sensitive information, from employee and client data to patents and confidential information.

And of course, most groups want payments for both.

Changing Technology

The tactics of ransomware attacks are changing because the technology of ransomware is changing. Over the past five years or so, ransomware has shifted from custom, installed software created by underground groups into software-as-a-service. Relatively unsophisticated criminal organizations can partner with ransomware providers to run attacks – frequently working on a commission basis.

New types of ransomware emerge routinely, but three ransomware groups have consistently been at the heart of most ransomware attacks since 2022, at least looking at our Thrive customer base.

Retro Groove: Akira

The main hallmark of Akira is its intentionally retro styling: it has an 80s-style command-line interface (CLI) which appears on affected systems.

Akira tries to avoid detection by using legitimate tools to run processes. It uses different encryption methods for keys and files to make it harder to decrypt, and it stops itself from running in analysis tools to make it harder to reverse engineer. Stolen data files are uploaded to torrent sites.

Unlike other types of ransomware, Akira targets almost exclusively small and medium-sized businesses. It demands payment both for restoring file access and for not leaking stolen data (double extortion), and its ransom demands are usually high.

Akira usually exploits known vulnerabilities in VPNs to steal credentials for user accounts not using multi-factor authentication.

Game’s On: Play

Play is one of the longest-running ransomware families, having emerged in June 2022. Unlike Akira or RansomHub, it is a closed model rather than ransomware-as-a-service.

Part of what makes Play so ominous is that it uses very personal methods to communicate. Play attacks use a unique email address to communicate demands and are usually followed up with a phone call.

Play attacks can complete relatively quickly because it uses intermittent encryption to process files fast. Its executables usually boot into safe mode or use similar system tools to avoid endpoint detection and response (EDR) agents.

Play also makes its binaries hard to identify by using unique file hashes and names for every attack.

Convenient Affiliate Program: RansomHub

RansomHub is one of the newer ransomware attacks, emerging in early 2024. One of the “coolest” things about RansomHub is its financial model. RansomHub is a ransomware-as-a-service that runs a user-friendly affiliate program. Users can prepay for advanced support or customization and can select different levels for commission rates. As with other types of ransomware attacks, RansomHub has the double-extortion model, both for data files and for preventing data leaks.

RansomHub borrows some of the techniques of other ransomware, such as intermittent encryption and disabling EDR and security services. It uses simple but effective ways to cover its tracks, like password-encrypting its configuration files and erasing Windows event logs. RansomHub isn’t selective in what systems it hits – anything on the network, from mainframes to laptops – can be affected.

RansomHub uses malicious plugins in browsers to deliver its payload, and from there, it exploits unpatched systems.

What Makes You Vulnerable

One attack type, years ago, involved a group that would hack a user account at a bank, but then go and physically watch that person performing their duties. They would figure out that person’s normal processes and access, imitate that, and then slowly ramp up until they had admin access and they would dump money from an ATM. This was usually never caught by IT; it would come out after auditing the cash reserves in the ATMs.

That’s not a “ransomware” attack, but it perfectly lays out the same pattern of account exploitation and privilege escalation.

Many customers don’t think they’re big enough or public enough to catch the attention of attack groups, and that leads them to be lax in their typical system maintenance. I consistently see the same pathways to an attack:

  • Brute-forcing VPN or firewall access
  • Exploiting unpatched vulnerabilities on hardware and systems
  • Taking advantage of weak credential requirements for accounts
  • Escalating privileges through poor domain and permissions management for applications and processes
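The first pathway in that list is also the easiest to spot if anyone is looking. The following is an added example (not Thrive’s tooling, and the log format and IP addresses are constructed for illustration): it scans VPN authentication log lines, flags a source address that racks up repeated failures inside a short window, and separately flags a successful login from that address afterwards, which is the moment a brute-forced account without MFA becomes an intrusion.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical VPN appliance format
# (not any real vendor's syntax). Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn auth-failed user=jsmith src=203.0.113.7
2024-05-01T08:00:02Z vpn auth-failed user=jsmith src=203.0.113.7
2024-05-01T08:00:03Z vpn auth-failed user=mlee src=203.0.113.7
2024-05-01T08:00:04Z vpn auth-failed user=admin src=203.0.113.7
2024-05-01T08:00:05Z vpn auth-failed user=kpatel src=203.0.113.7
2024-05-01T08:00:09Z vpn auth-ok user=kpatel src=203.0.113.7
2024-05-01T08:05:00Z vpn auth-failed user=bob src=198.51.100.9
2024-05-01T08:15:00Z vpn auth-ok user=bob src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) vpn (auth-failed|auth-ok) user=(\S+) src=(\S+)$")

def parse(line):
    """Return (timestamp, outcome, user, src) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, src

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window failure counter per source IP.

    Returns a list of (src, alert_kind, detail). A source is flagged once when
    it reaches `threshold` failures inside `window`; any later successful login
    from a flagged source is reported as a likely compromised account.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if outcome == "auth-failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "bruteforce", f"{len(recent)} failures within {window}"))
        elif src in flagged:   # success after a burst of failures
            alerts.append((src, "success-after-bruteforce", f"user={user}"))
    return alerts
```

A single failure from a second address (bob, ten minutes before a legitimate login) falls outside the window and produces nothing, which is the behaviour you want so the alert stays actionable.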

And that’s really the moral of security: security starts with good system administration practices. After that, the key areas for security process planning are:

  • Defining an incident response plan
  • Managing data security
  • User security policies and training