The evolution of ransomware strategies

by Black Hat Middle East and Africa

Welcome to the new 132 cyber warriors who joined us last week. Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA stages.

Keep up with our weekly newsletters on LinkedIn — subscribe here.


Your weekly delivery of interviews and insights from the global Black Hat MEA community. 

This week we’re focused on…

How ransomware attack strategies have changed over time. 

Why? 

Because we interviewed Stuart Seymour (CISO at Virgin Media), and when we asked him how his perspective on security has changed over the course of his career, he pointed out that it has had to change – because threats and threat actors have evolved significantly.

“You need only to look at ransomware,” he said, “originally it was, ‘I will encrypt your data and hold you to ransom for the keys’. That evolved to ‘I will encrypt and exfiltrate’, and then ‘I will encrypt, exfiltrate and put pressure (publicly) for you to comply with my demands’.” 

Shifts in the social engineering strategies used by ransomware groups have happened in conjunction with advancements in the technology available to those threat actors. 

But today, it’s the social engineering tactics that drive the most urgency for ransomware targets – who come under immense pressure to respond, or risk public (and potentially permanent) reputational damage. 

Ransomware has been a persistent threat for decades

In the late 1980s, an early form of ransomware called the AIDS Trojan (or the PC Cyborg) was distributed to targets via floppy disks, which then encrypted file names on the infected system – with the assurance that file names would be decrypted if the victim paid a ransom. 

Moving into the mid-2000s, ransomware including Gpcode and Archiveus leveraged more sophisticated encryption methods that made it more difficult for files to be decrypted without the victim paying the ransom. 

In 2013, the emergence of CryptoLocker marked an important advancement in ransomware techniques: it used military-grade encryption and was distributed via email attachments and botnets. It proved the efficacy of phishing against victims, and launched a new wave of ransomware strains across the internet. 

Three years later in 2016, Petya became one of the first ransomware variants to take a new approach: overwriting victims’ Master Boot Record so that operating systems couldn’t boot until the ransom was paid. By holding the system itself to ransom, it took a more extreme approach than the standard (up to then) practice of encrypting files on a system. 

More recently in 2021, we saw the emergence of Ransomware-as-a-Service (RaaS). 

And then last year in 2023, threat groups including BlackCat/ALPHV and AvosLocker leveraged the potential of RaaS even further – with triple extortion RaaS. This means that RaaS services are able to not only encrypt data and threaten to release it, but also apply additional extortion tactics to form a comprehensive service for attackers. 

Attacks are becoming more complex – and harder to mitigate 

Developments in ransomware technologies are one thing, and the evolution of social engineering strategies that increase pressure on victims is another thing. But together, they form an overall advancement in ransomware that makes it very difficult to defend compromised victims. 

In the field of cybersecurity, research, education and tooling have to take into account both aspects of advancement. We can’t just improve cyber awareness, and we can’t just improve cybersecurity tooling. 

Threat actors are innovating both in the technological factor and the human factor all the time. 

So to stay ahead, the cybersecurity sector must do the same: ensuring that both tech and people are working to increase cyber resilience and mitigate the threat of ransomware for organisations across industries. 

Join the conversation

We want to know about the ransomware advancements that have struck you as the most influential (or dangerous) in recent years. Open this newsletter on LinkedIn and tell us in the comment section. We might get in touch to feature your opinion in a future newsletter. 

Read our full interview with Stuart Seymour: A journey towards leadership in cybersecurity


Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 24 July 2024.

Catch you next week,
Steve Durning
Exhibition Director

Join us at Black Hat MEA 2024 to grow your network, expand your knowledge, and build your business.
