A blueprint for fighting ransomware in 2025

COMMENTARY: Despite ongoing law enforcement crackdowns on groups such as LockBit and Hive, ransomware operators have adapted and grown more sophisticated, with new groups entering the scene and established gangs refining their tactics.

The dominance of certain ransomware groups has shifted, with newer actors gaining traction and legacy operators evolving their strategies. A significant development has been the emergence of RansomHub as a leading ransomware operation, surpassing previously dominant groups. This shift signals a diversification of threat actors and highlights the adaptive nature of ransomware groups.

We can attribute RansomHub's success to its efficient operational model, aggressive targeting, and innovative extortion tactics. The group employs multi-layered extortion, combining data encryption with threats of public exposure and legal repercussions for victims. This approach increases pressure on organizations to comply with ransom demands, often leading to higher payouts.

Additionally, groups such as BianLian have refined their methods, moving away from traditional encryption-based ransomware to a data theft extortion model. This tactic focuses on exfiltrating sensitive information and leveraging it as the primary means of coercion. Because no files are encrypted, the endpoint controls built to spot and block mass encryption never trigger, so these actors maintain operational effectiveness and exploit a gap in security programs that treat ransomware purely as an encryption problem.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

We’ve also seen the rise of groups such as FunkSec that lean on AI tooling to increase attack efficiency, automate reconnaissance, and personalize phishing lures, raising the likelihood of a successful intrusion. AI-assisted campaigns present a significant challenge for defenders because they can adapt quickly to new security measures and tailor attacks to specific environments.

The expanded ransomware ecosystem

The ransomware ecosystem has grown significantly, with an increasing number of groups entering the fray. Over the past year, dozens of new ransomware operations have been identified, further complicating the threat environment. This proliferation has been driven by the accessibility of Ransomware-as-a-Service (RaaS) platforms that let less sophisticated threat actors launch highly effective attacks with minimal technical expertise.

The financial impact of ransomware attacks has also intensified, with ransom demands and payments reaching unprecedented levels. Median ransom payments have surged, reflecting the increasing sophistication and targeted nature of attacks. Organizations facing ransomware incidents are often left with little choice but to pay, particularly in sectors where downtime can result in critical disruptions.

The reliance on double and even triple extortion tactics has contributed to the rising financial toll. Threat actors now employ a combination of data encryption, public exposure threats, and Distributed Denial-of-Service (DDoS) attacks to maximize pressure on victims. These multi-pronged extortion schemes have proven highly effective, making ransomware an even more lucrative criminal enterprise.

Sector-specific ransomware threats

While ransomware remains a pervasive threat across all industries, certain verticals are particularly vulnerable because of their operational dependencies and the sensitivity of their data. The healthcare sector remains a prime target, with hospitals, clinics, and healthcare providers facing persistent attacks. Ransomware incidents in healthcare settings can have life-threatening consequences, disrupting patient care and critical medical operations.

The manufacturing sector has also experienced a surge in ransomware activity. As manufacturers rely on interconnected operational technology (OT) systems, attackers are targeting these environments to disrupt production processes and extort ransoms. The integration of IT and OT systems has created new attack surfaces, and ransomware operators are exploiting these vulnerabilities to cause maximum damage.

The financial sector also remains a high-value target because of the wealth of sensitive information it handles. Ransomware attacks on financial institutions cause monetary losses and also pose regulatory and reputational risks. Threat actors continue to refine their tactics, using highly targeted phishing campaigns and exploiting vulnerabilities in financial transaction systems to gain access.

Trends shaping the ransomware business

Several trends are shaping the future of ransomware threats. The increasing use of initial access brokers (IABs) has streamlined the attack process, allowing ransomware operators to purchase pre-compromised access to networks. This trend has led to faster attack execution and reduced the time required to achieve objectives.

The evolution of ransomware tactics also includes the adoption of wiper malware masquerading as ransomware. In these cases, attackers deploy destructive malware that permanently destroys data while still demanding a ransom payment. This tactic adds complexity for defenders and undermines any recovery strategy that counts on obtaining a working decryptor from the attacker: no payment brings the data back, and only backups the attacker could not reach will.

Law enforcement actions have had a limited impact on curbing ransomware activity. While high-profile takedowns have disrupted individual operations, new groups quickly fill the void. Ransomware operators have become increasingly resilient, leveraging decentralized infrastructure and anonymized payment methods to evade detection and law enforcement efforts.

Defensive strategies to consider

Organizations looking to mitigate ransomware must adopt a proactive and multi-layered defense strategy. Defensive measures include:

  • Comprehensive backup strategies: Regularly backing up critical data, keeping copies offline or otherwise out of reach of a compromised domain, and routinely testing restores can help organizations recover from ransomware attacks without paying a ransom.
  • Employee training and awareness: Phishing remains one of the primary infection vectors for ransomware. Regular training and awareness programs can help employees identify and report suspicious emails and links.
  • Zero-trust security models: Implementing a zero-trust architecture can limit the blast radius of ransomware by enforcing strict, per-request access controls and continuously monitoring endpoint and network activity for encryption and exfiltration behavior.
  • Proactive vulnerability management: Regularly scanning for and patching known vulnerabilities can help prevent ransomware actors from exploiting outdated systems. Teams must prioritize vulnerabilities based on exploitability and business impact.
  • Incident response planning: Having a well-defined incident response plan in place can help organizations respond quickly and effectively to ransomware incidents, minimizing downtime and financial losses.
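The monitoring called for in the zero-trust bullet, and the gap described earlier for data-theft-only groups, come down to watching behaviour rather than file signatures. As an added example (written for this page; it is not tooling from the column or from Critical Start), the script below runs two behavioural rules over a constructed JSON-lines event feed: a mass-rewrite rule that fires when one host overwrites many files with high-entropy content and a new extension inside a short window, and an outbound-volume rule that fires when one host pushes a large volume to a single external address, which is what catches the exfiltration-only pattern that encryption-focused controls miss. The event schema, thresholds, host names and the documentation-range IP addresses are all assumptions.

```python
"""Behavioural ransomware detection over a constructed event log (added example)."""
import ipaddress
import json
import math
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 6.0        # bits/byte; ordinary documents sit well below this
ENCRYPT_WINDOW_S = 60          # look-back window for the mass-rewrite rule
ENCRYPT_MIN_FILES = 20         # high-entropy renames needed inside that window
EXFIL_WINDOW_S = 600           # look-back window for the outbound-volume rule
EXFIL_MIN_BYTES = 500 * 2**20  # 500 MiB to one external destination
# Assumed corporate ranges; anything outside them counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(log_text: str) -> list[dict]:
    """Return alerts for events (JSON lines). 'file_write' events carry a hex
    'sample' of the bytes written and an 'ext_changed' flag; 'net_out' events
    carry 'dst' and 'bytes'. Each (rule, host[, dst]) alerts at most once."""
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    rewrites = defaultdict(deque)   # host -> timestamps of suspicious rewrites
    outbound = defaultdict(deque)   # (host, dst) -> (ts, bytes) within window
    alerted, alerts = set(), []
    for e in events:
        if e["type"] == "file_write":
            if not (e["ext_changed"] and shannon_entropy(bytes.fromhex(e["sample"])) >= ENTROPY_THRESHOLD):
                continue
            q = rewrites[e["host"]]
            q.append(e["ts"])
            while q and q[0] < e["ts"] - ENCRYPT_WINDOW_S:
                q.popleft()
            key = ("mass-encryption", e["host"])
            if len(q) >= ENCRYPT_MIN_FILES and key not in alerted:
                alerted.add(key)
                alerts.append({"rule": key[0], "host": e["host"], "ts": e["ts"], "count": len(q)})
        elif e["type"] == "net_out" and is_external(e["dst"]):
            q = outbound[(e["host"], e["dst"])]
            q.append((e["ts"], e["bytes"]))
            while q and q[0][0] < e["ts"] - EXFIL_WINDOW_S:
                q.popleft()
            total = sum(b for _, b in q)
            key = ("bulk-exfil", e["host"], e["dst"])
            if total >= EXFIL_MIN_BYTES and key not in alerted:
                alerted.add(key)
                alerts.append({"rule": key[0], "host": e["host"], "dst": e["dst"], "ts": e["ts"], "bytes": total})
    return alerts


# Constructed telemetry, not real captures. A permutation of all 256 byte values
# stands in for ciphertext (entropy exactly 8.0); repeated text stands in for a
# normal document. 198.51.100.0/24 (a documentation range) plays the attacker.
_CIPHERTEXT = bytes((i * 37 + 11) % 256 for i in range(256)).hex()
_PLAINTEXT = (b"Quarterly revenue summary, draft v3. " * 7).hex()


def _build_sample_log() -> str:
    ev = []
    for i in range(40):   # ws-17 encrypts 40 files in 30 s, renaming each to .locked
        ev.append({"ts": 1000 + i * 0.75, "type": "file_write", "host": "ws-17",
                   "path": f"\\\\fs-02\\finance\\q3_{i}.xlsx.locked", "ext_changed": True, "sample": _CIPHERTEXT})
    for i in range(25):   # ws-03 saves one spreadsheet 25 times: no rename, low entropy
        ev.append({"ts": 1000 + i * 1.0, "type": "file_write", "host": "ws-03",
                   "path": "C:\\Users\\amy\\budget.xlsx", "ext_changed": False, "sample": _PLAINTEXT})
    for i in range(10):   # ws-03 routine SaaS traffic, 2 MiB a minute
        ev.append({"ts": 1000 + i * 60, "type": "net_out", "host": "ws-03", "dst": "198.51.100.9", "bytes": 2 * 2**20})
    for i in range(7):    # fs-02 pushes 700 MiB to one external host in 7 minutes, encrypting nothing
        ev.append({"ts": 2000 + i * 60, "type": "net_out", "host": "fs-02", "dst": "198.51.100.77", "bytes": 100 * 2**20})
    ev.append({"ts": 2500, "type": "net_out", "host": "fs-02", "dst": "10.0.5.20", "bytes": 900 * 2**20})  # internal backup, ignored
    return "\n".join(json.dumps(e) for e in ev)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, it reports one mass-encryption alert for ws-17 (the twentieth high-entropy rename lands 14.25 seconds in) and one bulk-exfil alert for fs-02 once the rolling total reaches 500 MiB; the busy but benign ws-03 and the internal backup transfer produce nothing. The entropy check matters because a rename alone is noisy (installers, build tools), while a rename to random-looking content in bulk is not; the exfiltration rule deliberately ignores encryption entirely, which is why it still catches the BianLian-style operator.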

Organizations must remain vigilant and adaptive in their defense strategies as ransomware evolves. The increasing sophistication of ransomware groups, coupled with the expanding attack surface, requires a proactive approach to cybersecurity. We’ll also need strong collaboration between the public and private sectors, along with continued investment in threat intelligence and response capabilities.

Looking ahead, it’s essential for organizations to stay informed about emerging ransomware trends and continuously refine their security strategies. The security of our businesses depends on it.

Callie Guenther, senior manager, cyber threat research, Critical Start

Callie Guenther

Callie Guenther, senior manager of cyber threat research at Critical Start, has been tasked with both directorial and engineering responsibilities, guiding diverse functions, including data engineering, cyber threat intelligence, threat research, malware analysis, and reverse engineering, as well as detection development programs. Prior to Critical Start, Callie worked as a cyber security intelligence analyst and served as an information systems technician with the U.S. Navy, giving her a well-rounded understanding of the cyber threat landscape and the administration of secure networks.

LinkedIn: https://www.linkedin.com/in/callieguenther/

X: https://twitter.com/callieguenther_
