The surge in ransomware attacks on cities, municipalities, schools, and healthcare organizations this year is just a foretaste of what is likely come in 2020.

Threat actors have sensed a very real opportunity to make big returns attacking enterprise organizations using ransomware and are refining their tools and techniques to increase their chances for success, say worried security experts.

Some recent developments include growing collaboration between threat groups on ransomware campaigns; the use of more sophisticated evasion mechanisms; elaborate multi-phase attacks involving reconnaissance and network scoping; and human-guided automated attack techniques.

IT and security groups that are already under pressure to respond will be challenged even more by the growing sophistication of the ransomware threat, experts note. While municipal governments, schools, and other perceived "soft" targets will continue to bear the brunt of the attacks, no organization will really be safe.

"We would assume that the larger and more important an organization is, the more attractive a target it poses for extortionists," says Fedor Sinitsyn, senior malware analyst at Kaspersky. But "any company or organization should be aware of [the] threat and plan accordingly," he notes.

With the current reliance on digital infrastructure, any network disruption equals loss of money. Taking into account the disastrous effects of ransomware, the recovery period for some organizations could end up being long and painful, Sinitsyn says.

Going From Bad to Worse

2019 turned out to be a far more active year for ransomware than many might have anticipated given the declining overall volume in attacks last year.

Emsisoft recently estimated that ransomware attacks have cost US government agencies, educational establishments, and healthcare providers alone more than $7.5 billion this year. According to the security vendor, up to December 2019, at least 759 healthcare providers, 103 state and municipal governments and agencies, and 86 universities, colleges, and school districts have been hit in ransomware attacks.

In addition to financial losses the attacks have resulted in emergency patients being redirected to other hospitals, medical records being lost, property transactions being halted, surveillance systems going offline, and other very real-world consequences, Emsisoft said.

Several developments suggest that the situation in 2020 is likely going to be at least as bad, if not actually worse.

One troubling trend is the growth in instances of threat groups collaborating with each other to enable easier delivery of malware. Security firm SentinelOne recently reported on how the operators of the TrickBot banking Trojan have begun selling access to networks it has previously compromised to other threat groups including those seeking to distribute ransomware.

Such collaboration is allowing threat groups to distribute ransomware more easily without having to do any initial breaching of a network on their own.

Carl Wearn, head of e-crime at Mimecast, describes the advent of collaboration across criminal groups with differing specialties as one of the most significant ransomware developments in 2019. "Malware threat actors are increasingly trading their work," he says. "This leads to hackers selling access to already compromised networks."

The highly targeted use of ransomware via precursor infections to ascertain a suitable ransom payment is another big issue, Wearn says.

In many attacks, threat actors have first infected a target network with malware like Emotet and Trickbot to try and gather as much information about systems on the network as possible. The goal is to find the high-value systems and encrypt data on it so victims are more likely to pay.

"If we look at the big picture, we will discover that what is changing is the threat actors' approach to distributing the Trojans and selecting their victims," Sinitsyn says. If five years ago almost all ransomware was mass-scale and the main distribution vector was via spam, nowadays many criminals are using targeted attacks instead.

"Threat actors carry out a reconnaissance in order to find a large corporation or a governmental entity or a municipal network and try to breach their defenses," Sinitsyn says. Since the criminals know with whom they are dealing, they tend to set the ransom amount significantly high.

Another trend to note is the increase in incidents where criminals not only encrypt the victim's data, but also exfiltrate some of it during the infection, Sinitsyn says. It gives the threat actors additional leverage for extorting money. "In case the victim is reluctant to pay up — [because] for example, they have consistent backups offsite — the criminals will threaten to release some of the stolen data into public," he adds. One example of ranomware being used in this way is Maze, a tool that some believe was used in a recent attack on Pensacola, where threat actors are demanding a $1 milion ransom.

Growing Malware Sophistication

A majority of ransomware families deployed in the wild is of the cookie-cutter variety. Even ransomware that uses obfuscation to get around some kind of detection usually ends up being detectable when it starts to actually encrypt files. However, some threat actors are using very sophisticated tools, says Andrew Brandt, principal researcher at Sophos. As one example, he points to ransomware that use "kill lists" to try and terminate anti-malware tools.

Another example is ransomware that sets itself up as a service running in Windows' built-in Safe Mode, then reboots the system into Safe Mode before beginning to encrypt the hard drive, he says. "Booting into Safe Mode effectively terminates nearly all endpoint protection tools," Brandt says. Sophos recently spotted the Safe Boot feature added to Snatch, a ransomware sample used in targeted attacks that the security vendor has been tracking for a year.

"Among the most notable advancements is an increase in ransomware attackers employing automated active attack techniques," Brandt says. These are attacks where threat-actors use automated malware to quickly profile an infected environment and laterally spread within a targeted network or trigger simultaneous infections across multiple machines within the same environment, Brandt says.

Many of the most troublesome recent ransomware campaigns — including those involving Ryuk, Lockergoga, Robbinhood, and Sodinokibi — have involved the use of active attack techniques, according to Sophos.

Kaspersky researchers in December also reported identifying a new type of ransomware targeting Network Attached Storage (NAS) devices that organizations use to back up data. The vendor described the malware as posing new risks for organizations because NAS devices are generally perceived as secure technology.

Going Mobile

If all this wasn't enough, some believe that mobile devices could start getting targeted as well.

Joel Windels, chief marketing officer at NetMotion Software, points to data from the 2019 Verizon Data Breach Investigations Report showing users as more susceptible to phishing attacks on mobile devices, and another report about Chinese hackers breaching 10 global cellular providers. "All of the pieces are in place for an increase in mobile ransomware in 2020," Windels says.

"We expect to see the first concerted ransomware attacks target mobile applications running on Android," he says.

The same combination of factors - unsupported, outdated, and unpatched systems - that led to the surge in ransomware attacks on local governments and others will drive attacks on mobile devices. "As OS fragmentation becomes a bigger issue for Android devices, in particular, many devices are being left unsupported with older software and less frequent security patches," Windels notes.

Related Comments:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Manage API Security."