How to bolster cybersecurity against the ransomware evolution

Organizations face new cybersecurity challenges as ransomware groups raise the stakes by exploiting unconventional programming languages.

In brief

• Ransomware threat actors are evading detection and targeting a wider group of victims by using unconventional programming languages.
• The disturbing emergence of the ransomware as a service business model has increased the potential for more ransomware attacks.
• To mitigate these threats, organizations need to take proactive measures, such as managing user permissions and training employees in cybersecurity awareness.  

Ransomware has been a persistent and evolving threat in the cybersecurity landscape. Over time, threat actors behind ransomware attacks have been adapting and devising new techniques in a bid to stay undetected and maximize their impact. According to the EY 2023 Global Cybersecurity Leadership Insights Study, organizations face an average of 44 significant cyber incidents a year and take an average of six months or longer to detect and respond to an incident. Advanced adversaries are harnessing cutting-edge technology to amplify the pace and scope of their assaults, leading to mounting financial, regulatory and reputational consequences.

Another significant development in the evolution of ransomware is the emergence of the ransomware as a service (RaaS) business model. This model allows threat actors to offer ready-to-use ransomware software and tool kits to individuals who lack the technical skills to develop their own. This service model has several implications. Firstly, it enables broader participation in ransomware attacks as anyone can access and use the ransomware software. Secondly, it increases the frequency of attacks, amplifying the overall threat of ransomware.

BlackCat and Black Basta were the most frequently detected variants of ransomware worldwide in the second quarter of 2023, followed by Royal and LockBit 3.0.1 The notorious BlackCat ransomware group has capitalized on the aforementioned trends, targeting high-profile companies with considerable success.

Sophisticated and customizable attacks

BlackCat — also known as ALPHV — is one of the first major ransomware families to be written in Rust, with the ability to target systems on multiple operating systems beyond Windows, such as Linux and VMware ESXi.  

The BlackCat ransomware group operates on the RaaS model, taking a percentage of ransom payments. It employs a triple extortion tactic — which includes data encryption, the threat of data publication and possible distributed denial-of-service attacks — to coerce victims for payment.

By leveraging Rust’s capabilities, BlackCat ransomware facilitates sophisticated, customizable attacks across multiple platforms, posing significant challenges for analyses in sandbox environments. It uses an access token to decode the ransomware’s configuration. Once the correct token is provided, the ransomware decrypts a runtime configuration file dictating its behavior, including encryption methods, credentials and processes to block. If it’s not initially granted administrative permissions, the ransomware exploits Windows User Account Control to gain these privileges. Once these are secured, the ransomware creates child processes to perform various operations. These include deleting volume shadow copies, modifying registry keys and clearing event logs while trying to spread by logging into other device accounts or mounting hidden partitions.

Regular updates of all software — including operating systems and applications — are crucial to patch vulnerabilities. Another key action is the management of user permissions by limiting user access rights and using strong, unique passwords with multifactor authentication.

Emerging ransomware trends and major threat actors like BlackCat have raised the stakes for organizations as they threaten organizational data, reputation and competitiveness like never before. Therefore, the importance of proactive, comprehensive measures that mitigate their impact based on an understanding of the modus operandi of threat actors and employee education in cybersecurity awareness cannot be understated.