ey-how-to-bolster-cybersecurity-against-the-ransomware-evolution.jpg

How to bolster cybersecurity against the ransomware evolution

Organizations face new cybersecurity challenges as ransomware groups raise the stakes by exploiting unconventional programming languages.


In brief

  • Ransomware threat actors are evading detection and targeting a wider group of victims by using unconventional programming languages.
  • The disturbing emergence of the ransomware as a service business model has increased the potential for more ransomware attacks.
  • To mitigate these threats, organizations need to take proactive measures, such as managing user permissions and training employees in cybersecurity awareness.  

Ransomware has been a persistent and evolving threat in the cybersecurity landscape. Over time, threat actors behind ransomware attacks have been adapting and devising new techniques in a bid to stay undetected and maximize their impact. According to the EY 2023 Global Cybersecurity Leadership Insights Study, organizations face an average of 44 significant cyber incidents a year and take an average of six months or longer to detect and respond to an incident. Advanced adversaries are harnessing cutting-edge technology to amplify the pace and scope of their assaults, leading to mounting financial, regulatory and reputational consequences.

A significant trend is the adoption of unconventional programming languages —such as Rust and Golang — by ransomware groups. This shift complicates cybersecurity measures and enables the malware to be more versatile across different platforms. BlackCat is a notable example of an emerging ransomware group that has embraced the Rust programming language and gained notoriety for its successful targeting of high-profile companies. Built for performance and memory management, Rust allows the group’s ransomware to run efficiently and evade detection in sandbox environments. Additionally, Rust provides the group with customization opportunities, enabling the ransomware to perform more sophisticated techniques and have different encryption methods for different victims.

Another significant development in the evolution of ransomware is the emergence of the ransomware as a service (RaaS) business model. This model allows threat actors to offer ready-to-use ransomware software and tool kits to individuals who lack the technical skills to develop their own. This service model has several implications. Firstly, it enables broader participation in ransomware attacks as anyone can access and use the ransomware software. Secondly, it increases the frequency of attacks, amplifying the overall threat of ransomware.

BlackCat and Black Basta were the most frequently detected variants of ransomware worldwide in the second quarter of 2023, followed by Royal and LockBit 3.0.1 The notorious BlackCat ransomware group has capitalized on the aforementioned trends, targeting high-profile companies with considerable success.

Sophisticated and customizable attacks

BlackCat — also known as ALPHV — is one of the first major ransomware families to be written in Rust, with the ability to target systems on multiple operating systems beyond Windows, such as Linux and VMware ESXi.  

The BlackCat ransomware group operates on the RaaS model, taking a percentage of ransom payments. It employs a triple extortion tactic — which includes data encryption, the threat of data publication and possible distributed denial-of-service attacks — to coerce victims for payment.

By leveraging Rust’s capabilities, BlackCat ransomware facilitates sophisticated, customizable attacks across multiple platforms, posing significant challenges for analyses in sandbox environments. It uses an access token to decode the ransomware’s configuration. Once the correct token is provided, the ransomware decrypts a runtime configuration file dictating its behavior, including encryption methods, credentials and processes to block. If it’s not initially granted administrative permissions, the ransomware exploits Windows User Account Control to gain these privileges. Once these are secured, the ransomware creates child processes to perform various operations. These include deleting volume shadow copies, modifying registry keys and clearing event logs while trying to spread by logging into other device accounts or mounting hidden partitions.

Download the EY technical analysis of BlackCat ransomware

Mitigating the impact of ransomware threats

Given the evolving nature of ransomware threats, organizations must take proactive measures to mitigate their impact. They should avoid ransom payments as there is no guarantee of file recovery. In case of an attack, immediately isolate the affected system from the internet and notify relevant authorities for investigation and guidance.

They need to implement comprehensive security measures, which include enabling antivirus protection on all devices and allowing real-time scanning to detect and block ransomware installations automatically. It is important to schedule frequent backups of essential data and see to it that the data is easily recoverable in the event of loss.

Besides implementing robust data protection policies and recovery solutions, organizations should also train employees in cybersecurity awareness. This includes educating them on recognizing and frustrating phishing attempts and other malicious activities.

Regular updates of all software — including operating systems and applications — are crucial to patch vulnerabilities. Another key action is the management of user permissions by limiting user access rights and using strong, unique passwords with multifactor authentication.

Emerging ransomware trends and major threat actors like BlackCat have raised the stakes for organizations as they threaten organizational data, reputation and competitiveness like never before. Therefore, the importance of proactive, comprehensive measures that mitigate their impact based on an understanding of the modus operandi of threat actors and employee education in cybersecurity awareness cannot be understated.

Our related articles

Is your greatest risk the complexity of your cyber strategy?

Organizations face mounting cybersecurity challenges. The EY 2023 Global Cybersecurity Leadership Insights Study reveals how leaders respond. Read more.

Why cyber breach detection is a crucial part of your defense strategy

Companies cannot afford to focus only on incident prevention as more cybercriminals breach cyber defenses without the victims’ knowledge. Learn more.


    Summary

    Ransomware continues to evolve, with BlackCat using an unconventional  programming language to target a wider group of victims and evade detection. Implementing proactive security measures is pivotal in mitigating the impact of such threats. Besides avoiding ransom payments, organizations should also implement comprehensive security measures, robust data protection policies and recovery solutions. Scheduling frequent backups of essential data, training employees in cybersecurity awareness, regularly updating all software and managing user permissions are crucial as well.


    About this article

    Authors