2021 saw threat actors turn the dial-up on ransomware, with several high-profile attacks against major corporations and critical infrastructure. Overall, there were five standout trends that shed light on the emerging tactics and strategies hackers are using to gain access to company networks.

1. Ransomware-as-a-Service became the model of choice

Ransomware-as-a-Service (RaaS), which enables threat actors to use pre-developed ransomware tools to execute specific parts of their attack, became the go-to model for ransomware attacks in 2021.

With a plethora of RaaS offerings now available on the black market, less-sophisticated hackers are more than capable of delivering successful attacks.

RaaS often operates using a subscription model, where hackers pay a fee to access malware applications. Other RaaS offerings operate under a 'profit-sharing' model, with the aim of building an underground network of affiliates and sub-groups who each specialise in different attacks.

One example of this profit-sharing model is 'initial access brokers' (IAB), who use mass-scanning tools to probe thousands of organisations and find vulnerable targets. After accessing company networks, IABs then sell the access details on the black market, with the sale price determined by the size and value of the victim.

IABs often become affiliates, partners or subcontractors of other ransomware networks and receive a cut of the ransom in exchange for their services, presenting them with additional revenue streams.

However, increased profit share also leads to more risk, as partners and affiliates perform most of the dirty work. Any mishap or failure could easily lead to them being identified by investigators and reprimanded with heavy penalties.

2. The rise of custom-made ransomware

Many ransomware groups now use bespoke ransomware, which is customised based on a certain victim's network structure and, therefore, more difficult to detect than generic ransomware.

Generally, most ransomware threats fall into the category of executable files, which target Windows OS. However, as threat actors have gained more knowledge of modern enterprise environments, they have introduced new threats capable of targeting Linux-based hosts, including those used for file storage and virtualisation, such as VMware ESX.

As soon as new vulnerabilities emerge, threat actors will quickly add these to their arsenal and prey on any organisations that haven't swiftly patched their systems.

Once attackers have gained access to a victim's network, their goal is to remain undetected for as long as possible. They frequently adopt a "low and slow" approach to data theft to avoid detection by cybersecurity teams while they exfiltrate data.

Many ransomware groups will also review a victim's financial records to locate details of cyber insurance policies and determine the maximum ransom that will be paid under it.

3. Big-game hunters extort victims

As ransomware groups have become more sophisticated, their targets have also grown more ambitious. In 2021, hackers turned their attention to "big game hunting" – that is, stealing data from bigger companies who are more likely to pay the ransom than smaller organisations and individuals who don't have the means to do this.

Ransomware groups have realised that they don't even need to encrypt data to succeed; they just need to threaten to make it public. Many large corporations with highly sensitive data are willing to pay the ransom to keep it confidential.

For example, the exposure of personal identifiable information (PII) such as ID cards and account details can result in hefty fines and reputational damage. In contrast, the leaking of intellectual property (IP) can result in loss of competitive advantage and wasted research costs. The bigger the target, the more likely they will pay the ransom.

Ransomware groups are constantly evolving their extortion methods – for example, they often contact an organisation's customers, employees and even the media to alert them of the compromised network.

Some won't work without third-party negotiators, while others tell their victims to pay quietly without alerting the relevant authorities or face additional consequences.

4. Targeting the weakest links in the supply chain

One very notable tactic used by threat actors in 2021 (particularly those from nation-states) was software supply chain attacks, where hackers only require a single entry point to gain access to higher-value corporate networks throughout the supply chain.

For example, organisations across every continent held their breath as news of the infamous Kaseya attack spread, with over 1,000 victims.

Unlike the traditional tactic of choosing a target organisation and deploying ransomware to gain access into their network, ransomware groups sought to compromise a widely used software supplier instead, giving them access to all of an organisation's customers as well---drastically increasing the scale of the attack.

This type of attack became more common in 2021 and will continue to do so in the next few years.

5. Commodity malware

In 2021, deploying ransomware became almost as easy as ordering takeaway online. Commodity malware is essentially an application that hackers can purchase or download freely online and continues to be widely adopted by everyone from organised cybercriminal groups targeting major corporations to script kiddies looking to make a few bucks online.

Some key examples of popular commodity malware include njRAT, Formbook, NanoCore, Lokibot, Remcos, AZORult, Netwire, Danabot and Emotet.

Article by Varonis APJ vice president, Scott Leach.