Ransomware groups are expected to tweak their tactics, techniques and procedures (TTPs) and shift their business models as organizations strengthen their cybersecurity measures, law enforcement gets better at tracking down threat actors and governments tighten regulations on cryptocurrencies, according to Trend Micro’s latest research paper.
In the report, published on 15 December and titled The Near and Far Future of Ransomware Business Models, Trend Micro highlighted 10 potential evolutions of ransomware groups’ TTPs.
Those include increased use of zero-day vulnerabilities to get initial access to the targets’ networks.
“Current ransomware teams explore options for access such as having separate teams to pen test entry vectors to potential victims’ networks, purchase legitimate credentials from sellers in the underground, or use known exploits for vulnerabilities in any of the software being used by the target. One possible track is for these ransomware groups to allocate resources in developing their own vulnerability research and exploitation teams,” the report reads.
“Moreover, considering the availability of these skills are scarce, another possible income source is when these groups also offer “first to refuse” agreements with known exploit developers: interested parties will pay to have a first look at the exploit and get the right to buy them first before the ‘product’ is offered to the developer’s other clients.”
Another possible evolution in ransomware attacks involves an increasing focus on targeting cloud infrastructure.
“We see these groups potentially diverting in two phases: first, criminals will adapt their current business models to work in cloud environments, treating instances as standard data to be encrypted. Second, they will gain maturity in understanding their targets and cloud environments and create more cloud-specific ransomware families designed specifically with unique cloud services in mind, creating new forms of ransomware attacks.”
Aside from these tweaks, which Trend Micro called ‘evolutions’, the firm also analyzed deeper changes – or ‘revolutions’ – in how ransomware groups monetize their craft, with more threat actors either working for governments or crossing paths with traditional organized crime groups, sometimes at the same time, or shifting towards “other criminal business models that monetize initial access, such as short and distort (stocks fraud), business email compromise (BEC), and cryptocurrency theft.