Ransomware Is Changing: Why Threat Intelligence is Essential

Posted: 13th June 2023
By: Chad Knipschild
The threat of ransomware is persistent: a staggering 49% of organizations reportedly fell victim to ransomware attacks in the past two years, according to Splunk’s State of Security. Ransomware is also prolific: Recorded Future’s Insikt Group discovered over 100 new variants thus far this year. The constant evolution of ransomware has left a trail of financial losses, data breaches, and operational disruptions in its wake, underscoring the urgent need for robust defenses and threat intelligence capabilities.

While it's easy to delve into the perils of ransomware, I want to shift our focus to how this malicious threat emphasizes the crucial role of effectively employing threat intelligence as part of your defensive strategy. Government policies are not sufficient to safeguard against these relentless attacks. It is the responsibility of individuals and organizations alike to take proactive measures to protect themselves. By staying abreast of the latest ransomware trends and investing in comprehensive threat intelligence, organizations can fortify their defenses, outmaneuver attackers, and minimize ransomware’s operational risks.

Recent Trends in Ransomware

In recent years, there has been an increase in ransomware-as-a-service (RaaS) offerings by threat actors. This makes it possible for less technically capable cybercriminals to conduct attacks, because they don’t need the expertise required to develop software or maintain infrastructure, and in some cases they have technical support.

However, our Insikt Group has recently observed a shift away from RaaS towards independent actors. Allan Liska, a ransomware expert with over 20 years of experience in information security, often refers to this trend as "Franken-ransomware": leaked code that is repurposed by independent actors, as seen in the ESXi campaign. This shift makes it easier for individuals to develop malware strains with slight modifications, making the landscape of actors even more diverse and the tracking and detection of new ransomware far more difficult.

Government Policies are Not Enough

While governments have made efforts to combat ransomware, including enacting laws and regulations and increasing law enforcement resources, these measures have not been enough to stem the tide of attacks. The takedowns of Hive's infrastructure and the Genesis marketspace early this year have likely helped prevent some ransomware attacks and made it clear to the ransomware community that the US and the international community are making efforts to protect organizations around the world, as discussed in Allan Liska’s podcast with Dark Mode.

Recorded Future’s 2022 Adversary Infrastructure report also supports the thesis that ransomware attackers are constantly evolving the infrastructure they use, thereby making it difficult for policymakers and law enforcement to keep up. As a result, it's up to individuals and organizations to take steps to protect themselves and respond effectively to attacks.

The Need for Threat Intelligence

Real-time threat intelligence provides proactive protection against ransomware attacks by delivering information on threat actors, their tactics, and targets. This enables organizations to mitigate operational risks and safeguard their assets.

Threat intelligence from Recorded Future “lets us see trends, like ransomware-as-a-service groups like REvil coming up again and again, and that they tend to use the same kinds of mechanisms to access,” describes an Information Security Manager from Elexon, a utility company. Elexon specifically uses Recorded Future to help them prioritize risk and keep pace with ransomware actors as “hackers keep getting smarter and more professional,” the manager continued.

Through the use of Recorded Future’s modules, specifically Threat Intelligence and Identity Intelligence, you can begin to understand the operational risk ransomware poses and the actions you can take to stay ahead of it. The Threat Intelligence module provides access to threat actor and malware maps, which show and prioritize, in real time, the threats that are most relevant to you. From there, you can pivot into intelligence cards to identify and implement blocks or alerts for the indicators or behaviors of ransomware and the threat actors who use it. With our threat hunting playbooks, you can also be proactive, hunting for indicators across your network before you’re attacked.

Image: Malware threat map, visualizing the malware that is most prevalent based on your unique threat landscape

Combined with the Identity Intelligence module, you gain additional visibility into compromised credentials for your employees and customers. This allows you to block access and reset credentials to prevent initial access by ransomware actors.

Image: Identity Intelligence dashboard, surfacing critical identity compromises related to employees and customers

With Recorded Future, you can stay one step ahead of ransomware threats, protecting your data, systems, and reputation from the devastating impact of these attacks. Try our free products including:

Or schedule a demo today to learn more about how Recorded Future can reduce operational risk, protecting you against ransomware.