For most enterprise cybersecurity pros, the major plotline of 2021 has been ransomware. There was Colonial Pipeline, JBS, and Kesaya, creating headlines spanning the gamut of sectors, business sizes, and infrastructural importance.
Yet at Black Hat, one of the premiere cybersecurity conferences of the year, there were zero talks with ransomware in the title.
Compare that with the bevy of motivations for attacks that were covered at Black Hat: stalkerware, surveillance, disinformation and espionage. The social aspects of cybercrime in general were covered, as were specific, notable, real-world campaigns of other kinds.
“For as big a problem as ransomware is, I'm surprised there's not a lot more focus on ransomware,” said Mick Baccio, global security adviser at Splunk.
There were a total of two main-stage talks about ransomware at DEF CON— the second of the two major cybersecurity conferences this week, both in Las Vegas — including a well-stocked panel about potential policy solutions. But for a year dominated by ransomware concerns, the major events were not.
While that may be counterintuitive to executives who spent the year panickedly steeling their company for the crime du jour, the researchers who would normally be submitting the talks said it makes sense.
“It would have been surprising to me, until I was asked about it for the last six months. ‘Victor, talk to me about your normal pentest methodology. Now talk to me how it would be different if we wanted a specific focus on ransomware,’” said Victor Wieczorek, vice president of application security and threat and attack simulation at GuidePoint Security. “I tried really hard to figure out what the differences are, and there's nothing, there's literally nothing different about what you do.”
His point, reiterated by others, is that ransomware brings nothing terribly unique except, in the end, victims may be coerced into paying ransoms. These are crimes of opportunity more than ingenuity. The ransomware operator might get into a network through phishing or a common vulnerability, They might encrypt files, but only by using common encryption techniques. They might launch a DDoS attack, but only using standard methods. They might exfiltrate files, but they leave the same markers as anyone who came to steal the files for any reason at all.
In other words, if you can solve phishing, or identify a new vulnerability, or break common encryption, you have done something that solves far more problems than just ransomware. The damage ransomware can cause is unique, but the back-to-basics technical approach to fighting it could not be more mundane.
“These are the fundamentals you have to do for security,” WieczorekI said.
The breakthroughs in ransomware, with one exception, were in the scope of the attacks. Colonial Pipeline, for example, interrupted the gas supply, but the attack was ultimately caused by a wayward password. The exception was Kaseya, where a REvil deployed a zero-day vulnerability. That is unprecedented for a ransomware attack. It is also, say most experts, unlikely to become much more common in the future than it is today.
“Typically attackers are going to use whatever resources are required to achieve that mission objective, and in most cases you're going to see adversaries operate in a way that allows them to achieve their mission objective as cheaply and quickly and easily as possible,” said Edmund Brumaghin, a research engineer with Cisco’s Talos group. “If there is a mechanism that they can use to achieve their mission objective that doesn't require [a significant] level of resources, you're going to continue to see those types of attacks.”
Just as ransomware is likely to revert to the cheapest methods of attack, ransomware organizations are likely to revert to attacks that do not make the front page of newspapers. Several ransomware groups have publicly announced they would no longer target infrastructure. For them, it may just be too much heat.
“You never want to be on the FBI top ten,” said Splunk distinguished security strategist Ryan Kovar. “You want to be number 11.”
But returning to attacks that are more low key, both in terms of technology and target size, does not mean that the complex economy of ransomware will not continue to evolve to something more dangerous. Ransomware groups have long been corporatized, professionally staffed and reliant on entire supply chains of similarly business-like criminals. There can be as many people involved in creating and deploying a single instance of ransomware as there are trying to defend it.
Add in the influx of capital, and you have a convergence of factors that may require more Black Hat or Defcon talks in 2025.
“What happens then, when you look to the future, is these exceptionally well-financed groups have bigger offense budgets than you've got defense budgets,” asked Alastair Paterson, CEO and co-founder of Digital Shadows.