2021 the year of commodity ransomware, says Sophos

Sophos researchers anticipate a trickle-down effect in the cyber criminal underground

Small-time cyber criminals with access to commoditised, menu-driven, ransomware-as-a-service (RaaS) type tools such as Dharma will become a more dangerous threat in the next 12 months as the tools and techniques pioneered by big game hunting gangs trickle down through the underground ecosystem, according to research produced by SophosLabs security researchers, threat hunters and rapid responders.

In the Sophos 2021 threat report, the firm’s stable of experts cast their eyes over the coming year in cyber security, and given the volume of high-profile ransomware attacks that have taken place in 2020, it should not come as a surprise to learn that they believe this is one trend that is not going away.

The report states that groups such as Ryuk and Ragnar Locker – and possibly Maze if, as believed, it has not really shut down, merely evolved – that target large enterprises with multimillion-dollar ransom demands and double extortion attacks would continue their work, but entry-level, apprentice-type attackers targeting high volumes of smaller prey will become a live threat.

“The ransomware business model is dynamic and complex. During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative ‘cartels’,” said Chester Wisniewski, principal research scientist at Sophos.

“Some, like Maze, appeared to pack their bags and head for a life of leisure, except that some of their tools and techniques have resurfaced under the guise of a newcomer, Egregor. The cyber threat landscape abhors a vacuum. If one threat disappears, another one will quickly take its place. In many ways, it is almost impossible to predict where ransomware will go next, but the attack trends discussed in Sophos’s threat report this year are likely to continue into 2021.”

Sophos said it can be useful for defenders to think of “successful” malware and ransomware gangs as somewhat akin to successful software startups – scrappy to begin with, but eventually earning a loyal following and either selling or licensing their tools. It refers to this as crimeware-as-a-service (CaaS) and believes it is poised to be a “new normal” in cyber crime next year.

Emotet is one of the more notorious examples of CaaS malware. It exists mainly to deliver other malware to its targets’ systems and “seems to be centred around a smooth experience for the would-be criminal”.

Dharma also fits into this bracket. Described by Sophos as “ransomware with training wheels on” and pitched at aspiring cyber criminals who are learning the ropes, its users pay a subscription fee to get their hands on the payloads, and split the proceeds of attacks with the operators. Dharma maintains a “fixed, small ransom”, Sophos noted.

“As attackers branch out into specialties and sub-specialties, it seems the business model in which criminals work with independent contractors, freelancers and affiliates is one that doesn’t seem to be going away any time soon,” said the researchers.

Some users of commodity malware, loaders and botnets will demand additional attention in 2021, because some operators will not hesitate to sell access to compromised systems to a larger and more “professional” ransomware operation such as Ryuk. Although such threats can be dismissed as low-level, everyday noise, Wisniewski said it is increasingly clear that defenders need to take them seriously when they spot them.

“Any infection can lead to every infection. Many security teams will feel that once malware has been blocked or removed and the compromised machine cleaned, the incident has been prevented,” said Wisniewski.

“They may not realise that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys, possibly in the middle of the night or on the weekend. Underestimating ‘minor’ infections could prove very costly.”

The full Sophos report, which is now available for download, analyses a number of trends likely to be important in the coming months. These include more detail on the security challenges cloud environments are likely to keep facing next year as they continue to bear the brunt of high volumes of remote workers, as well as the wider impact of the Covid-19 pandemic on security, which is not set to diminish any time soon.
