The 3 Trends Defining Ransomware in 2021

Credit: Getty Images

The explosion of ransomware in 2020 was not a one-off event. As cyber adversaries have only continued to refine their tactics, techniques, and procedures (TTPs) for holding organizations large and small to ransom, 2020 is shaping up to close out as just the appetizer for ransomware gangs before the main course of 2021.

Ransomware outfits like Ryuk, RagnarLocker, and Dharma dominated 2020 with attacks across healthcare facilities, school districts, and IT organizations, striking at the industries that have served as critical lynchpins during this year’s pandemic. Not only have the attacks been devastatingly effective against the victims and lucrative for the attackers, but they’ve also proven that when it comes to ransomware, shame is not part of the equation. IT security teams and managed service providers (MSPs) should expect ransomware gangs to become more shameless and more brutal as they ramp up into 2021 – and prepare accordingly.

Part of that preparation means knowing what to expect. The Sophos 2021 Threat Report has outlined three major ransomware trends that will get worse in the new year, and which MSPs need to take a concerted effort to defend against in order to adequately protect their clients.

1. A widening gap between the big-name and lower-level ransomware attackers

The ransomware business model can be defined by two polar opposites: the bigger name offenders like Ryuk and RagnarLocker on one end of the spectrum, and entry-level attackers like Dharma on the other. Rather than see ransomware offenses shift in favor of one of these ends, we’ll see both become more skilled, resourceful, and threatening in 2021.

The ransomware gangs hunting bigger game, like hospitals or billion-dollar enterprises, will continue honing their TTPs, becoming more evasive and sophisticated in their ability to leverage multimillion-dollar ransoms out of their victims. At the same time, the ransomware-as-a-service (Raas) operators like Dharma who are peddling a menu-driven model of attack methods will increasingly sell to cyber adversaries who are lower down the totem pole. But for what these entry-level groups lack in sophistication, they make up for with pure volume: these Dharma-backed attackers will continue ramping up their “spray and pray” tactic of spamming low-grade ransomware to huge quantities of targets, ultimately yielding just enough success to merit a return on a relatively paltry investment.

MSPs can’t afford to ignore either threat. Both the big-game families and the RaaS-backed gangs will remain persistent, dangerous cyber adversaries in 2021 and a ransomware defense strategy has to provide a bulwark against both.

2. Secondary extortion will become more prominent

Another ransomware trend that will grow even more prolific in the new year is secondary extortion. In these attacks, cyber adversaries aren’t just encrypting an organization’s data for ransom; they’re threatening to steal it outright and publish sensitive, confidential information in a public forum if their demands aren’t met.

A number of ransomware gangs, like RagnarLocker, Maze, Netwalker, and REvil, have all had success with this attack method. Adding another level of threat to the ransomware – not just the inability to access critical information but the fear of having it stolen and published elsewhere – only adds to the urgency among victims to pay ransoms. And because of that, MSPs should expect secondary extortion attacks to grow in frequency and severity, and plan accordingly.

3. Attackers leverage legitimate tools to fly under the radar

Legitimate and commonly used tools, utilities, and network destinations will be abused by cyber adversaries to evade intrusion detection and other security measures. This abuse of standard tools for more sinister purposes has a dual risk of impairing proper threat analysis and attribution as well, making it harder for security teams and MSPs to properly diagnose attacks and identify the attackers behind them.

These techniques are disturbingly effective at keeping attackers under the radar as they perform reconnaissance on a target’s network, tricking automated security systems into not flagging these tools as problematic (because, on the surface, they aren’t). So, it should perhaps be no surprise that attackers will continue to ramp up this method going into 2021.

A secure 2021 relies on MSPs deploying lightning-fast incident response

When it comes to thwarting big-game and low-level ransomware attackers, thwarting secondary extortion attempts, and flagging illegitimate uses of legitimate tools, MSPs need to deploy a combination of expert human-led threat hunting and lightning-fast incident response.

Sophos Managed Threat Response and Sophos Rapid Response provide exactly that. Sophos MTR goes beyond traditional endpoint detection and response measures by bringing human experts into the equation, who can spot the subtle anomalies and traces in a network that may hint at an attack on the horizon and determine whether legitimate tools are being used in the wrong places, at the wrong times.

Sophos Rapid Response complements MTR with its own, industry-first offering for quickly rebuffing attacks in progress, ejecting adversaries from an organization’s network, minimizing the level of damages or costs incurred, and speeding up overall recovery time – all to get an attacked organization back to normal as quickly as possible. With ransomware gangs ramping up the speed and severity of their attacks in the new year, MSPs need to be able to protect their clients with even faster and comprehensive incident response measures of their own.

Guest blog courtesy of at Sophos. Read more Sophos blogs here.