Ransomware gangs' continued success is well documented, from reports of substantial payouts and financial fallouts to prolonged disruptions. Each year, certain groups emerge in the top rankings, and what sets them apart is becoming clearer.
Success can be measured by a variety of factors, including financial gains, brand reputation, victim downtime, activity, and, for the ransomware-as-a-service (RaaS) model, the number of affiliates. Due to its effectiveness, highlighted by steady, alarming numbers recorded over the past five years, the threat continues to evolve to combat enterprises' defenses. However, research revealed what elements contribute to the top RaaS groups' success, which in turn can influence security strategies. The biggest hurdle is keeping pace with how quickly attackers evolve.
Automation: A Need for Speed
Recent research from ReliaQuest measured ransomware success by the number of victims posted to a group's data leak site. Threat actors use data leak sites to publicly shame victims into paying a ransom, and the added pressures did pay off for groups. Based on those parameters, ReliaQuest discovered three facets of thriving ransomware groups. ReliaQuest crowned the Qilin ransomware as a "market leader" and warned that LockBit 5.0 is gaining traction by using the techniques listed below.
"Ransomware platforms built on automation, customization, and advanced tooling likely attract the most skilled affiliates and appear to create the most successful ransomware-as-a-service (RaaS) groups, judging from data-leak site victim counts," ReliaQuest wrote in the report.
Automation comprised the most important component. Researchers found that 80% of RaaS groups they analyzed included some automation and artificial intelligence (AI) in their platforms. Automation contributed to effectiveness by ramping up the speed of attacks. The average breakout time is now 18 minutes, leaving defenders with significantly less time to react, the report warned.
How Are Ransomware Groups Using AI?
Additional researchers observed a similar trend. While groups increasingly use AI to further attack success, the tactic is still early-stage and unevenly adopted, explains Christiaan Beek, senior director of threat intelligence and analytics at Rapid7. Ransomware crews are experimenting with AI, mostly to speed up reconnaissance, craft more convincing phishing, or automate parts of their operations. But what's evolving faster is the attackers' mindset, he adds.
"Attackers are starting to think in AI-driven workflows, blending automation and data-driven targeting," Beek tells Dark Reading. "It doesn't make them unstoppable, but it does make them faster, more adaptive, and harder to predict."