How Ransomware Threats Are Evolving & How to Spot Them

A series of new reports explains how ransomware attackers are changing techniques and how organizations can spot stealthy criminals.

Modern ransomware operators are adopting techniques similar to those of advanced nation-state actors, researchers report. Their attacks are quieter and more long-term as they sit on target networks and search for the exact information they need to bring down their victims.
Sophos researchers today published a series of reports detailing the evolution of ransomware and how attackers are finding new ways to extort more money from large enterprise victims. While the range of ransomware still spans low-level to high-level attacks, their analysis mainly focuses on advanced threats like
WastedLocker
and Maze ransomware.
In the old days, everybody was hitting desktops for $400, and there were successful groups doing that and nonsuccessful groups doing that, says Sophos principal research scientist Chet Wisniewski. Now the successful people arent bothering with that — theyve moved on to more targeted, specific [attacks], either extortion or just incredibly sophisticated enterprise ransomware.
Sophos focused on WastedLocker. In a
report
, director of engineering Mark Loman and principal threat researcher Anand Ajjan explain how it uses Windows Cache Manager via memory-mapped I/O to evade monitoring by behavior-based tools. This allows the ransomware to transparently encrypt cached documents in memory, without causing additional disk I/O. Tools used to monitor disk writes may not notice the malware is accessing a cached document.
The cleverness, the creativity, and the intimate knowledge of these very, very miniscule technical details to craft a bypass like that is almost unseen in criminal malware, says Wisniewski. Its the kind of thing we expect to see in espionage-style attacks, not in criminal attacks.
Some attackers bypass technical tools by living off the land, or using legitimate admin tools to achieve goals. Some use software deployment tools to roll out ransomware instead of delivering patches to Windows machines, Wisniewski says as an example. They may abuse PowerShell, other Microsoft tools, or so-called gray hat tools like Metasploit or Cobalt Strike.
This behavior isnt new, Wisniewski says. What is new is that may be the only indication youre going to get that theyre in your network. Organizations may notice small, unusual things once in a while, remedy them, and close the ticket without realizing theyre part of a larger incident. By the time they do, an attacker has been in their network for weeks. WastedLocker and Maze will sit there for a month to figure out the thing that will shut down their
enterprise victim
.
I want to make sure I get the most critical asset they own, and I completely incapacitate it to destroy their business, he says of the attacker mindset. Theyre willing to take time to figure out the business model, which databases have the crown jewels, and how to steal data from them.
Attackers dont need these techniques to target all companies, Wisniewski notes, but they are necessary for top-tier companies with larger cash reserves and better defenses. He points to SamSam, which represents the midtier level of ransomware. The groups dwell time was far shorter at about 72 hours, and it didnt need to identify every asset to achieve its goals. It went for firms with lower defenses, hit their servers, and charged $100,000–$800,000 per victim.
While the motivation is different for each advanced ransomware group, the techniques are similar. WastedLocker is more focused on technical exploitation; threats like Maze rely on double extortion: They charge victims to get their data back, and to stop them from publishing it. Theyre focused on the
more social aspect
of how they can manipulate their victims, he adds. Maze has invited other groups to publish on its website and in doing so, boost its marketing.
None of these groups are technically inept, but the special sauce they bring to the table is different, Wisniewski continues. Each one of these groups has their own signature.
How to Know If Youve Been Compromised
While it may tough to know when an advanced attacker is on your network, its still possible. Peter Mackenzie, global malware escalations manager at Sophos, shares a
few key indicators
that could tip off businesses to suspicious activity.
One is a network scanner, especially on a server. Attackers usually start recon by accessing one machine and searching for information like domain and company name, the devices admin rights, etc. They then scan the network to see what else they can access. If the business detects a network scanner like AngryIP or Advanced Port Scanner, question admin staff. If theyre not using it, an intruder may be.
Businesses should also watch for tools designed to disable antivirus software, which attackers may use to bypass detection. Mackenzie points to Process Hacker, IOBit Uninstaller, GMER, and PC Hunter as examples of legitimate tools that could point to nefarious activity if they suddenly appear. Further, he says, any detection of MimiKatz should be investigated.
If no one on an admin team can vouch for using MimiKatz, this is a red flag because it is one of the most commonly used hacking tools for credential theft, he writes. Attackers may also use Microsoft Process Explorer, a legitimate tool that can dump LSASS[.]exe from memory.
Even if malicious files have been detected and removed, businesses should watch for any detection that happens at the same time every day, or in another repeating pattern. This could indicate something is happening but hasnt yet been identified.
An attacker may make themselves known in test attacks, which are smaller intrusions done on a few computers to see if their deployment method will work. If security tools stop the attack, they may shift strategies before trying again.
It is often a matter of hours before a much larger attack is launched, Mackenzie says.
Related Content:
Lazarus Group Shifts Gears with Custom Ransomware
Retooling the SOC for a Post-COVID World
11 Hot Startups to Watch at Black Hat USA
Special Report: Computings New Normal, a Dark Reading Perspective

Register now for this years fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on
conference information
and
to register
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
How Ransomware Threats Are Evolving & How to Spot Them