Ransomware Has Evolved: Updated Ransomware Prevention Best Practices for 2024

Ransomware payments spiked to a new high of $1.1 billion in 2023 – and that is just the payments that were reported. With attacks evolving quickly due to the advances in AI, the ransomware prevention best practices you currently use may no longer be enough. In this blog, we’ll dive into today’s ransomware trends and provide a step-by-step guide to current ransomware attack tactics with real-life images and a checklist of today’s ransomware prevention best practices.

Changes in Ransomware Trends

One of the big trends changing ransomware attack patterns is the addition of AI into attack planning and execution. AI has made it quicker, easier, and cheaper for inexperienced hackers to create convincing and difficult-to-detect phishing campaigns, get detailed directions on how to perform each step of a ransomware attack, and receive guidance on how to use individual tools to optimize their attacks. While attackers continue to leverage Ransomware as a Service (RaaS) kits and playbooks to streamline the attack process, as AI advances it will be interesting to see if it impacts the popularity of RaaS and the hacker franchise model. We’ll share more on this trend later in this blog when we describe the different phases of today’s ransomware attacks.

Another top ransomware trend is an increased emphasis on “Big Game Hunting.” Attackers are increasingly focused on ransoms over $1 million. So, while the number of ransomware attacks has decreased, as you can see in the Chainalysis chart below, the amount of the ransoms have gone up significantly.

One recent example of this trend is the Change Healthcare breach from February of 2024 that resulted in the organization paying a $22 million ransom. Ransom aside, the ripple effects of this attack caused disruptions throughout the healthcare ecosystem. Some offices closed for the week and had to furlough their staff, and it is estimated that one in three Americans’ sensitive healthcare information was leaked. Sadly, this attack likely could have been prevented at several key inflection points if Change Healthcare had followed today’s ransomware prevention best practices.

Change Healthcare, a subsidiary of UnitedHealth, attributes the attack to ALPHAV/BlackCat ransomware group, who reportedly broke into their system by leveraging compromised Citrix credentials on an account that did not have Multi-Factor Authentication (MFA) enabled. Like many ransomware attacks, ALPHAV/BlackCat initially breached the network nine days before it launched the ransomware attack. If Change Healthcare had followed today’s ransomware prevention best practices, they may have been able to detect and thwart the attack before ALPHAV/BlackCat deployed the ransomware.

How Hackers Break in: AI is Making the Process Quicker and Easier

Let’s look at the steps an inexperienced attacker often takes when deploying ransomware. As we go through the steps, we’ll also point out how these attacks are evolving.

Preparing for an Attack

The biggest change in ransomware execution is that criminals are using “Evil AI” such as WormGPT to simplify attacks. WormGPT has been built to facilitate cybercrime and it is similar to ChatGPT with few safety guardrails. This AI technology enables even minimally skilled hackers to launch sophisticated ransomware attacks, create difficult-to-detect phishing emails, and more. A lifetime membership to WormGPT is currently on sale for $200, so this affordable investment can provide attackers with detailed directions to launch million-dollar ransomware attacks.

Hackers also often want an exploit builder and a Remote Access Trojan (RAT) to launch an attack. Our team found an exploit builder for $7 and a RAT for $10 on the dark web. Finally, an inexperienced attacker will likely want to buy a ransomware program with good reviews (yes, the dark web marketplaces have reviews and ratings!). We found such a program for $63. So for less than $300, an inexperienced attacker can buy the user-friendly, automated tools needed to launch an attack.

Once the tools are assembled, today’s attackers usually follow the steps LMG Security’s Sherri Davidoff, Karen Sprenger, and Matt Durrin detailed in their book Ransomware and Cyber Extortion: Response and Prevention.

The stages of a ransomware attack

Here’s an overview of each step.

Step 1: Entry

Email is still the most popular initial entry point for an attack with 90% of data breaches starting with a phishing email. “The biggest trend we are seeing in the entry stage of attack is that phishing emails are getting MUCH harder to detect,” stated Matt Durrin, director of training and research at LMG Security. “Criminals are using AI to create realistic, grammatically correct emails as you can see in the WormGPT-generated example below. They can even ask WormGPT for tips to increase the odds a victim clicks their link.”

An example of a phishing email created by WormGPT

Next up, the criminal can use the exploit builder program they purchased to create the RAT by simply checking boxes for their desired attributes and customizing the payload by enabling features such as “Bypass Firewall Windows” and “DisableTaskMgr.”

A screenshot of a user-friendly and fully featured exploit builder program.

The attacker can now build a malicious PDF dropper (a file that drops and executes a document file) by entering the link to the malware they just generated, and the program will create the infected file that can be added to a phishing email.

All it takes is for one user to click the link or download the attachment and the attacker can access their network. Using today’s RAT programs, the attacker can then enable a remote desktop program and take full control of the compromised computer.

At this time, many attackers also add a second access method like installing a standard remote access management tool like AnyDesk which can operate discreetly in privacy mode so security teams may not notice it.

Step 2 & 3: Expansion and Appraisal. In bad news for defenders, the prevalence of malware-free attack activity is skyrocketing. CrowdStrike estimates that in 2023, 75% of activity they see during investigations does not include malware and just uses tools already on the computer to complete malicious actions. This gives attackers time to expand access and gather information. They may:

• Scan the network to identify live hosts and shared folders and map out where they want to go on the network.
• Scrape credentials. If the hacker is not sure how to scrape credentials, they can simply ask WormGPT, and it will give them directions.
• Attack the Domain Controller. Their goal is to download all user information (so they can work on decrypting this later for future attacks), gain full remote access to the network, and create their own domain admin account.

Step 4: Priming. During this stage, the attackers will prep the network for ransomware. If the attacker was able to gain domain admin access, they can give themselves access to any folders they want and try to stealthily exfiltrate data. They will also turn off security software and controls, like Windows Defender and real-time protection, for all devices.

Step 5: Leverage. Now that the attacker has gathered all the information they want and primed the network, with a simple command they can deploy the ransomware on a shared folder so it infiltrates and encrypts any connect files.

The attacker can select the ransomware menu and deploy the malware with a few clicks

Step 6: Extortion. The attacker usually leaves a ransomware note in a folder, and these days they frequently issue a public disclosure of the breach on a “name and shame” ransomware site to pressure the victim to pay. The victim will then need to decide whether to negotiate and pay the ransom or recover without the ransomware decryption key.

LMG Security’s Ransomware Prevention Best Practices Checklist

Now that you know how a ransomware attack happens, let’s review today’s ransomware prevention best practices.

1. Conduct monthly Cybersecurity Awareness training. As tactics change and criminals find ways to bypass security solutions, training every employee to be the first line of defense against a phishing attack is still one of the best means of prevention. Ensure your training program includes training videos, phishing simulations, segments on deepfakes, and more. IBM’s research report found that a good employee cybersecurity training program can reduce your costs by $232,867 if you are breached.
2. Add specialized cybersecurity training. Remember that your executive, finance, HR, sales, help desk, and IT teams require additional advanced training (read our cybersecurity training recommendations blog for more details). Organizations with established, trained incident response (IR) teams that regularly test their IR plans can reduce their average cost of a data breach by $232,008. Our on-demand Ransomware Response and Cyber First Responder classes and tabletop exercises are popular, affordable ways to reduce your risk.
3. Conduct regular penetration testing. A good offense is one of the best defenses—penetration testing finds security gaps that vulnerability scanning misses. It helps you identify and close gaps before the attackers leverage them for an attack. Read our blog on why penetration testing is a crucial security control.
4. Conduct a cloud configuration review. Security setting best practices change often, and misconfigurations frequently cause breaches. An expert cloud configuration review can identify and correct these issues. Read our cloud configuration and web app blog for more advice.
5. Implement continuous attack surface monitoring. This is one of the easiest ways to identify computers with unpatched vulnerabilities. You can also outsource this as a managed service to ensure experts are reviewing your reports, keeping your systems aligned with current best practices, and anticipating and stopping potential attack paths.
6. Deploy EDR/XDR. In addition to antivirus, EDR/XDR can defend against zero-day attacks, supply chain attacks, and other common cybersecurity threats.
7. Use strong MFA whenever and wherever possible. Read our MFA tip sheet for details.
8. Regularly look for signs of a breach and persistence. Defenders should regularly check the startup programs and running services to check for the addition of malware, as well as new auto-run keys in the registry. This can help you identify and remove malware and attackers before the attack is launched.
9. Create and maintain a data and asset inventory. You need to know what data and assets you have in order to protect them. Mapping your data is a crucial first step. Establishing a comprehensive inventory of data and technology assets, including cloud applications, helps you properly address risk and align security investments.
10. Use robust, immutable backups that include your cloud assets, and TEST those backups regularly.

By employing these ransomware prevention best practices, you can dramatically reduce your risk of a ransomware attack.

We hope you found this information helpful. If you would like support implementing any of the ransomware prevention best practices, please contact us. Our expert LMG Security team is ready to help!