Getting Into the Psyche of a Ransomware Hacker in 2024

What’s changed in the ransomware landscape in 2024? Chris Rogers considers the psyche of those writing the code and looks at new tactics, tools and the prevalence of double-extortion ransomware

The cybersecurity ecosystem moves at an extremely rapid pace. However, in the months ahead, it seems inevitable that organisations will be faced with even more dynamic challenges. For instance, attack velocity and sophistication are intensifying dramatically, with threat actors combining data theft and encryption, demanding a ransom to prevent the exposure of stolen data. Increasingly, they aggressively attack backup and disaster recovery systems to block remediation attempts. This puts security teams under enormous pressure, with the overall risks presented by ransomware arguably more acute this year than at any time previously.

The mindset behind the attacks

Among the many issues security teams must now deal with is the impact of the varied goals and mentalities of those delivering the ransomware payloads, which present a complex and constantly shifting challenge. When attackers have divergent and often unrelated objectives, and even different moral boundaries, the strategies and tactics they employ can vary widely, making it harder for security teams to anticipate and defend against attacks effectively.

“Remarkably, the attackers eventually released the data encryption keys – accompanied by an apology for the actions of its affiliate”

A fascinating example of this is the high-profile attack on the Children’s Hospital in Toronto last year, which was delivered via an affiliate of the LockBit gang using Ransomware-as-a-Service. This incident also exposed the broader impact of ransomware, particularly the ethical dilemmas posed by targeting healthcare institutions where patient data and services critical to life were put at risk. Remarkably, the attackers eventually released the data encryption keys – accompanied by an apology for the actions of its affiliate – in a move that sparked debate about the motivations behind cyber attacks and the moral responsibilities of cyber criminals. As it turns out, it is possible to get fired from a ransomware organisation by hitting the wrong targets.

As a result of this kind of disparity in mindset, cybersecurity strategies require a more adaptive and nuanced approach, where understanding the mindset and potential goals of attackers becomes as critical as the technical defences put in place. As such, cybersecurity strategies must evolve to counter the technical sophistication of attacks and consider the psychological and strategic aspects driving these threats, ensuring a comprehensive approach that is as flexible and diverse as the threats it seeks to neutralise.

The tools

The challenges facing security teams are made even more daunting by the emergence of new tactics and AI tools, such as WormGPT: ‘ChatGPT’s malicious cousin. WormGPT was announced early last summer, and it was immediately clear that this would be a powerful weapon for adversaries to utilise against organisations and individuals alike, especially when launching sophisticated phishing and BEC attacks.

“Using GPT-J LLM, the WormGPT offers a privacy-focused platform with unlimited characters”

Using GPT-J LLM, the WormGPT offers a privacy-focused platform with unlimited characters, different AI models, code formatting and more. As it stands, the key ‘selling point’ to WormGPT’s $300 service seems to be its “limitless” nature. Without pre-existing protections built in to stop people from misusing the technology as ChatGPT has, the tool offers a myriad of ways it can be used by cyber criminals to wreak havoc. However, it’s not just dark web tools that hackers can now use in 2024. It’s been shown that ‘safe’ applications such as ChatGPT can be tricked into producing malicious code if asked in the right way.

These AI tools are making it easier and faster for cyber criminals to carry out attacks and significantly lowering the bar of entry into cyber crime. This, coupled with the increasing prevalence of double-extortion ransomware, where attackers not only encrypt but also steal data, threatening its release unless a ransom is paid, marks a significant escalation in the threat landscape.

Protection strategies are key

Where does that leave those who want to maximise protection? One obvious method is to take out cyber insurance to mitigate the financial impact of an attack. Over the past few years, the global cyber insurance market has tripled to reach $13 billion in 2022, and insurers have tightened their underwriting criteria.

The emphasis on detection capabilities has never been more important. Where possible, organisations should adopt detection strategies that allow for the early identification of threats, employing advanced scanning for malicious software and analytics to trace the attack’s origin, method and precise nature. This proactive stance enables businesses to mitigate risks before they escalate into full-blown crises.

However, detection is just one piece of the puzzle. Investing in a comprehensive security stack and ensuring that no component, especially backup and recovery systems, becomes outdated is essential for maintaining a robust defence against cyber threats. This approach should also include regular reviews and updates of cybersecurity infrastructure to close any vulnerabilities that could be exploited.

Christopher Rogers has worked at Zerto, a Hewlett Packard Enterprise company, since 2019. Now, as a senior technology evangelist, he dedicates his time to raising awareness and educating others on cybersecurity issues and disaster recovery solutions.