5 minute read 26 Mar 2024

Organizations face new cybersecurity challenges as ransomware groups raise the stakes by exploiting unconventional programming languages.

Laptop with computer language in server room

How to bolster cybersecurity against the ransomware evolution

Authors
Steve Lam

EY Asean Cybersecurity Leader

Cybersecurity strategist. Trusted boardroom advisor. Early technology adopter. Creative problem-solver. Avid cyclist, reader and collector of mechanical keyboards.

Eric Lam

Partner, Technology Consulting — Cybersecurity, Ernst & Young Advisory Pte. Ltd.

Experienced cybersecurity consultant. Well-versed in cybersecurity strategies, risk management and associated compliance issues.

5 minute read 26 Mar 2024
Related topics Consulting Cybersecurity Technology Technology leader's agenda
Upvote

Show resources

  • BlackCat ransomware technical analysis

    Download 2 MB

Organizations face new cybersecurity challenges as ransomware groups raise the stakes by exploiting unconventional programming languages.

In brief
  • Ransomware threat actors are evading detection and targeting a wider group of victims by using unconventional programming languages.
  • The disturbing emergence of the ransomware as a service business model has increased the potential for more ransomware attacks.
  • To mitigate these threats, organizations need to take proactive measures, such as managing user permissions and training employees in cybersecurity awareness.  

Ransomware has been a persistent and evolving threat in the cybersecurity landscape. Over time, threat actors behind ransomware attacks have been adapting and devising new techniques in a bid to stay undetected and maximize their impact. According to the EY 2023 Global Cybersecurity Leadership Insights Study, organizations face an average of 44 significant cyber incidents a year and take an average of six months or longer to detect and respond to an incident. Advanced adversaries are harnessing cutting-edge technology to amplify the pace and scope of their assaults, leading to mounting financial, regulatory and reputational consequences.

  • About the EY 2023 Global Cybersecurity Leadership Insights Study

    In February and March 2023, the global EY organization conducted research to better understand how companies are approaching their cybersecurity function to prepare for the cybersecurity threats of today and tomorrow. The EY survey covered 500 C-suite and cybersecurity leaders across 19 different sectors and 25 countries in the Americas, the Asia-Pacific region, and Europe, the Middle East, India and Africa. Respondents represented organizations with over US$1 billion in annual revenue.

A significant trend is the adoption of unconventional programming languages —such as Rust and Golang — by ransomware groups. This shift complicates cybersecurity measures and enables the malware to be more versatile across different platforms. BlackCat is a notable example of an emerging ransomware group that has embraced the Rust programming language and gained notoriety for its successful targeting of high-profile companies. Built for performance and memory management, Rust allows the group’s ransomware to run efficiently and evade detection in sandbox environments. Additionally, Rust provides the group with customization opportunities, enabling the ransomware to perform more sophisticated techniques and have different encryption methods for different victims.

How EY can help

24-7 cyber incident response

The EY cyber incident response team helps organizations to act quickly as well as discern, isolate, contain and recover from security incidents and breaches. It helps manage valuable and relevant data in a safe and secure manner to facilitate investigations wherever they may lead.

Read more

Another significant development in the evolution of ransomware is the emergence of the ransomware as a service (RaaS) business model. This model allows threat actors to offer ready-to-use ransomware software and tool kits to individuals who lack the technical skills to develop their own. This service model has several implications. Firstly, it enables broader participation in ransomware attacks as anyone can access and use the ransomware software. Secondly, it increases the frequency of attacks, amplifying the overall threat of ransomware.

BlackCat and Black Basta were the most frequently detected variants of ransomware worldwide in the second quarter of 2023, followed by Royal and LockBit 3.0.1 The notorious BlackCat ransomware group has capitalized on the aforementioned trends, targeting high-profile companies with considerable success.

Sophisticated and customizable attacks

BlackCat — also known as ALPHV — is one of the first major ransomware families to be written in Rust, with the ability to target systems on multiple operating systems beyond Windows, such as Linux and VMware ESXi.  

The BlackCat ransomware group operates on the RaaS model, taking a percentage of ransom payments. It employs a triple extortion tactic — which includes data encryption, the threat of data publication and possible distributed denial-of-service attacks — to coerce victims for payment.

By leveraging Rust’s capabilities, BlackCat ransomware facilitates sophisticated, customizable attacks across multiple platforms, posing significant challenges for analyses in sandbox environments. It uses an access token to decode the ransomware’s configuration. Once the correct token is provided, the ransomware decrypts a runtime configuration file dictating its behavior, including encryption methods, credentials and processes to block. If it’s not initially granted administrative permissions, the ransomware exploits Windows User Account Control to gain these privileges. Once these are secured, the ransomware creates child processes to perform various operations. These include deleting volume shadow copies, modifying registry keys and clearing event logs while trying to spread by logging into other device accounts or mounting hidden partitions.

Show resources

  • Download the EY technical analysis of BlackCat ransomware

    pdf (2 MB)

Mitigating the impact of ransomware threats

Given the evolving nature of ransomware threats, organizations must take proactive measures to mitigate their impact. They should avoid ransom payments as there is no guarantee of file recovery. In case of an attack, immediately isolate the affected system from the internet and notify relevant authorities for investigation and guidance.

They need to implement comprehensive security measures, which include enabling antivirus protection on all devices and allowing real-time scanning to detect and block ransomware installations automatically. It is important to schedule frequent backups of essential data and see to it that the data is easily recoverable in the event of loss.

Besides implementing robust data protection policies and recovery solutions, organizations should also train employees in cybersecurity awareness. This includes educating them on recognizing and frustrating phishing attempts and other malicious activities.

Regular updates of all software — including operating systems and applications — are crucial to patch vulnerabilities. Another key action is the management of user permissions by limiting user access rights and using strong, unique passwords with multifactor authentication.

Emerging ransomware trends and major threat actors like BlackCat have raised the stakes for organizations as they threaten organizational data, reputation and competitiveness like never before. Therefore, the importance of proactive, comprehensive measures that mitigate their impact based on an understanding of the modus operandi of threat actors and employee education in cybersecurity awareness cannot be understated.

How EY can help

Cybersecurity Transformation

Design, deliver and maintain your cybersecurity programs at the enterprise-level by embedding security by design at every step of the way.

Read more

Summary

Ransomware continues to evolve, with BlackCat using an unconventional  programming language to target a wider group of victims and evade detection. Implementing proactive security measures is pivotal in mitigating the impact of such threats. Besides avoiding ransom payments, organizations should also implement comprehensive security measures, robust data protection policies and recovery solutions. Scheduling frequent backups of essential data, training employees in cybersecurity awareness, regularly updating all software and managing user permissions are crucial as well.

About this article

Authors
Steve Lam

EY Asean Cybersecurity Leader

Cybersecurity strategist. Trusted boardroom advisor. Early technology adopter. Creative problem-solver. Avid cyclist, reader and collector of mechanical keyboards.

Eric Lam

Partner, Technology Consulting — Cybersecurity, Ernst & Young Advisory Pte. Ltd.

Experienced cybersecurity consultant. Well-versed in cybersecurity strategies, risk management and associated compliance issues.

Related topics Consulting Cybersecurity Technology Technology leader's agenda
Upvote