Malware researcher speculates on the future of ransomware

Abhijit Mohanta, author of 'Preventing Ransomware,' opines on the future of ransomware and discusses why this attack is favored among cybercriminals.

Ransomware attacks constituted 81% of financially motivated cyber attacks in 2020 and cost more in damages than any other malicious attack, according to a report from Atlas VPN.

As attackers extort larger and more frequent ransoms from their victims, security researcher Abhijit Mohanta sees no sign of imminent ransomware declines. Since his start in malware analysis in 2007, he has witnessed the growing embrace of ransomware attack methods by cybercriminals and nation-states alike.

"The popularity of ransomware makes sense from an attacker's perspective," Mohanta said. It continues to be a financially rewarding attack, he said, and it's easy to program.

In the book Preventing Ransomware, published by Packt, Mohanta and co-authors Mounir Hahad and Kumaraguru Velmurugan explain how ransomware attacks work, what security measures can prevent them and how to respond when they occur.

Here, Mohanta discusses the future of ransomware, including research on cyber attack patterns and trends and why malware analysis is a rewarding career path.

Editor's note: This transcript has been edited for length and clarity.

Why did you and your co-authors write Preventing Ransomware?

Abhijit Mohanta: At the time of writing, ransomware was a hot topic, and there were not many books available on the subject. I wanted to compose a book that can help the public understand how ransomware works and how it has evolved. It's also written as a resource for people who are new to the field of cybersecurity to help them understand that evolution.

Will ransomware attacks continue to surge in the future?

Preventing Ransomware book coverClick to learn more about
Preventing Ransomware
by Abhijit Mohanta, Mounir
Hahad and Kumaraguru

Mohanta: I expect it to continue because ransomware can result in large payments and it is easier to program than other malware. After installing malware and encrypting system files, the attacker delivers the ransom message to the target. Other types of malware programs can be quite complex, such as a banking Trojan. Trojan attacks are more difficult because the program has to monitor activities in the browser and the entire system.

Additionally, ransomware is attractive to attackers because it does not have to be hidden like other malware varieties. Malware is often designed to evade detection, but ransomware is designed to be detected -- usually, in a pop-up message on a victim's machine -- after the files are encrypted.

What ransomware trends have you identified in your research?

Mohanta: In 2014, I was seeing very complex malware, including rootkits. But, since then, I slowly saw ransomware attacks increase, while complex malware attacks began to decrease. New ways of extorting ransom evolved, including bitcoin. Beforehand, there was only one primary payment method -- through a bank account or credit card. But, now, bitcoin payment and other payment provisions are possible.

What needs to happen to slow or stop the rise in the ransomware attacks?

Mohanta: This will depend on two things: security awareness and proper system configuration. Awareness is one of the most important factors, especially about how ransomware is identified. Security awareness training should teach the basics of identifying phishing emails. Everyone gets spam containing malicious links or attachments that can download ransomware. Use caution before clicking them. Check the sender to see if it is genuinely someone you know. Look for spelling errors. Preventing attacks this way doesn't require highly technical skills.

Also, make sure systems are regularly updated and security products are properly configured. For example, antivirus should always be enabled. However, antivirus alone might not be sufficient to detect ransomware threats. Organizations should use it in combination with other products, including intrusion detection, intrusion prevention and sandboxing, to analyze behavior.

How are nation-state ransomware attacks distinguishable from average cybercriminal attacks?

Mohanta: One difference is the target. Nation-state attacks are typically more sophisticated and highly targeted toward a particular organization or industry. They must bypass firewalls, sandboxes and other devices set up to secure the target's network. Unlike nation-state actors, average attackers may not pursue such high-profile organizations. For example, they may target an individual who doesn't have such sophisticated security measures in place. An attacker usually just needs to bypass the antivirus on the individual's desktop.

To plan for the future of ransomware, the focus needs to be on security at the development stage, not preventing cyber attacks.
Abhijit Mohanta

Preventing Ransomware discusses how the future of ransomware will target individuals -- via smart cars and even pacemakers. What other ransomware trends do you expect to see?

Mohanta: The malware industry has been going in this direction. Attackers try to target the latest technology, especially medical devices. These days, even hospitals are being victimized because all their records are stored in computers. Both of these targets make sense from an attacker's perspective.

The more devices are introduced, the more likely they are to be affected by malware or ransomware in the future. Development is one reason why. Many developers do not know about hardware security because they don't see it as their concern. To plan for the future of ransomware, the focus needs to be on security at the development stage, not preventing cyber attacks.

Many infosec experts warn against paying the ransom. Are you one of them?

Mohanta: Yes, I am. Ransomware authors are criminals, and you cannot trust them. Even if you pay the ransom, it doesn't mean attackers will give you back all your files. I worked with one finance company that was attacked right at the end of the financial year when they were calculating yearly totals. It was a random attack, and it came at a challenging time, so they paid the $500 ransom. It's possible the attackers did not know how valuable and time-sensitive the data was to the company. Fortunately, they got their data back, but that is not always the case -- they took a risk. In previous years, encryption used in ransomware attacks was much easier to crack, and researchers wrote decryption algorithms to help victims decrypt files. But, due to advancements in cryptography, it has become harder to get back data without paying the ransom. This may explain why some insurance companies encourage clients to pay the ransoms.

How has your career as a malware researcher and author been rewarding to you?

Mohanta: I love being a malware researcher; it's a great field. One of my responsibilities is to generate awareness among the general public and the security community on the subject. I feel happy when contributing to the conversation through my books or speaking engagements at conferences and colleges in India. It's rewarding to see more people gain an interest in the topic. By understanding and analyzing malware, people can develop better code, which can help the industry combat threats.

Abhijit MohantaAbhijit Mohanta

About the author

Abhijit Mohanta is the author of Malware Analysis and Detection Engineering, published by Apress, and Preventing Ransomware, published by Packt Publishing. He has worked in the security industry for more than 13 years. He is passionate about mentoring professionals in specialized areas of cybersecurity, including malware analysis, reverse-engineering, intrusion analysis, digital forensics and memory forensics. He has more than 13 years of experience in the antimalware field. Mohanta has worked in antimalware research labs at Uptycs, Symantec, McAfee and Juniper Networks. He has experience in reverse-engineering, malware analysis, and detection engine development and is a book reviewer for Packt Publishing. He holds multiple patents in the field of malware analysis and detection and gives talks at various security conferences and webinars.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
  • Understanding how GPOs and Intune interact

    Group Policy and Microsoft Intune are both mature device management technologies with enterprise use cases. IT should know how to...

  • Comparing MSI vs. MSIX

    While MSI was the preferred method for distributing enterprise applications for decades, the MSIX format promises to improve upon...

  • How to install MSIX and msixbundle

    IT admins should know that one of the simplest ways to deploy Windows applications across a fleet of managed desktops is with an ...

Cloud Computing