Threat actors know what malicious tools work and ransomware gangs, inspired by their competition, adapt their strategies for a more devastating impact.
"The sophistication and diversity of attacks in 2020, especially the second half of the year, was and still is, alarming. We're seeing a lot of experimentation from the bad guys … that's why ransomware is such a huge deal right now for businesses," said Adam Kujawa, security evangelist, director at Malwarebytes Labs.
Threat groups borrow and adapt the tactics, techniques and procedures (TTPs) of other groups, making ransomware attacks more difficult to prevent. Enterprise detection teams may already have insight into the most prolific human-operated ransomware threats, including Maze (now Egregor), Ryuk, Conti, REvil and RagnarLocker. But their security tools have limits when up against human-operated malware.
In those manual ransomware campaigns, the attackers often seem more comfortable and familiar with an organization's network than the organization itself.
Ransomware operators learn the systems and technology of their targets. RagnarLocker evolved in 2020, changing how it encrypts files on endpoints that have ransomware protection: it ran its encryptor from inside a Windows XP virtual machine so the host's endpoint protection did not see the encryption taking place, according to Malwarebytes' 2021 State of Malware report.
Maze adopted the tactic but didn't leverage Windows XP in the same way as RagnarLocker. Instead, Maze latched onto Windows 10 images. Either way, the ransomware operators clearly understood their victims' systems and technologies.
Egregor became the poster child for "massive, devastating success," even though it debuted late in 2020, according to Malwarebytes. Run by former Maze affiliates, the ransomware family is a product of evolution, sold as ransomware-as-a-service to other gangs.
"These families that we've seen make corporate intrusion into an art," said Kujawa. Their tactics are copied by other groups who reinvest in them "so they become more dangerous, and just overall completely [change] the game."
The same evolution played out with Trickbot. Detections of Trickbot dropped by 68% and of Emotet by 89%, even though both tools remained in use, according to Malwarebytes. Detections fell because the families launched new infection and distribution methods.
Malwarebytes believes the decline in Trickbot and Emotet detection came down to growing sophistication and a reduction in "throw away" malware the firm would typically find, said Kujawa. "What we've seen more of in 2020 from these families is fewer emails sent to more specific targets."
Last year, before Europol's operational takedown of Emotet in January, the botnet also began commandeering existing email threads, so that its phishing messages borrowed the legitimacy of real conversations and blended in seamlessly.
It's likely the tactic will reappear in a different family or identity, according to Malwarebytes. Most malicious upgrades are "small increases in malware capabilities," but "rarely do they surprise," according to the report.
Trickbot and Emotet had "an unprecedented season of evolution, followed by a hard push in the second half of the year," according to Malwarebytes. The pair of trojans underwent framework updates to improve distribution.
"Many of these more sophisticated updates came during or right before the pandemic," said Kujawa.
What's old is new and more dangerous
Cyberattacks run by humans can change their TTPs in real time to evade detection, which throws detection methods based on historical behavior out of the window.
"In the old days, if a human was involved, it was usually a nation-state attack. And that meant, you were probably a defense contractor or government," said Chester Wisniewski, principal research scientist at Sophos. "There was always an assumption, if you found an intruder inside, that they probably have multiple ways to get in." Now everyone has to assume threat actors have multiple points of entry.
Hands-on-keyboard attackers are good at wiping their fingerprints as they move through a system. Last year, Malwarebytes observed more malware samples "call home with reports about victim machines," with operators on the other end evaluating the data.
It was people who then prioritized victims, "assigning special cases for a deeper dive, and performing manual recon and lateral propagation," said Malwarebytes.
For example, the actors behind Conti adopted the double-extortion tactic, in which data is encrypted and also stolen for potential leaking, a tactic that Maze originated and REvil then copied. The groups are able to scope out which data would cause the greatest amount of damage if leaked.
Conti operators also plant backdoors after an intrusion in case they decide to return, according to Sophos. The backdoors are used either for beaconing or for establishing Tor proxies that carry command-and-control traffic over Tor, which often evades detection.