Ransomware Shifts Tactics as Payouts Drop: Critical Infrastructure in the Crosshairs

Analysis of threats detected in the latter half of 2024, demonstrates that attackers evolve rather than abandon their primary targets and tactics.

A study by researchers at Ontinue describes four major evolutionary trends: malware delivery via browser extensions and malvertising; more advanced phishing and vishing techniques; increasing attacks against IoT and OT devices; and the continuing evolution of ransomware.

Ransomware is noteworthy. Ontinue explains (PDF) that ransom payments decreased: from $1.25 billion in 2023 to $813.5 million in 2024. But while the payments received by criminals went down, the number of reported breaches went up. “This could indicate that ransomware groups are conducting more attacks to compensate for lower ransom success rates,” suggests Ontinue.

The primary motivating factor for ransomware is the money it generates. Apparently, more victims are declining to pay – but it is equally apparent that criminals are not ready to abandon this type of attack. “The decrease in payments might also push attackers to diversify their methods further. For example, we could see more focus on supply chain attacks or targeting critical infrastructure, where the stakes – and the potential payouts – are higher,” comments Casey Ellis, Founder at Bugcrowd.

The critical infrastructure may be unable to refuse payment. Ngoc Bui, cybersecurity expert at Menlo Security, adds, “While paying ransoms might incentivize threat actors, the reality is not paying could be more damaging – especially for organizations involved in critical infrastructure. The disruption from ransomware can be catastrophic, and organizations must prioritize protecting operations and stakeholders.”

And while all this is happening, the ransomware gangs are fine-tuning their tactics, “to include interactions with IT teams to elicit information to improve access, SaaS-based attacks, and even studying file-transfer technology for rapid exploitation and double extortion methods,” says Nathaniel Jones, VP of threat research at Darktrace.

So, while ransom payments may have decreased last year, the ransomware threat is not decreasing, just evolving.

Malware delivery via the browser is a trend also noted by Menlo Security. Ontinue highlights the threat of infection via browser extensions, which are being exploited to deliver information-stealing malware. “This method is particularly effective,” warn the researchers, “because the malicious extensions can persist even after a system is reimaged. Users often unknowingly reintroduce the threat by reimporting their browser profiles, including the infected extensions, during the recovery process.”

Advertisement. Scroll to continue reading.

Phishing and vishing are increasing in both volume and sophistication. This has been expected once criminals learn to understand and use gen-AI, which is almost tailor-made for social engineering.

On phishing, Ontinue has detected three trends: using legitimate sites for the first landing page, which then redirect the victims to a malicious domain; using ‘no reply’ sender addresses to hide the attacker from security checks; and using obscure variations of big name domains (such as those from google.com, apple.com and bing.com) to redirect victims to AiTM sites.

Vishing attacks are becoming more prevalent, growing by 1,633%. Vishing bypasses the automated security filters that email phishing needs to navigate – and has been given a huge boost by AI. “By utilizing AI-driven voice cloning technologies,” explain the Ontinue researchers, “cybercriminals can create highly realistic audio deepfakes, impersonating trusted individuals to deceive victims into divulging sensitive information or transferring funds.”

It’s down to the individual user to counter the vishing threat in conformance with strict user policies. Absent such formal policies, J Stephen Kowski, field CTO at SlashNext, adds, “Individuals should never share personal information during unexpected calls, even if the caller seems legitimate. Always verify the caller’s identity by hanging up and calling back through official numbers found on websites or statements.”

Increasing attacks against IoT and OT devices are primarily because they are traditionally less well defended than pure IT devices, and because of their potential to provide both ransomware and nation state attackers access to much of the critical infrastructure.

“When IoT devices are built down to a price, their firmware is often built down to a price, too,” say the researchers. “IoT web services, for example, often rely on stripped-down networking software that runs with root privilege and performs its configuration operations simply by passing user-supplied data to the system via a command shell.”

This, they add, “makes IoT devices notoriously vulnerable to command injection, remote code execution, and privilege escalation attacks.” IoT devices are often built for consumers, but the growing practice of working from home, either full-time or part-time, brings these devices into close contact with the means to cross over into company systems.

At the same time, all OT devices lack the depth of security offered to IT devices, and often lag in patching. Concerns over water facilities illustrate the issues. “The U.S. government warned of misconfigured infrastructure control systems in water facilities,” comments the report. “Pro-Russian actors were reportedly able to alter pumping parameters, disable alarms, and lock operators out of their systems.”

An OIG report in November 2024 found 97 water systems serving about 27 million people contained critical and high severity issues.

In December 2024, CISA and the EPA urged water companies to ensure their OT HMI systems were properly secured. “Threat actors have demonstrated the capability to find and exploit internet-exposed HMIs with cybersecurity weaknesses easily. For example, in 2024, pro-Russia hacktivists manipulated HMIs at water and wastewater systems, causing water pumps and blower equipment to exceed their normal operating parameters,” the two agencies said.

The Ontinue threat report demonstrates that cyberattacks ebb and flow – the ebb is generally while new tactics and methods and technologies are explored, while the flow is the continuous, and generally increasing, nature of cybercriminality. The threats themselves change very little, but the tactics used are continually revised to maximize the criminals’ return on investment and effort.