The ransomware paper (part 3): New trends and future concerns

January 28, 2022 by Keatron Evans

Welcome to the last part of this ransomware series (see Part one: What is ransomware?, and Part two: Real-life scenarios). As we wrap up, I want to focus on a few attacks that haven’t been discussed much in the media as well as some trends we may see in the future.

When those in the industry talk about ransomware protection and prevention, most of it is geared towards businesses. However, we’re seeing several trends involving attack scenarios directed at end-users, specifically in personal digital environments. 

Instagram, Twitter and TikTok, oh my!

Lately, I’ve seen a trend of people’s social media accounts — like Twitter, TikTok and Instagram — being taken over and ransomed the same way a corporation’s data is being ransomed. 

It is worth noting that social media accounts and emails have been a target for takeover for a while, and it’s mostly been a flat-rate cost to get access back. The traditional scenario is based on a scheme of convincing the victim they are paying money to Microsoft or Facebook support. Typically, the attackers would only charge the victim’s card the designated rate to “restore” access, but sometimes they would max out the victim’s credit or debit card. That was pretty much it.

Now they are asking for a ransom. They also appear to be doing some basic recon on the victims so they can match the ransom amount with what they think the victim might pay.


I have a cousin who was a victim of this very attack. Her ransom demand was only $150; however, she is 17 years old and has about 1,800 followers. If you are an influencer with four million followers, that ransom will be considerably higher.

Take another person who contacted me: a pastor of a church with about 3,500 active members and about 15,000 followers on Instagram and Facebook. His Instagram and Facebook were both compromised. Getting the Facebook account back was relatively easy, but the Instagram account proved more difficult. The attacker wanted $5,000. They also added a threat along the lines of: “You’re a popular pastor. How would you like your Instagram account to start posting inappropriate adult content?”  

It left him and his small IT team terrified and flustered. 

Yet another history lesson, kind of

This trend is akin to what happened with computers. They were initially reserved for large organizations as they were too expensive for most to personally operate. Then the cost of production went down and mass production and distribution became possible. Thanks to Microsoft, Apple and others, personal computers were feasible seemingly overnight — and the rest is history.

One mistake we continue to make in this industry is failing to look at ransomware as an economic vehicle for cybercriminals. There is now enough profitability in these individual ransomware attacks to justify upward-trending projections.

Paying ransoms has gotten much easier

As I pointed out in the first part of this article, ransomware — and even ransomware against individuals — is not something new. When personal computers first began to get hit with ransomware, most individuals were given a choice: pay $200 to $500 to get their computer unlocked or have a local computer repair shop reinstall Windows from scratch. 

When these personal ransomware attacks were trending upward eight or so years ago, it was not easy to set up a bitcoin account and make a payment. Now, it’s much easier. Heck, ransomware operators appear to have hired technical writers as the quality of their modern payment tutorials is quite impressive. 

Huge growth of micro-businesses

Additionally, social media and the whole influencer movement have created millions of micro-businesses generating billions of dollars — all the while blending more of people’s personal lives with their business. In fact, for many influencers, their personal lives are their business. 

This is how ransomware actors justify asking an individual for a large payment — assuming they have a large following. It’s just one example of where the changing times have taken a market once considered low profit by ransomware operators and created millions of high-profit opportunities within it.

I personally know five people who have been hit with this kind of attack in the last year.

More ransomware opportunities

A few months ago, I contributed to a Breaking Defense article related to hacking smart cars. While researching, I discovered some military bases are considering banning these vehicles. Why would entire countries consider such drastic actions against smart cars? It’s mostly due to the susceptibility of those cars to being compromised to digitally spy on intelligence and defense organizations.

Imagine you are in Chicago parked downtown near Lake Michigan. It’s minus 10 degrees with a minus 20 windchill.  You try to unlock your smart car as you always do and find that the door is not unlocking. At that instant, you get a text message from an unknown number saying, “We’ve taken over the app that controls your car. Send us $500 in bitcoin within the next five minutes or we will start your car and rev the engine until it’s destroyed.”  

That might sound like a stretch, but we are not that far away. I regularly use an app to start my SUV, lock and unlock the doors, turn on one of its many cameras and more. 

Importance of mobile phones

We also have to consider how important phones have become to the average consumer. Most of us care more about our phone data than we do our computer data. If the ransomware enterprise shifts some of its energy to this “emerging” consumer market, mobile phones may replace computers and networks as the focus of attacks.

For context, I dropped my phone from the metro train platform at Reagan Airport as I was about to depart on a flight. The phone was destroyed. I could not access anything on it. The amount of stress that put me through for the following eight or so hours is embarrassing. I had my electronic boarding pass on there. I couldn’t get an Uber when I landed in Chicago. I couldn’t even call someone to pick me up. I had to resort to that thing we call a taxi. Yes, they still exist. And to be fair, I’m not as addicted to my phone as I believe most Americans are.

Ransomware that can instantly lock and encrypt a person’s phone will likely be very profitable for these groups, especially if they’re able to harvest zero-click exploits similar to the ones disclosed in 2021 related to the NSO Group.

Rise of remote work

Also, with more people working from home, successful phishing and ransomware against an employee may not have a direct impact on an employer’s network.  These trends in our new work-from-home economy make it more likely that the ransomware focus will shift.

End-users and regular consumers will not have access to the budget, knowledge base or resources to recover from these types of ransomware attacks. As a result, they will be more likely to pay the ransom. 

In addition, many employees have moved from behind the veil of protection provided by corporate firewalls, SOCs, security engineers and other impressive security gear and knowledge. This is one area of concern that has not yet been fully addressed. 

Importance of education

It helps to look at the ransomware market the same way we would look at legitimate non-criminal markets and economic systems.  The consumer ransomware market is largely untapped, but I don’t suspect it will stay that way for long. It would be great if I could look back in three years and say I was wrong. But right now, I’m not convinced that will be the case. 

It is our responsibility as leaders to start educating end-users more frequently on these types of threats and their impact. Everyone will have to become more diligent about protecting their devices and their data  — and that starts with cybersecurity leaders making education accessible, practical and memorable.

I don’t want to live in a future where my refrigerator, Wi-Fi, thermostat and work devices are hijacked and used to collect ransom from me to get control back. So let’s educate ourselves and others!

Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry, including Infosec Skills live boot camps and on-demand training.