How Ransomware's Industrialization Impacts SOC Operational Tempo


One way to prepare for the future of ransomware is to examine its past. From 1989, when the first ransomware (the AIDS Trojan) was distributed on floppy disks, through the early 2010s, ransomware remained a largely fringe and mostly unprofitable activity. Once cryptocurrencies like Bitcoin made pseudonymous, cross-border payments easy to collect, the emergence of modern ransomware was only a matter of time.

CryptoLocker's meteoric rise, delivered through the Gameover Zeus banking trojan botnet, began in late 2013 and ended with that botnet's takedown in mid-2014, but it was a sign of things to come.

From there, we were off to the races. Every major shift in internet technology and consumer behavior, from the rise of smartphones and cryptocurrency to remote work, has been leveraged by increasingly capable ransomware actors to further their operations. Infamous attacks like WannaCry and NotPetya in 2017 and the 2021 Colonial Pipeline attack demonstrated the impact that big-game ransomware can have, and the billions extorted from businesses have fueled a robust cybercriminal ecosystem.

We now find ourselves witnessing the "industrialization" of ransomware. Today, well-funded groups like LockBit run affiliate programs, operate victim-facing support channels that walk targets through payment, and sit atop a robust "supply chain" of initial access brokers and malware distributors.

Perhaps most important for security leaders is that the new crop of ransomware actors is very loud and very fast.

It is in the interest of many ransomware groups to publicize successful attacks in order to pressure victims into paying quickly. Leak sites, proof-of-attack documents, and update boards listing the enterprises they have compromised have become the norm among major ransomware operations.

Meanwhile, zero-day exploitation in 2023 reached one of the highest levels on record (Google and Mandiant counted 97 zero-days exploited in the wild that year), and initial data suggests 2024 did not slow down. The rise of "living off the land" tradecraft, which abuses legitimate administrative tooling already present in the environment (PowerShell, WMI, remote-management software, built-in backup utilities) instead of dropping custom malware, has further accelerated attacks: Mandiant's dwell-time data puts ransomware intruders at three to five days inside a network before they reach their objectives, less than half the time seen in other kinds of intrusions.

There is an old military adage that if your adversary can respond faster than you, they win. One key to combating modern ransomware is operational tempo: the speed at which security operations are conducted. That covers not just threat response but also how quickly the team adjusts to changed circumstances, makes decisions, and reallocates resources. In practice it means measuring time from first suspicious event to detection, and from detection to containment, against the handful of days an intruder now needs.
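To make the two preceding points concrete (living-off-the-land tradecraft, and operational tempo as something you can measure), here is an added example that is not code from the article or from Tines. It runs a few detection rules over constructed, Sysmon-style process-creation events (the hostnames, users, timestamps and encoded blob are all made up) and then reports how long the observed activity spanned and how long the SOC took to contain it; the containment time passed in is likewise an assumption.

```python
"""Added example, not code from the article or from Tines: a small detector
that runs over constructed Windows process-creation events (one event per
line, flattened from Sysmon-style logs) and flags living-off-the-land
behaviour that typically precedes encryption, then reports the
operational-tempo numbers a SOC would want for the incident."""
import re
from datetime import datetime, timezone

# Constructed sample events: timestamp | host | user | parent image | command line.
# None of this is real telemetry; hostnames, users and the encoded blob are made up.
SAMPLE_LOG = r"""
2024-05-02T09:14:03Z|WS-FIN-07|corp\jdoe|C:\Windows\explorer.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Q2_report.docx
2024-05-02T09:14:41Z|WS-FIN-07|corp\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2024-05-02T09:21:17Z|WS-FIN-07|corp\jdoe|C:\Windows\System32\cmd.exe|wmic /node:SRV-FS-01 process call create "cmd /c whoami"
2024-05-02T10:02:55Z|SRV-FS-01|corp\svc_backup|C:\Windows\System32\cmd.exe|vssadmin delete shadows /all /quiet
2024-05-02T10:03:10Z|SRV-FS-01|corp\svc_backup|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled no
2024-05-02T10:05:00Z|WS-HR-02|corp\asmith|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe notes.txt
"""

# Each rule: (name, ATT&CK technique, regex over the command line).
RULES = [
    ("encoded_powershell", "T1059.001",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("wmic_remote_exec", "T1047",
     re.compile(r"\bwmic\b.*/node:.*process\s+call\s+create", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin\b.*delete\s+shadows", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"\bbcdedit\b.*recoveryenabled\s+no", re.I)),
]
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(line):
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {
        "ts": parse_ts(ts),
        "host": host,
        "user": user,
        "parent": parent.rsplit("\\", 1)[-1].lower(),  # image name only
        "cmdline": cmdline,
    }


def evaluate(event):
    """Return the (rule, technique) pairs an event triggers."""
    hits = [(name, tech) for name, tech, pat in RULES if pat.search(event["cmdline"])]
    # An Office process launching a shell is the classic phishing-to-execution pivot.
    if event["parent"] in OFFICE_PARENTS and SHELLS.search(event["cmdline"]):
        hits.append(("office_spawned_shell", "T1204.002"))
    return hits


def run_detection(log_text):
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, tech in evaluate(ev):
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rule": name, "technique": tech})
    return alerts


def tempo_summary(alerts, contained_at):
    """Operational-tempo figures: when the first alert fired, how long the
    observed activity spanned, which hosts it reached, and how long the SOC
    took to contain it (contained_at is an ISO timestamp like the log's)."""
    if not alerts:
        return {"first_alert": None, "attack_window_s": 0, "hosts": [], "time_to_contain_s": None}
    first = min(a["ts"] for a in alerts)
    last = max(a["ts"] for a in alerts)
    return {
        "first_alert": first.isoformat(),
        "attack_window_s": int((last - first).total_seconds()),
        "hosts": sorted({a["host"] for a in alerts}),
        "time_to_contain_s": int((parse_ts(contained_at) - first).total_seconds()),
    }


if __name__ == "__main__":
    found = run_detection(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"].isoformat()} {a["host"]:<10} {a["technique"]:<9} {a["rule"]}')
    # Assumed containment time for the constructed incident (host isolated via EDR).
    print(tempo_summary(found, "2024-05-02T10:30:00Z"))
```

On this constructed incident the first alert fires within a minute of the phishing document opening, but shadow copies are being deleted on a file server 49 minutes later; the gap between that first alert and the assumed containment time is the number to drive down. The rules are deliberately narrow (encoded PowerShell, remote WMI execution, shadow-copy and recovery tampering) so that each hit maps to one ATT&CK technique and can be triaged without a human reading raw command lines.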

A major pillar of maintaining an effective operational tempo is investing in the right technology, and this is where we are seeing a sea change in security. The past ten years have been largely defined by platform approaches to security investment, eschewing best-of-breed point solutions for one-size-fits-all suites. For many reasons this made sense: more tools historically meant more attack surface and more vendor relationships to manage, and it was often cheaper to run a few large products than to patch together many small ones.

But ransomware "publicity campaigns" (for lack of a better term) have poked major holes in this approach. Perhaps no set of stakeholders in the cybersecurity ecosystem has more to lose from the rise of loud ransomware players than the legacy security platforms. Because ransomware groups publicize and disclose their attacks, the products that failed are now named in public, and vendors long seen as leaders are under growing scrutiny for the difficulty they have securing their own mission-critical network edge devices and for how long they take to ship patches.

We are now seeing a turn back towards a best-of-breed approach. VC funding of cybersecurity startups jumped 43% in 2024 to a total of $11.6 billion. These newer tools are typically built on modern stacks by smaller, more agile teams for whom the security of the product itself is a core part of the engineering work.

But even if point solutions are more secure in isolation, there is still the question of interoperability, and every integration between tools (API keys, webhooks, service accounts) is attack surface of its own. There has been rapid progress here too. Recent advances in workflow orchestration and AI make this kind of transformation possible, letting organizations assemble tech stacks that are more agile, as capable and cost-efficient as the platforms, and more customizable and secure by design, provided those integrations are scoped to least privilege and monitored like any other credential.

We are just at the beginning of this sea change, but it has the potential to be one of the defining trends in how large enterprises approach security investment. In the short term, CISOs must be stringent in vetting their technology vendors, especially long-standing partners.

They also need to approach their technology strategy with operational tempo in mind. In the "industrialization of ransomware" era, that may mean prioritizing robust integrations and workflows over any perceived efficiencies that come from large-scale platforms.

Matt Muller is Field CISO at Tines
