Endpoint Security

Interview: Ransomware Is Surging. Here’s What You Need To Know To Protect Your Team

Zscaler’s Global CISO and Head of Security Research & Operations, Deepen Desai, discusses the latest ransomware trends.


Ransomware is one of the defining cyber-crimes facing organizations today. It’s hard to think of an industry or sector that has not been targeted by ransomware: businesses of all sizes and industries, schools, universities, governments, even hospitals have all fallen victim to targeted, ruthless and efficient ransomware attacks. 

Zscaler’s ThreatLabz 2023 State of Ransomware Report reveals that ransomware attacks are up by nearly 40% compared to last year, with a staggering average ransom demand of $5.3 million USD to restore corrupted data. Nearly half of all ransomware attacks target US-based companies, with the manufacturing services and construction sectors being most heavily targeted.

“Some folks are saying the number of ransomware attacks have plateaued,” Deepen Desai, Global CISO and Head of Security Research & Operations tells Expert Insights. “Based on what we are seeing, it’s a 38% year-on-year growth in ransomware attacks and a 37% increase in double extortion attacks. And more and more ransomware operators are moving to a Ransomware-as-a-Service model. That is how they are able to launch large scale, sophisticated attacks.” 

Listen To Deepen Desai On The Expert Insights Podcast

Ransomware With A Twist

Zscaler’s report tracks a number of key trends emerging in the ransomware space, including a fundamental shift in ransomware tactics. In a traditional ransomware attack, the main goal for the attackers is to encrypt critical data and force their victim to make a payment in order to resume business functionality. But increasingly, ransomware gangs are shifting their goal to outright stealing huge volumes of data – as much as 24 terabytes in one recent case seen by the Zscaler team.

The goal here is to avoid any kind of public detection. When company networks are disrupted, it’s unavoidable that public statements have to be made, which brings unwanted attention to ransomware gangs. When data is quietly stolen, the blackmail can take place in a much more subtle, under-the-table way, hidden from public view. 

“I would even go to the extent that [ransomware gangs] are moving toward customer service,” Desai says. “They want to avoid disruption for their customers, by not bringing down their operations. Some are even going to the extent of calling these attacks ’post-exploitation pen testing exercises.’ It’s as if they’re doing a favor, a security assessment. But it’s still a ransomware attack.” 

Ransomware gangs are even providing detailed reports to their victims after the ransom is paid, detailing how they got in, how they moved around, and what steps security teams should take to prevent future attacks. If the ransom is paid, they will go to great efforts to prove the data has actually been deleted, and in some cases will even give the victim access to the data on their systems, so they can delete it themselves. “I wouldn’t be surprised if they can even give you a reference chart from a previous victim, saying that they keep their word on removing the data,” Desai says. 

This improves the “credibility” of the ransomware company in the eyes of future victims and increases the likelihood of a successful ransom payout – all the more important as the average demand for a ransomware payment has hit an eye-wateringly high $5.3 million USD. 

When negotiating a ransomware payment, attackers do a lot of research into an organization’s liquid assets, insurance coverage, and accounts to get a good idea of what a company can pay before making a demand. “We’ve seen [ransomware gangs] refusing ransoms,” Desai explains.

“There was a victim where they were asking for $8 million. The victim engaged a ransom negotiation agency, and they tried to bring it down to north of $2 million. And the negotiation failed. The ransomware operator basically said: ‘We know you have this much cash in your account, we know you are able to pay this much.’ And the data was leaked in this case.”

Evolving Ransomware Strategies

Ransomware gangs are also evolving their ransomware methodologies to target vulnerabilities more effectively. “We’re seeing more and more attackers weaponizing vulnerability exploits into the payloads,” Desai explains. When software vulnerabilities are discovered, ransomware gangs are highly adept at incorporating exploitation modules into their ransomware payloads.

While organizations often patch vulnerabilities quickly in internet-facing applications, internal applications are often deprioritized, giving ransomware gangs the opportunity to strike. “That unpatched server becomes one of the beachheads for the bad guys to pop the server, escalate privilege, and steal sensitive information,” Desai says. “We will continue to see that as a trend going forward.”

In order to protect against these advanced ransomware attacks, organizations need to build out a comprehensive zero trust strategy, Desai explains. “The fundamentals of zero trust architecture are going to significantly help organizations in defending against these types of ransomware attacks.”

The first goal for any ransomware group is to identify an initial entry point into a corporate network. Cloud-based zero trust architecture, such as a cloud-native proxy solution, can help to minimize your attack surface while providing secure access to resources, no matter where you or your assets are. 

But the most important step in protecting against ransomware, and particularly protecting against the weaponized vulnerability exploits mentioned earlier, is by implementing user-to-app segmentation, which can limit the blast radius in the event a breach does occur. 

“Assume that one of your assets were to get compromised because of a poor choice, or there was a vulnerable asset. If the bad guy is contained to that asset, they will not be able to move laterally in the environment. They’re not able to get to your crown jewel applications, they’re not able to steal that sensitive data, they’re not able to establish network-wide persistence in your environment,” Desai explains. 

“I see a lot of organizations say they have zero trust implemented, but they’re just using virtualized versions of legacy architecture devices, like virtualized VPNs or VPNs running in the cloud. But it’s still providing that flat network, which is where they fall flat. Having that false sense of security is also dangerous.”

The final step organizations should take to defend against ransomware is to implement data loss inspection strategies. These tools can identify where large amounts of data are being exported from your network and can help teams to quickly detect data being stolen, either by ransomware groups or by other insider risks. “You need to apply custom dictionaries and DLP rules that are looking for data sensitive to your environment,” says Desai.

The Future Of Ransomware

There have been “some good, positive developments,” in the global fight against ransomware, Desai says. Zscaler is directly working with the JCDC (Joint Cyber Defender Collaborative), established by the US Cybersecurity and Infrastructure Security Agency (CISA) to lead the development and implementation of cyber defense strategies. 

“There are several law enforcement agencies that are going after specific ransomware gangs. And I’m not just talking about taking down the infrastructure, but actually going after the humans that are behind these operations. That has a more lasting effect, because [gangs] will always come back with a new infrastructure.”

In terms of evolution, Zscaler anticipates more and more encryption-less ransomware attacks will take place, in no small part due to the increased attention on ransomware gangs from law enforcement agencies, Desai explains. They also expect to see more “supply chain” attacks, in which ransomware gangs target service providers in order to move laterally across their vendors and customers with affected software installed. 

The third evolution Zscaler is tracking – and something Desai will be hosting a talk about at BlackHat 2023 – is changes at the code level of ransomware tech. “They’re using specific programming languages like Rust and Golang, and they’re moving away from C++, in an attempt to make it difficult to analyze and flag these payloads. But also to optimize, to make them quick, and to make them fast in the operations they’re designed to do- whether that’s encrypting the file, or stealing data.”

You can listen to our full interview with Deepen Desai on the Expert Insights podcast:

Listen On Spotify:

Listen On Apple Podcasts:

About Expert Insights

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.