Ransomware Attacks: The Worst Cybersecurity Threat Today, Part 1

“In the first 3 days of last week alone, I tracked 23 new ransomware and extortion victims, who are fighting attacks (most have not disclosed to the media). This Monday, I tracked 43 new organised ransomware gang incidents—before mid-day.”

That’s a recent warning from security researcher Kevin Beaumont. It highlights the critical (and still worsening) epidemic of ransomware attacks on the web today.

Many security insiders would agree that ransomware has become the most serious cybersecurity threat on the modern web. Not only that, it’s rapidly getting worse instead of better. In this article series, we’ll discuss:

  • The nature of the threat
  • The severity of the threat
  • Why this already-grave situation is getting even more dangerous
  • Why most organizations are addressing this threat in the wrong way
  • How to correctly defend against ransomware.

What is Ransomware?

Ransomware is malware that makes some or all of the victim’s IT resources unavailable until a ransom is paid. Usually this is done by encrypting important files on the targeted system, with the decryption key being offered as the reason to pay the ransom.

In addition to encrypting files, it’s becoming common for hostile actors to also threaten to publicly leak sensitive data if the ransom is not paid. To increase the pressure, some attackers today are even experimenting with including simultaneous DDoS attacks, although this tactic is still rare.

The Worst Cybersecurity Threat Today

The majority of high-profile security incidents today are due to ransomware. These attacks can cause severe damage, as seen recently in the Colonial Pipeline attack (which disrupted the gasoline supply for the US East Coast back in May), the JBS attack (which shut down 20 percent of the US meat market), and the Kaseya attack (which affected hundreds of businesses across the world).

Even the relatively “small” attacks can have a large impact on the victims. Coveware (which provides ransomware incident response services) reports that the average downtime from an attack is 21 days. Emsisoft (which assists victims in their recovery efforts) has found that businesses need an average of 287 days to fully recover from an attack.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received reports of 2,474 ransomware incidents, averaging more than six per day. Note too that of the attacks that occur each day, only a fraction of them are reported to the IC3.

Getting Worse: Profits as the Driver

When you consider the revenue being collected by ransomware gangs, it’s not difficult to understand why they have been scaling up their efforts.

According to the US government-sponsored Ransomware Task Force report, victims paid an estimated $350 million in ransoms in 2020. Recent payouts have included the University of California at San Francisco ($1.14 million), foreign currency exchange Travelex ($2.3 million), the Colonial Pipeline ($4.4 million), travel management firm CWT ($4.5 million), and CNA Financial Corp. ($40 million).

Think about that last one. Very few businesses today can afford to spend $1 million annually to defend themselves against cyberthreats. But one ransomware gang alone collected forty times that amount for a few days of effort.

Last October, the REvil ransomware gang (perpetrators of the JBS and Kaseya attacks) said they had made more than $100 million profit over the previous year. Their ultimate goal is to make $2 billion.

With this amount of money seemingly available for the taking, we can expect the current ransomware epidemic to become far worse.

Getting Worse: Organization and Efficiency

Many executives still think of hackers as being individuals, or perhaps small groups. This is a dangerous misconception, especially for ransomware.

As the potential profits have risen, ransomware has become dominated by large organized-crime enterprises, often known as gangs. Along with REvil, other prominent gangs include the operators of DarkSide (perpetrators of the Colonial Pipeline shutdown), Wizard Spider (operators of both Conti and Ryuk ransomware), and FIN7 (which has, according to the FBI, caused more than $100 million in damage to national chains such as Chipotle Mexican Grill, Arby’s, Chili’s, Red Robin Gourmet Burgers, Taco John’s, Sonic Drive-in, and Trump Hotels).

There is now a mature industry surrounding and supporting ransomware. There are specialized service providers: for example, initial access brokers find vulnerable systems, penetrate them, and then sell access to ransomware operators for financial exploitation. The operators themselves offer RaaS (Ransomware as a Service) in a performance-based framework; they develop the software platforms, and then affiliates use them to launch attacks against victims around the world. When a ransom is paid, the affiliate receives most of the money (typically 70-80 percent).

Many of these gangs operate openly in Russia and other CIS states. They advertise for affiliates, they recruit developers on job boards, and so on. Local authorities mostly ignore them and allow them to operate freely, because these groups forbid their affiliates from attacking any business or entity within the borders of the CIS. In fact, the US government has openly accused Russia of working with these gangs: “the FSB [Russia’s Federal Security Service] cultivates and co-opts criminal hackers… enabling them to engage in disruptive ransomware attacks and phishing campaigns.”

Due to the windfall revenues they receive, these gangs are very well-funded. REvil recently had a recruitment drive on a Russian-language hacker forum, and sought “skilled hackers at penetration testing.” To demonstrate their resolve and financial resources, they deposited $1 million in bitcoin to the forum’s electronic wallet.

It’s important to avoid underestimating not only their resources, but also the scope and organization of these gangs. For example, a Latvian woman was recently arrested and charged with being one of the developers of Trickbot, a sophisticated malware suite which is often used at the beginning stages of a ransomware attack. Her indictment reveals the group’s internal structure, and it sounds like a modern software startup. Trickbot managers advertise for talented developers on Russian freelancing and employment websites, and require candidates to demonstrate their abilities by solving programming challenges. They also function as the equivalents of COOs and CTOs. Meanwhile, Trickbot developers work in highly specialized roles; some develop the software itself, some work on encrypting it so it can evade detection, while others work on distribution. The organization uses false credentials to pay for and maintain its infrastructure, communicates via encrypted channels using multiple layers of proxies, and collects payments through money mules.

Another example is seen in the criminal complaint filed against Denys Iarmak, alleged to be part of FIN7. This prominent international gang has used private Jabber servers for communication, HipChat for interviewing and recruiting new members, and Jira for project management.

Getting Worse: The Rise of Extortionware

As ransomware gangs expand the capabilities of their attack tools, they also work continually on improving monetization and profitability.

Over the past year or so, many gangs have begun using a new tactic. Leaks from the Conti and Pysa operations show that many gangs do not immediately encrypt their victims’ data anymore. Instead, they now follow a three-step process:

  • Scan the victim’s system to find particular kinds of data
  • Exfiltrate it
  • Then encrypt everything.

Once the encryption attack has been completed, they send a ransom demand that contains both a carrot and a stick:

  • “If you pay the ransom, you’ll receive the decryption key and the incident will be over.
  • “If you don’t pay the ransom, you won’t receive the key, and we’ll also publicly leak all this data that we stole.”

To maximize revenue, the initial pre-encryption scan includes a search for keywords such as “insurance,” “underwriting,” and “claim.” The attackers want to know if the victims carry cybersecurity insurance, and if so, how much coverage they have. They can then demand the highest possible ransom.

The gangs also search for keywords that can maximize the possible harm from a data leak. Along with markers of PII (Personally Identifiable Information) such as “SSN” and “401K,” the hackers also look for potentially compromising information via keywords like “fraud,” “clandestine,” “disclosure,” “concealed,” and “illegal.”
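As an added defensive example (not code from the original article), the following Python flags the three-step pattern described above in constructed file-audit events: a burst of reads aimed at files whose names carry the keywords the gangs search for, followed by a burst of writes consistent with bulk encryption. The audit-line format, process names, file paths and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict

# Keywords the article reports gangs searching for before they encrypt.
EXTORTION_KEYWORDS = ("insurance", "underwriting", "claim", "ssn", "401k",
                      "fraud", "clandestine", "disclosure", "concealed", "illegal")

# Constructed sample audit lines in a hypothetical "<epoch> <process> <action> <path>" format.
SAMPLE_AUDIT_LOG = """\
1000 winword.exe READ C:/Finance/Q3_report.docx
1001 svchst.exe READ C:/HR/employee_SSN_list.xlsx
1002 svchst.exe READ C:/Legal/cyber_insurance_policy.pdf
1003 svchst.exe READ C:/Legal/underwriting_terms.pdf
1004 svchst.exe READ C:/Finance/401k_contributions.csv
1005 svchst.exe READ C:/Legal/fraud_investigation.docx
1040 svchst.exe WRITE C:/Finance/Q3_report.docx.locked
1041 svchst.exe WRITE C:/HR/employee_SSN_list.xlsx.locked
1042 svchst.exe WRITE C:/Legal/cyber_insurance_policy.pdf.locked
1043 svchst.exe WRITE C:/Legal/underwriting_terms.pdf.locked
1044 svchst.exe WRITE C:/Finance/401k_contributions.csv.locked
"""

def parse_audit(text):
    """Turn audit lines into (timestamp, process, action, path) tuples."""
    return [(int(ts), proc, act, path)
            for ts, proc, act, path in (l.split(" ", 3) for l in text.splitlines())]

def has_burst(times, n, window):
    """True if at least n events fall inside any window of `window` seconds."""
    t = sorted(times)
    return any(t[i + n - 1] - t[i] <= window for i in range(len(t) - n + 1))

def detect_extortion_pattern(events, threshold=5, window=60):
    """Per process: flag a keyword-targeted read burst, a mass-write burst, or the full scan-then-encrypt sequence."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev[1]].append(ev)
    alerts = {}
    for proc, evs in by_proc.items():
        kw_reads = [ts for ts, _, act, p in evs if act == "READ"
                    and any(k in p.lower() for k in EXTORTION_KEYWORDS)]
        writes = [ts for ts, _, act, _ in evs if act == "WRITE"]
        scan = has_burst(kw_reads, threshold, window)
        encrypt = has_burst(writes, threshold, window)
        if scan and encrypt and max(kw_reads) < min(writes):
            alerts[proc] = "scan-then-encrypt"   # reads of sensitive files, then bulk writes
        elif scan:
            alerts[proc] = "sensitive-data-scan"
        elif encrypt:
            alerts[proc] = "mass-write"
    return alerts
```

Run on the constructed log, the ordinary document read by winword.exe produces no alert, while the second process is flagged for the full sequence.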

An REvil representative has said that one out of three victims is willing to pay to prevent their data from being leaked, and the gang now makes more money from this extortion than it does from decryption ransoms. It’s not hard to see why.

Getting Worse, with No End in Sight

Today’s ransomware threat environment poses a clear danger to Internet-facing businesses, and there are several trends that will make it even worse than it already is.

Clearly, organizations need strong defenses against ransomware attacks. Unfortunately, many are addressing this threat incorrectly.

How they are doing this will be discussed in Part 2.
