How can we help?
Published: 25th August 2022 | In: Insights
There’s no doubt that ransomware attacks are a significant threat to organisations around the world today. Both the number of attacks attempted and the amount of money demanded has increased in the past few years, with criminals, who are mostly motivated by money, becoming greedier and more confident of succeeding without being caught.
A survey by analyst company International Data Corporation (IDC) revealed that “more than a third of organisations worldwide experienced a ransomware attack or breach that blocked access to systems or data” in the 12 months to August 2021, and many industry observers report that figures across the board have gone up since then.
A brief history of ransomware
Only ten or so years ago, ransomware attacks were mostly automated. Cybercriminals looked for potential targets, developed the tools to break in, and infiltrated organisations’ networks to deploy the ransomware payload that they had also most likely built themselves. They would typically attack one system of one company at a time.
This required many different skills, so their success rate was moderate, as was the ransom amount they demanded. They typically communicated by SMS and wanted payment via e-wallets. Their actions left a trail of evidence for security researchers to analyse, and they built up a good picture of the distinct methods different groups used to more easily identify them at the next crime scene.
Roll on a few years and the cybercriminals switched to encrypted messaging platforms, ramped up their demands and, of course: they wanted to be paid in hard-to-trace bitcoin.
Fast forward to 2022 and the cybercriminal world has evolved into an ecosystem made up of three different types of groups:
- The access broker focuses on finding organisations with vulnerabilities, compromising networks and probing for the easiest way into them – all to sell this as a package to other groups
- The developers build the ransomware-as-a-service (RaaS) tools to hire out
- After purchasing the access information and hiring the RaaS tools, a third group will move into the network, steal or encrypt data, execute the ransomware payload and make the ransom demand.
In short, it’s become an industry. Groups have taken on different specialist roles, splitting the profits depending on their skillsets and the risks involved in completing their part of the deal. This business model makes it harder for researchers to identify precisely which cybercriminal gangs were involved in each cybercrime.
Another consequence of this industrialisation is that the groups that deploy the ransomware payload are not as sophisticated as they might have been years ago – there’s a lower barrier to entry because their part is now simpler and requires less skill than ever before. However, on the whole the entire ecosystem is more advanced because each group needs to concentrate only on its part of the cyber-attack.
With huge amounts of money at stake, there’s also competition for talent, just like in any other industry. It’s been reported that some cybercriminal gangs even have HR and recruitment managers. And RaaS groups might well be marketing their services in competition with rivals.
Who are the ransomware gangs?
Microsoft Security has been monitoring and tracking cybercriminal gangs for years. It claims to actively follow more than 35 unique ransomware families and 250 unique threat actors, including those linked or run by nation-states, around the world. This takes a lot of time, expertise and resources because groups break up, reform and join others depending on the ebb and flow of the criminal world. However, when gangs become very adept with specific tactics, techniques & procedures (TTPs) it’s not easy for them to disappear at will and later resurface without relying on their tried and tested TTPs – that researchers identified them by previously.
Groups you might have read about in cyber security news website headlines include AlphV (also known as BlackCat, and previously known as BlackMatter or DarkSide), AvosLocker, Babuk, BlackBasta, BlackByte, Carbon Spider, Clop, Conti, Doppelpaymer, FIN7, GOLD NIAGARA, HelloKitty/FiveHands, Hive, ITG14, Karakurt (part of Conti), Lapsu$, LockBit, Ragnar, REvil and Ryuk.
Several of these have only emerged in the past few years, some as recently as 2021. And some are synonymous with the ransomware or other software they are infamous for, such as LockBit, which is known as a fast encryption tool.
Illustrating the lack of experience required to launch ransomware attacks, seven people involved in the Lapsus$ gang were arrested in the UK this year. They were aged between 16 and 21.
Who do they target?
While many cybercriminal groups aren’t fussy about who they attack as long as they make a profit, some do seem to focus on certain sectors and/or geographies. For example, FIN7 has a record of targeting the US retail, restaurant and hospitality sectors. Others seem to have a preference for health and medical centres or higher education institutions, perhaps because organisations in the same industry often use similar IT infrastructure and software. However, research has suggested that occasionally these ‘target areas’ can be a red herring as groups just got lucky with two targets in the same sector or country in a short space of time.
Although the majority of cybercriminals are believed not to be politically motivated, there are signs that since the Russian invasion of Ukraine cyber-attacks have actually decreased in frequency. While the jury is still out on the exact reasons for this, many industry analysts think the conflict has disrupted their operations. There are exceptions to the political motivation, of course, with one gang, Conti, publicly stating its support for Russia. However, in their case this led to a Ukraine-supporting member then leaking years’ worth of information about them, resulting in their breakup.
Two major trends
Almost everything about cybercrime is fluid and fast-changing, making it tricky to track patterns. One thing for certain, though, is that cybercriminals have taken more control over their attack methods. Another change of tactics has been the use of double extortion to maximise profits.
Firstly, more ransomware campaigns are now human-operated. Coined by Microsoft, this basically means that people make the decisions at every step of the ransomware attack based on which defences they come up against. This differs to the method used years ago when criminals developed the ransomware code, found a route into an organisation and released the software to do its damage without any human intervention. WannaCry and NotPetya are two infamous examples.
Until recently, once cybercriminals broke inside a network, they encrypted key data and held the organisation to ransom with the promise of sending a decryption key to free the data upon payment. Many organisations paid up. Plenty haven’t disclosed that they have done so in order to protect their reputations. But even when they paid, they weren’t guaranteed to get access to their data again, they might have had to wait a long time, and they had no way of knowing if that data had been sold on, or even if the cybercriminals remained in their network, perhaps to strike again at a later date. Different gangs employed different tactics, some keeping their word and others selling the stolen data anyway.
Double extortion tactic
Today, the most dominant approach is the double extortion tactic. Once inside a network, the criminals copy the data they want and store it elsewhere. Then they encrypt that data inside the organisation’s network, and demand a payment for the decryption key. They commonly demand contact and payment within a set number of days, perhaps providing evidence of the stolen data and a threat to release all the information on a dedicated website if they aren’t paid in full.
Variations on this approach include a sliding scale of ransom payments that rise over time. So the quicker the business pays up, the less money it needs to hand over. And reports have been published this year about another emerging trend: rather than go to the effort of encrypting data (this takes work and therefore costs money) some groups are simply copying the data they want and threatening to publish it online. Perhaps they see this as the most effective method of getting their victims to pay, depending on the type of business and the nature of the data. Either way, this is potentially extremely damaging to the company’s reputation with its customers, business partners and industry regulators.
Economic damage and government action
One estimate put the total costs to the UK’s businesses at £365 million in 2021 alone, although it’s not clear how much of this is made of ransom payments, recovery costs and lost revenue. But when criminals hit the jackpot it only incentivises them to repeat their crime elsewhere, or even hit the same company again for more money later.
In some countries, governments have indicated that they might take decisive action to prevent ransom payments being made at all. Gartner predicts that 30% of nation states will pass legislation to regulate ransomware payments, fines and negotiations by 2025.
It’s already begun in some sectors. This month in the UK, the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) wrote a joint letter to the Law Society to remind its members not to advise any of their clients to pay ransomware demands. They also stressed that there would be no discount to any fine handed out by the ICO to companies that had paid a ransom.
As we’ve seen, the ransomware business model is extremely fluid and every component, from the types of cybercriminal groups and the skillsets they contribute, through to the methods they employ, is constantly changing.
The good news is that the cyber security industry is growing in strength every year. This is thanks to government agencies, researchers and analysts, big technology companies and many independent cyber security companies all working together to keep organisations safe.