Ransomware is one of the most virulent and difficult security challenges organizations face. Cybersecurity experts predict ransomware will attack a business, consumer, or device every two seconds and will cost victims $265 billion annually by 2031.
WHAT IS RANSOMWARE?
Ransomware is a malware variant designed to deny a user access to their files or systems and is roughly separated into crypto and locker types — although many ransomware families today combine these capabilities and more.
Once ransomware has successfully infected a target machine or network, its operators attempt to extort their victims. Individuals were once most at risk from ransomware hidden within malicious attachments to emails, suspicious links, and drive-by downloads, but now, organizations are, by far, the most lucrative and appealing targets to criminals.
Today’s threat actors will use the lure of a decryption key (which may or may not work) to pressure the target into paying. Furthermore, businesses may find themselves subject to data theft-related extortion.
Ransomware families come in a variety of programming languages ranging from C++ to Rust and Golang (Go).
Well-known ransomware variants and operators include Alphv/BlackCat, WannaCry, CryptoLocker, Conti, Evil Corp, Grief Group, and Lace Tempest.
Ransomware gangs are, in almost every case, financially motivated. These cybercriminals stop at nothing to be paid — whether this means locking up your personal information or grinding the operations of a Fortune 500 company to a halt.
Victims will be directed to websites on the Dark Web and secure chat platforms to make a payment or negotiate a ransom. To disguise their tracks, ransom demands are made in cryptocurrency, most often in Bitcoin (BTC) — although other virtual coins including Ethereum (ETH) and Monero (XMR) occasionally make an appearance.
TO DATE, THE LARGEST RANSOMWARE PAYOUT
was reportedly made by CNA Financial, a major U.S. insurance company. The firm paid $40 million USD in an attempt to regain access to its systems following an attack by a ransomware group.
Another notable ransom payout was made by Caesars in September, that of $15 million USD, after a ransomware gang compromised the Caesar’s Rewards loyalty program database. The cybercriminals agreed not to publish user data if a payment was made — although it remains to be seen if they keep their promise.
There were 2,085 significant business-related ransomware incidents between January and June 2023, a 67% year-on-year increase, according to NCC Group data.
Ransom demands frequently reach millions of dollars, with many others falling within the range of five to six figures. If victims refuse, they may find themselves publicly “named and shamed” on leak sites and their confidential information may be leaked or sold.
Ransomware is a thriving cybercrime economy. While ransomware infections were once considered a consequence of visiting illicit websites or downloading illegal, cracked software, it is now a weapon of choice for cybercriminals indiscriminately attacking individuals, SMBs, and Fortune 500 organizations alike.
Ransomware continues to evolve for one reason: reaching greater heights in financial extortion. Despite CISOs and cybersecurity teams pouring resources into ransomware protection, and law enforcement cracking down on the lucrative, illegal industry worldwide, ransomware showed no signs of stopping this year.
The U.S. Financial Crimes Enforcement Network (FinCEN) says that ransomware poses a significant threat to businesses and the public. FinCen analysts claim that Russian cybercriminals are at the heart of many ransomware variants used today, accounting for 75% of ransomware-related incidents. Furthermore, the five highest-grossing ransomware variants are said to be connected to Russian threat actors.
Cybersecurity Ventures predicts that by 2031, ransomware will cost its victims approximately $265 billion, based on a 30% year-over-year growth over the next decade.
The costs include ransom payments, damage and destruction of data, lost productivity, theft of intellectual property, personal and financial data exposure, post-attack disruption to the ordinary course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
Cybersecurity Ventures predicts that a ransomware attack will strike a consumer or business every two seconds by 2031.
Ransomware operations can take many forms. Unsophisticated gangs might rely on phishing and spam, whereas other more advanced groups may take the time to perform reconnaissance first and select their targets carefully and quietly.
In some cases, groups buy commercially available ransomware licenses, a practice known as Ransomware-as-a-Service (RaaS), whereas others may develop custom digital weaponry and guard their creations for exclusive use.
What should be remembered is that many ransomware operations have evolved to the point they are structured in a similar way to businesses today.
Ransomware gangs may hire professionals to perform different roles, provide customer service and support, collaborate with other cybercriminals, or take “commissions” when a client using their ransomware strain successfully extorts payment from a victim.
Many ransomware gangs specifically target what is known as “Big Game.” Big Game are high-profile, high-value enterprise firms with large annual revenue streams — as well as a lot to lose if they experience downtime. Theoretical examples of Big Game targets would be Apple, Microsoft, Okta, Amtrak, or Sony.
The motive behind targeting Big Game is the possibility of higher payouts, often reaching millions of dollars.
Heidrick & Struggles’ 2023 Chief Information Security Officer (CISO) survey revealed that artificial intelligence, geopolitical challenges, and cyberattacks — including ransomware and state-sponsored threats — are considered the most significant organizational risks today.
Some of the most high-profile ransomware attacks this year include:
- ROYAL MAIL: The U.K. national mail service, Royal Mail, was struck by LockBit in January. The ransomware attack resulted in domestic and international shipments being delayed, with employees locked out of crucial operational files and systems. LockBit demanded an $80 million ransom. Royal Mail officials refused and branded the demand “absurd”
- DISH NETWORK: In Feb. 2023, breach notification letters sent by Dish Network revealed that a ransomware attack exposed confidential records and sensitive information belonging to current and past employees. Reports suggest a ransom was paid as the company “received confirmation that the extracted data has been deleted.”
- REDDIT: Also in Feb. 2023, employees of the popular online forum fell for a phishing campaign, granting attackers access to internal information. Alphv/BlackCatthreat actors demanded $4.5 million in ransom.
- CAESARS: The Caesars Entertainment casino chain paid out$15 million to cybercriminals following a ransomware attack that led to the theft of customer data from its loyalty program database, taking place in Sep. 2023.
- MGM RESORTS:MGM Resorts was subject to a ransomware attack on the heels of Caesars. Two ransomware groups claimed responsibility — Alphv/BlackCat and Scattered Spider — but in either case, MGM properties faced check-in system failures, digital key cards becoming unresponsive, and a return to cash-only payments for over a week.
- JOHNSON CONTROLS: In late Sep. 2023, Johnson Controls International suffered a severe ransomware attack with company devices and VMware ESXi servers becoming encrypted. The industrial giant, and its subsidiaries, have been severely impacted because of technical outages which have also spilled out into customer portals.
The tactics utilized by today’s cyberattackers are as varied as their targets. Ransomware groups may conduct an attack from start to finish themselves, or they may choose to hire other criminals to streamline the process. For example, it is possible to purchase initial access to networks on the Dark Web, and many of these brokers specialize in finding entry points suitable for cyberespionage and malware deployment.
Methods used by ransomware groups to compromise their victims are below:
- SPAM & PHISHING: A common way ransomware spreads is through mass generic spam emails and social media links, leading to the download of malicious attachments or drive-by downloads. However, attacks may be more likely to succeed when social engineering is involved.
- BRUTE FORCE ATTACKS: Automated brute force attacks are used to try and obtain user account credentials and gain a foothold in a target network.
- INITIAL ACCESS BROKERS: Also known as IABs, initial access brokers are traders on the Dark Web who sell initial access points to companies, including stolen credentials or working RDP tunnels. By purchasing initial access, ransomware gangs can avoid a time-consuming stage of the attack chain and go straight into network reconnaissance or infection.
- RECONNAISSANCE, SOCIAL ENGINEERING: Sophisticated ransomware groups will often perform surveillance on a target to learn about them and any related business connections, friends, or family members.
They may also conduct Open Source Intelligence (OSINT) activities to gather public knowledge about their targets. Armed with this information, attackers may masquerade as trusted contacts to lure victims into unwittingly executing ransomware. As in case with the recent MGM Resorts hack, it can take mere minutes to obtain the right credentials for a victim network with the right preliminary research.
- REMOTE DESKTOP PROTOCOL: Exploitation of the remote desktop protocol (RDP) is a common way for ransomware operators to intrude on your network. RDP is exploitable through software vulnerabilities and hijacking user accounts, logged in through off-site locations.
- EXPLOIT KITS: Exploit kits, such as Angler, RIG, and Blackhole may all bundle ransomware into a malicious package, combining it with software exploits to gain access to a vulnerable computer.
- INSIDERS: If a cyber gang can find a disgruntled employee, they may become an insider threat. The employee may be offered cash or a percentage of a ransom to deploy a malicious payload from inside a company’s network or “fall” for a phishing attempt. Employees may also become unwitting, accidental insiders if they make mistakes.
- DOUBLE EXTORTION: Double extortion consists of two tactics to extort payment. Confidential data is stolen before encryption, and then cybercriminals threaten to publish this information online unless they are paid.
- TRIPLE EXTORTION: A new, concerning trend is that of triple extortion. As noted by the World Economic Forum, some ransomware operators are now attempting data theft and extortion of the victim organization, and should the entity refuse, they will contact individuals involved in the breach to demand payment in return for their data staying confidential.
- LEAK SITES: Leak sites are hosted on both the Clear and Dark web. These websites act as name-and-shame portals for ransomware victims, who are threatened with their data being published if a ransomware payment is not made by a specific date or time.
There are many ways to protect yourself and your organization against ransomware, but for businesses today, it’s not a case of if, but rather when, a cyberattack or breach occurs.
Organizations can adopt a variety of practices to increase their security hygiene. Microsoft says that 98% of attacks can be avoided by implementing basic cyber resilience practices, including:
- Keeping operating systems and software up-to-date
- Analyzing the risk of new vulnerabilities and patching promptly
- Being aware of, and providing training for employees to recognize phishing and social engineering attempts
- Enabling multi-factor authentication on user accounts.
- Avoiding suspicious websites and implementing firewalls
- Implementing zero-trust policies in user management
- Maintaining regular, offline backups separate from your main systems
- Creating an incident response plan considering damage limitation, forensics, and legal aspects
Source: Cybersecurity Ventures