SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
One billion dollars in funding for even more ransomware
Fri, 23rd Feb 2024

The profits are huge: according to blockchain analyst Chainalysis, ransomware gangs took more than 1.1 billion dollars from their victims in 2023. Does this figure say more about a sophisticated adversary, or is it an indictment of our resilience to cyber attacks? Well, it's actually a bit of both.

The ransomware - or digital extortion - business is thriving globally and gaining the kind of funds that attract new players and pay for new techniques and resources. Neither the US government's attempts at sanctions last year nor investigative successes against a number of ransomware groups have been able to prevent record payouts. 

Company managers must expect that ransomware gangs will continue to adapt their extortion techniques. It all began with the encryption of files; the origin of the ransom idea can be traced back to the AIDS Trojan from 1989, which demanded the transfer of a modest US$189 to a post office box in Panama in order to receive the decryption key. Until 2010, these kinds of attacks were largely a niche because ransom payments couldn't be scaled easily. All this changed with the invention of cryptocurrencies at the beginning of 2010, making it much easier for ransomware gangs to collect ransoms. Today, we see ransomware gangs blackmailing their victims twice over: first, the victim's data is encrypted; if they refuse to pay the ransom for decryption, data is then exfiltrated from the company network and the victim is threatened a second time with its publication online.

Inhumane scams create even more pressure

In the meantime, cybercriminals have found new ways to put even more pressure on victims. One such scam is triple blackmail. Here, the data is not only encrypted and then threatened with publication, but in a third attempt to extract cash, the criminals contact everyone whose data has been stolen and harass them in order to exert even more pressure on the victim organisation.

Several cases in the USA in which hospitals were blackmailed show just how ruthless the groups are. The hackers used stolen patient data to threaten these people with swatting. Swatting involves reporting a serious crime with weapons to the police at the target's place of residence so that police SWAT teams travel to the alleged crime scene heavily armed. People have been killed in swatting operations in the USA. 

Recently, ransomware groups have even involved authorities in their tactics. To promote transparency in cyber incident reporting, regulators are introducing much stricter breach notification rules, one example being the US Securities and Exchange Commission (SEC). Shortly after the new reporting requirement was published, the first case of quadruple extortion occurred. After the usual encryption, extortion and threats to publish data, the ransomware gang involved then threatened to denounce the victim organisation to the regulator for failing to comply with the reporting requirement for successful cyber-attacks!

All these new developments have massively increased the pressure on organisations to pay ransoms. However, they are by no means the most worrying trend in ransomware. The use of generative AI by ransomware gangs has made the detection of phishing by trained users and technical means much more difficult. And the evolution of the entire ransomware business to a ransomware-as-a-service (RaaS) model is disruptive.  

Thanks to the economies of scale of the RaaS platform and its thousands of paying subscribers, its operators can now afford to exploit vulnerabilities much faster than even organisations with the most efficient vulnerability management system can patch them. This has led to several highly effective campaigns targeting file transfer services and internet fraud infrastructures over the past year. Such RaaS platforms have also resulted in a huge number of new entities conducting ransomware attacks, as these "affiliates" no longer need the prerequisite technical expertise to conduct the attacks themselves.

Neglected stress tests at companies

And then there's the other side of the equation: the ability of organisations to respond to and recover from ransomware. Many IT operations teams and backup administrators prepare for cyber incidents as they would for a business continuity or disaster recovery (BC/DR) scenario. The problem is that BC/DR incidents have a limited number of root causes that can be quickly identified, so for those types of incidents, we can largely orchestrate and automate the response and recovery efforts.

In cyber incidents, we are dealing with an adversary that is constantly adapting, and we need to fully understand the incident before we can take the appropriate steps to mitigate the risk of further attack and bring the systems back online: what are my regulatory obligations to notify data subjects and regulators, based on the data exfiltrated; which controls were missing, failed to stop or detect the attack, or were circumvented; which persistence mechanisms the attacker added to re-propagate the ransomware; and which malicious accounts and other artifacts were left behind. Taking these investigatory steps when your communications, collaboration, security tools and backups have been compromised by the ransomware is a challenge. Trying to use endpoint security agents for investigation when you have quarantined your network to contain the spread of the ransomware, or trying to classify impacted data to determine reporting requirements after it has been encrypted, is impossible. Many organisations think their recovery time objective (RTO) for a cyber incident is determined by the speed of disk, pipe and recovery solution, yet they often fail to factor in the time the response process will take.

Ransomware preparedness is the single most important step any organisation can take to increase its cyber resilience, by ensuring that both its response and recovery processes are effective and efficient. There are invaluable lessons to be had from taking part in a realistic tabletop exercise conducted by people who have actually dealt with ransomware outbreaks, such as those Cohesity is running: they give business decision-makers the opportunity to go through a simulated ransomware attack and find out whether they are well prepared, where they have gaps, and what suitable practices exist to close those gaps.