Ransomware is on the rise again, and dramatically so. Reports on the increases year on year vary: Group-IB’s analysis of more than 500 attacks during their own incident response engagements estimated that increase to be 150% in 2020. Blockchain research firm Chainalysis found a 311% increase, year on year, to the end of 2020 in the number of actual ransomware attacks. Whatever the real figure is, it is a problem that is growing, and businesses and organizations of all shapes and sizes, public and private, are feeling it.
There are many reasons why ransomware is on the rise, and to say it is just down to COVID-19 and bored people working from home clicking on anything that looks interesting simply doesn’t do justice to the real situation.
Of course, the pandemic, subsequent lockdowns and promises of a vaccine have all contributed to the problem, but none of these explain the “commoditization” of ransomware as a threat.
Why Are Ransomware Attacks Increasingly Common?
According to PwC, (and, it has to be said, a little common sense), there are three key reasons behind the increase:
- Barriers to entry are dropping. Ransomware-as-a-Service is becoming increasingly popular, allowing relatively unskilled bad actors to access complex tools and the environment from which to run their campaigns. There are also, in a most enterprising fashion, affiliate and channel partner schemes being run. Operators such as Sodinokibi/REvil, NetWalker and Nefilim all provide access to partners in pre-agreed profit-sharing arrangements.
- Ransomware activities are scalable. A consequence of the dropping of barriers to entry is that ransomware activities are now more efficient and therefore scalable. The rise of RaaS has meant ransomware activities that were beyond the capabilities of certain bad actors are now inherently accessible, and vitally, profitable.
- Existing bad actors are professionalising. There has been an apparent surge of investment in many of the platforms themselves, upgrading their core ransomware systems in an attempt to stay ahead of the game and evade detection.
The Changing Nature of Ransomware…and Ransomware Operators
There are other elements to consider too. The recent FatFace breach exposed the bargaining tactics of both the attacker and victim, with the ransom being actively negotiated down from $8M to $2M USD. Interestingly the initial figure was determined by the attackers as they had identified that FatFace has cyber insurance to the tune of £7.5M GBP.
How did they ascertain this figure? In what may be described as a multi-channel attack, and possible evidence of honour among thieves, a different ransomware gang stated that they now target firms who they know have cyber insurance, followed shortly after by a possibly (although not confirmed) connected attack on a major seller of… you guessed it… cyber insurance!
A final element to consider is quite how weaponised ransomware has become. Back in 1989, when the first example of ransomware was released, the AIDS/COP Trojan, the creator asked for $189 to be sent to a PO box in Panama. When caught, he was found to be unfit to stand trial but committed all of the money gained to be donated to AIDS research (Dr Joseph Popp was also a Harvard trained anthropologist, consultant for the WHO and worked with the Flying Doctors in Africa). Such magnanimous statements and professional activities are unlikely to be carried out by today’s career criminals!
Another change from early ransomware to today is that nothing is off the table when it comes to extracting money. We saw the negotiation tactics above bring to bear insider knowledge, but criminals also threaten to release the stolen data if a payment isn’t made (and often will anyway), publicly announce the breach in order to shame the company into paying.
If that isn’t bad enough, a Finnish healthcare provider that suffered a ransomware attack had their patients contacted by the criminals and threatened with the disclosure of their deeply private health records unless they also paid a ransom.
Criminals today will use every last ounce of leverage that they have over their victims to maximise profits and return on investment. In fact, they will use financial and emotional triggers to ensure that the victim feels they have little choice to pay and pay quickly. This form of insidious behaviour means a ransomware attack can not only leave someone financially vulnerable but also emotionally vulnerable too, leading to all sorts of long term damage to individuals and institutions alike.
With all of this, it is safe to say that today’s ransomware is nothing like the ransomware of the past. The ransomware of today has moved from playful to malevolent, fundraising to commercial, and annoying to insidious. With criminals thinking strategically, commercially and above all being highly motivated, there doesn’t appear to be any respite from the sheer volume of ransomware threats out there for us to have to deal with.