Ransomware began as a relatively opportunistic method of extorting money from individuals and organisations. But since earlier this year we’ve seen a shift, with ransomware increasingly being used by well-resourced threat actors such as organised crime groups.
Ransomware - innovation
It’s also believed that some APTs are using the ransomware business model to generate money to fund their operations, with the added effect of damaging the economies of the nations they target. The National Cyber Security Centre likewise reports that state-sponsored espionage is increasingly behind many ransomware attacks, with Russia and China said to be the main players.
In addition, actors have adopted more innovative approaches such as double extortion: the victim pays one ransom for the decryption of their data, and is then pressed for a further payment under the threat of the stolen data being published, with the attendant risk of reputational damage and regulatory fines.
Actors are also abusing the supply chain to subvert the defences put in place by more mature organisations. Recent high-profile attacks have gone through the software supply chain, which is particularly difficult to detect and overcome because the malicious code arrives via a trusted vendor’s own update or build process rather than through the victim’s perimeter.
The technology news website ZDNet, in its article Supply chain attacks are getting worse, and you are not ready for them, quotes the European Union Agency for Cybersecurity (ENISA), which analysed 24 software supply chain attacks and warned that it’s “crucial to understand that an organization could be vulnerable to a supply chain attack even when its own defences are quite good and therefore the attackers are trying to explore new potential highways to infiltrate them by moving to their suppliers and making a target out of them.”
In recent years ransomware as a service (RaaS) has grown into a thriving multimillion-pound industry, one run and operated much like a modern-day tech company. In fact, the level of customer service and aftercare provided is at times quite astonishing. Even in the criminal underworld it’s understood that a customer-centric approach is important to success…
Ransomware - the impact
The impact of ransomware is now having such an effect that politicians and policy makers have started to take note, with many believing that legislation offers the best way to address this growing problem. US President Joe Biden recently warned Russia to act against ransomware groups, or otherwise face repercussions from the USA.
Reuters, in their article Biden presses Putin to act on ransomware attacks, hints at retaliation, quotes President Biden as saying, “I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”
Director of GCHQ, Jeremy Fleming, says in his introduction to the NCSC’s 2021 Annual Review, “This year we have seen countless examples of cyber security threats: from state sponsored activity to criminal ransomware attacks. It all serves to remind us that what happens online doesn’t stay online – there are real consequences of virtual activity.”
Ransomware - some facts and figures
The impact of ransomware in 2021 has been clear to see.
Mandiant’s M-Trends 2021 report shows the impact on global dwell time: the overall median dwell time for investigations stood at 24 days, significantly down from 56 days in 2019, and the global median dwell time for ransomware intrusions in 2020 was reported as just five days. This drop was driven partly by the growing share of ransomware in the caseload, with ransomware-related investigations up 11 percentage points on 2019. The figures remain contested, however, because ransomware dwell time is frequently undercounted: the investigation often cannot trace the attack back to the true initial intrusion, because audit policies were insufficient, logs were not retained for long enough, or detective capability was lacking, so the earliest evidence an investigator can find sits well after the attacker actually arrived.
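The undercounting effect described above is easy to see on synthetic data. The following is an added example written for this page (it is not Mandiant’s methodology and uses no figures from any report): each constructed incident records when the attacker really got in (knowable only because the data is made up), when the ransomware was deployed, and how far back the victim’s logs actually reach. Observed dwell time is truncated at the edge of log retention, so the median that an investigator can evidence is far shorter than the true one.

```python
from datetime import date
from statistics import median

# Constructed sample incidents (hypothetical, not taken from Mandiant,
# Verizon or Coveware). true_intrusion is known here only because the
# data is synthetic; in a real case it is exactly what is missing.
INCIDENTS = [
    {"id": "A", "true_intrusion": date(2021, 1, 4),  "deployed": date(2021, 2, 1),  "retention_days": 30},
    {"id": "B", "true_intrusion": date(2021, 2, 10), "deployed": date(2021, 2, 14), "retention_days": 90},
    {"id": "C", "true_intrusion": date(2021, 1, 20), "deployed": date(2021, 3, 5),  "retention_days": 7},
    {"id": "D", "true_intrusion": date(2021, 3, 1),  "deployed": date(2021, 3, 3),  "retention_days": 14},
    {"id": "E", "true_intrusion": date(2021, 2, 1),  "deployed": date(2021, 3, 20), "retention_days": 7},
]


def true_dwell_days(incident):
    """Days between the real initial intrusion and ransomware deployment."""
    return (incident["deployed"] - incident["true_intrusion"]).days


def observed_dwell_days(incident):
    """Dwell time an investigator can actually evidence.

    The earliest surviving log entry can be at most retention_days before
    deployment, so anything older is invisible and the dwell time is
    truncated at the retention boundary.
    """
    return min(true_dwell_days(incident), incident["retention_days"])


def is_truncated(incident):
    """True when log retention is shorter than the real dwell time."""
    return true_dwell_days(incident) > incident["retention_days"]


def median_dwell(incidents, measure):
    return median(measure(i) for i in incidents)


def summarise(incidents):
    """Compare the true median dwell time with the one the logs support."""
    return {
        "median_true": median_dwell(incidents, true_dwell_days),
        "median_observed": median_dwell(incidents, observed_dwell_days),
        "truncated_cases": [i["id"] for i in incidents if is_truncated(i)],
    }


if __name__ == "__main__":
    result = summarise(INCIDENTS)
    print(f"true median dwell:     {result['median_true']} days")
    print(f"observed median dwell: {result['median_observed']} days")
    print(f"truncated by retention: {', '.join(result['truncated_cases'])}")
```

On this sample the true median dwell time is 28 days but the observed median is 7 days, and the two longest intrusions (C and E) are the ones cut short, which is exactly the bias that makes a headline “five day” ransomware dwell time look shorter than the attacker’s real presence on the network.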
In the 2021 Verizon Data Breach Investigations Report (DBIR), a new pattern, System Intrusion, was introduced. It groups a series of more complex attacks, the majority of which involved malware (70%).
This is believed to be related to the emergence, and the lucrative nature, of the ransomware-as-a-service industry. The primary motivation behind these attacks was financial (93%), with ransomware now accounting for 5% of all global incidents and appearing in 9% of all breaches, linked in particular to the rise of double extortion.
Earlier in 2021 there were reports that overall attacks had decreased in number as the criminals became more targeted in their approach, as mentioned in Infosecurity Magazine’s article, Ransomware Attacks Decline as Gangs Focus on Lucrative Targets, which reported Raj Samani, McAfee fellow and chief scientist, as saying “Criminals will always evolve their techniques to combine whatever tools enable them to best maximize their monetary gains with the minimum of complication and risk. We first saw them use ransomware to extract small payments from millions of individual victims. Today, we see RaaS supporting many players in these illicit schemes holding organizations hostage and extorting massive sums for the criminals.”
Coveware, a specialist ransomware incident response and negotiation firm, published statistics on the median size of organisations targeted in Q2 2021. These showed that the size of the companies being targeted had grown significantly since 2018, although it had dropped slightly from Q4 2020.
Nevertheless, Coveware also indicated that ransomware remains a big problem for small and medium sized businesses as well.
In his paper Human Operated Ransomware (HOR), Bridewell Cyber Defence Technical Lead Gavin Knapp looks in detail at the ransomware threat as we head into 2022, covering:
- The types of ransomware attack currently prevalent
- The major ransomware players
- An in-depth look at human operated ransomware and its complexity
- How to protect against an attack
- How to detect, respond to, and recover from an attack