The Changing Face of Ransomware
Westend61 / Getty Images
As ransomware continues as a profitable business model, attackers are squeezing the inefficiencies out of their operations.
The specter of ransomware has been looming over organizations for some time, but recent reports show attacks are getting more sophisticated as attackers streamline their operations.
Headlines tend to focus on the amount to the ransom demanded and whether the victim should pay, but the ransomware payment is only about one-seventh of the overall cost of the attack, according to a new study by Check Point Research and Kovrr. Additional costs—for response, restoration, legal fees, network monitoring—kick in whether the ransom gets paid or not. In 2020, the study stated, “the average total cost of a ransomware attack was more than seven times higher than the average ransom paid.”
Attackers are increasingly targeting organizations they think will deliver the greatest rewards. They vary their ransom demands based on the victim’s estimated financial position, the quality of data exfiltrated, whether the victim has cyber insurance and the reputation of the ransomware group, the study said.
Extortion, or the threat to publish sensitive exfiltrated data, is also used to compel the victim to pay the ransom and unlock their data. In some cases, attackers are skipping the ransom part of the scheme and demanding payment for not posting stolen data online, according to The Register.
“Rather than scramble files and demand payment for the decryption keys, and all the [fuss] in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective,” the article stated.
The Karakurt extortion gang does not encrypted victim’s files, but rather it claims to have stolen data that it intends to publish, The Register stated. The group sends screenshots or copies of stolen file directories to the victim’s employees, clients and business partners along with harassing emails and phone calls to increase the pressure to cooperate, according to a June 1 Joint Cybersecurity Advisory from the FBI and the Cybersecurity and Infrastructure Security Agency.
In some ransomware schemes, crime groups offer "sliding-scale payment systems," Mandiant Intelligence VP Sandra Joyce told The Register. Depending on how much ransom the victims pay, they might get a control panel, decryption tools and even customer support, she said.
Another innovation, ransomware-as-a-service, is also gaining ground. It allows criminals with little to no programming experience to buy a subscription to a ransomware service, much like any cloud service, that comes with code, instructions for deployment, support and updates. Users or affiliates can then launch their own attacks, and the proceeds are divided between the ransomware developers and the affiliates who deploy it.
In another worrying development, the LockBit ransomware gang has launched a bug bounty program, asking for exploitable vulnerabilities in return for rewards up to $1 million, Bleeping Computer reported. The group is looking for website bugs, locker bugs, vulnerabilities in the TOR network or in TOX messenger. The organization is also willing to pay for “brilliant ideas” that improve its ransomware operations.
“The speed at which the cybercriminals are weaponizing the vulnerabilities has really increased,” Rob Joyce, director of the National Security Agency, told attendees at the recent RSA conference. He said that ransomware gangs were starting to use their profits to buy zero-day exploits, PCMag reported.
Ransomware’s operating velocity has also accelerated, shrinking the time organizations have to respond. Some malware can encrypt 54 GB in about 40 minutes, according to March research from Splunk.
The best way to avoid becoming the victim of a ransomware attack is to follow oft-repeated best practices: Develop and practice a cyber response plan, conduct regular vulnerability scans, patch actively exploited bugs, ensure devices are properly configured and that security features are enabled, enable multifactor authentication and maintain and test offline, encrypted backups.