High-profile ransomware attacks around the globe during the first half of 2021 are forcing businesses, individuals, and governments to acknowledge that these costly and disruptive attacks are the new normal. The tactics, techniques, and procedures (TTPs) used by ransomware groups are becoming more efficient, while technically sophisticated and versatile business models and a mature cybercriminal ecosystem are expanding the threat landscape. A strong, intelligence-driven cyber defense is one of the best strategies for protecting against ransomware. This ransomware series examines several challenges surrounding ‘cyber defense’ and presents suggestions for the cyber security community. This post begins by looking at the growth of ransomware.
Ransomware: A Growth Industry
Ransomware attacks are growing at a faster rate than network defenses can be updated to prevent them. May 2021 saw the most ransomware attacks ever recorded in a single month, according to SonicWall. The same article noted that as of May, the 2021 year-to-date number of ransomware attacks represented a 116% increase over the same period in 2020. (1) Ransom amounts are growing as well, making ransomware incredibly lucrative. In its 2021 Ransomware Threat Report, Palo Alto Networks noted that among North American and European victim organizations, the average sum paid for a ransomware attack increased 171% in a single year: from $115,123 in 2019 to $312,493 in 2020. The same report indicates the single highest ransom demand doubled from $5 million in 2019 to $10 million in 2020. (2) An increasingly efficient business model is driving much of this growth.
Making the Ransomware Business Model Work
A ransomware incident can be extremely disruptive, and the prospect of lost business or a dip in stock price compels many companies to pay ransoms quickly. This means successful attacks against high-value targets can be exceptionally lucrative. Press reports state REvil initially demanded $70M in ransom from Kaseya. Although REvil reportedly reduced the ransom demand to $50M a few days later, either amount is huge. (3) Kaseya’s status as a key service provider and its international customer base probably emboldened the attackers to demand such a high ransom. While few ransoms are this high, a recent survey by Sophos indicates 32% of respondents across industries opted to pay ransoms, indicating the trend of paying ransoms is both common and underreported. (4)
One reason for the growth in both the number of ransomware attacks and the size of ransom demands is that attackers are adopting TTPs that have already proven effective. These TTPs range from adapting single-purpose malware into a multi-functional threat to facilitating ransom negotiations. Attackers are employing these methods with growing frequency and focus.
The sophisticated and mature nature of the cyber-criminal ecosystem allows threat actors to scale up their attacks for maximum impact. Outsourcing the parts of the process that require special skills, such as initial access to compromised networks, exploitation of vulnerabilities, and malware deployment, gives an extremely high return on investment for successful ransomware attacks.
The new trend of both encrypting and exfiltrating data (called “double extortion”) compels victims to pay for fear of having stolen data leaked if they refuse. (5) Attackers are also deliberately selecting targets that face the greatest pressure to quickly resume a critical service or limit disruption to clients. The ransomware incident against Kaseya illustrates how pressure from an international client base can have an outsized impact on a company’s willingness to pay up. (6)
Developers who offer off-the-shelf ransomware packages as a service for their affiliates make it easier for non-hackers and non-programmers to deploy ransomware. One example of a group which uses an affiliate model is Darkside, the group whose malware was behind the Colonial Pipeline ransom incident earlier this year. (7)
Countering the Business of Ransomware with Cyber Intelligence
Experts in industry and government are deliberating the best ways to react to ransomware attacks, but prevention and survival boil down to a willingness to prioritize cybersecurity. Those who take the initiative to implement an intelligence-driven defense that adheres to accepted cybersecurity best practices will be best positioned to avoid a ransomware attack, or to respond to one effectively.
1. SonicWall. 2021, June 21. Already a Record-Breaking Year for Ransomware, 2021 May Just Be Warming Up. Retrieved from https://blog.sonicwall.com/en-us/2021/06/already-a-record-breaking-year-for-ransomware-2021-may-just-be-warming-up/
2. Palo Alto Networks. 2021, March 17. Highlights from the 2021 Unit 42 Ransomware Threat Report. Retrieved from https://unit42.paloaltonetworks.com/ransomware-threat-report-highlights/
3. Greig, Jonathan. 2021, July 7. Should Kaseya Pay REvil Ransom? Experts Are Torn. Retrieved from https://www.zdnet.com/article/should-kaseya-pay-revil-ransom-experts-are-torn/
4. Sophos. 2021. The State of Ransomware in Government 2021. Retrieved from https://secure2.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-state-of-ransomware-in-government-2021-wp.pdf
5. The Institute for Security and Technology, Ransomware Task Force. 2021, April 30. Combating Ransomware. Retrieved from https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf
6. Hammond, John. 2021, July 3. Rapid Response: Mass MSP Ransomware Incident. Retrieved from https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident
7. Schwartz, Mathew J. 2020, November 12. Darkside Ransomware Gang Launches Affiliate Program. Retrieved from https://www.bankinfosecurity.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government. EclecticIQ’s Threat Research team strives to apply the analytic rigor principles of U.S. Intelligence Community Directive 203 to its analysis.