Ransomware is big business. It’s difficult to accurately measure just how big; the true size of the ransomware industry is masked by the fact that not all attacks and payments are made public. However, a simple analysis of the ransom payments in the news – where new ransomware headlines appear almost daily – reveals a multi-billion-dollar industry. Ransomware attacks are estimated to occur every 11 seconds, with the total cost of attacks to businesses exceeding $20 billion last year.
In 2022, there are no signs that ransomware is slowing down. From ransomware as a service (RaaS) to Big Game Hunting, cybercriminals are becoming increasingly sophisticated; ransomware represents one of the greatest threats facing businesses today. For chief information security officers (CISOs) and the wider executive leadership team, navigating the modern ransomware landscape is challenging. Attackers are almost always one step ahead – with innovative, well-funded and coordinated teams utilising every tool at their disposal to penetrate corporate networks. It can be difficult to know exactly what form a threat might take and where best to focus risk mitigation efforts.
The Evolution of Modern Ransomware
Ransomware has come a long way since the first recorded incident in 1989. The attack – known as the ‘AIDS Trojan’ or the ‘PC Cyborg’ – was distributed via floppy disk to the mailing list of a World Health Organisation AIDS conference. The ransom in this attack involved the victim mailing $189 to a PO Box address in Panama. It wasn’t until the advent of Bitcoin in 2009, which gave cybercriminals the ability to monetise ransomware attacks via virtually anonymous cryptocurrency payments, that the evolution of the modern ransomware industry began in earnest.
One of the most high-profile demonstrations of cybercriminals’ ability to generate significant revenue from large-scale ransomware attacks was CryptoLocker – a ransomware attack targeting business users via the GameOver Zeus botnet. CryptoLocker infected more than 250,000 machines within months of its release in September 2013, with almost 42,000 Bitcoins moving through the associated ransom accounts. Worth around $27 million at the time, today this haul would be worth well over $1 billion.
Since then, numerous similar ransomware variants have continued to plague businesses – primarily those based in the US, Canada, and UK. Research from BlackFog showed these countries represented 2 out of every 3 ransomware attacks in 2021. The scale of the ransomware threat has increased exponentially since the introduction of RaaS – a revenue share business model that recruits affiliates to distribute ransomware variants. With RaaS providers offering end-to-end support services to their clients, criminals with minimal technical abilities can launch their own sophisticated cyber-attacks. Malware is distributed widely, and ransom demands are optimised to encourage as many victims as possible to pay up.
An “Unimaginable Upward Trend”
In its Mid-Year Update to the 2021 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers revealed a 148% year-to-date increase in global ransomware attacks, with the UK suffering a 233% surge. SonicWall President and CEO, Bill Conner, described this as a “nearly unimaginable upward trend” – an alarming, but certainly not exaggerated, assessment of the rapidly evolving ransomware landscape.
One of the most critical factors – and the inherent challenge for security teams trying to mitigate this threat – is the increasing diversity of attacks. While RaaS represents a significant threat to businesses, Big Game Hunters are now targeting organisations with sophisticated, bespoke attacks designed for maximum impact.
The RaaS model represents a high-volume, low-investment form of attack. Big Game Hunting flips this idea on its head. Attackers choose their victim carefully, often targeting larger organisations where the potential for financial return is much greater. Attackers spend time selecting and studying their target before conducting any form of attack.
The tactics, techniques, and procedures (TTPs) employed are those typically associated with attacks targeting larger organisations with more complex environments – from reconnaissance and initial access through to privilege escalation and lateral movement. Attackers may be present in an organisation’s network for months before deploying a payload. With so much time and resources invested in any single target, the attackers will only initiate the attack once they are certain it will put the victim organisation in a position where they must pay. The attacker will likely have visibility into their victim’s backup and disaster recovery capabilities, making this form of attack extremely difficult to defend against.
Getting The Basics Right First
Big Game Hunting attacks are likely to become increasingly common in the coming years, driven by the potential to secure millions of dollars in ransoms. One high-profile attack, conducted by the DarkSide group, brought Colonial Pipeline – the largest fuel pipeline in the US – to its knees in May 2021. The pipeline transports nearly 50% of the US East Coast’s fuel; the DarkSide group deployed ransomware on the company’s computer system that oversees and manages the pipeline. Within just a few hours of the attack, Colonial Pipeline paid the ransom of $4.4 million.
Security leaders must continually review the tools and processes their organisation has in place to defend against these attacks, ensuring they have a comprehensive security strategy from the ground up. The organisation’s cyber defence strategy should encompass the assets and data that need to be protected, the specific threats to those assets and the security tools and processes needed to deal with these threats.
Getting the basics right first might seem obvious, but often this is both the most effective and overlooked aspect of an organisation’s defence strategy.
In the days following the Colonial Pipeline attack, Joseph Blount, the firm’s CEO, explained how the business was not using multi-factor authentication (MFA). This is an unforgivable oversight for such a key organisation in the US critical national infrastructure. With no MFA in place, just one compromised password led to one of the most damaging cyber-attacks in recent years. MFA, which appears in any list of basic cyber security essentials, could have prevented the Colonial Pipeline attack.
Even with MFA in place, it is still vital that passwords are strong, complex, and changed regularly. With a recent study showing fewer than half of users change their passwords after a breach, organisations are leaving themselves wide open to the risk of credential stuffing. Colonial Pipeline again offers a case in point – the compromised password used to gain access to the organisation appeared on a previously leaked credentials list published on the Dark Web.
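One basic control that follows from the leaked-credential point above is screening passwords against known-breached lists before they are accepted. The Python below is an illustration added here, not code from the original article; it shows a k-anonymity style check in which the client reveals only the first five hex characters of the password's SHA-1 hash and matches the remainder locally, mirroring the range-lookup format used by Have I Been Pwned's Pwned Passwords service. The breach corpus and its counts are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a published breach corpus:
# password -> number of times it has appeared in known leaks (made-up counts).
LEAKED_CORPUS = {
    "password1": 2_400_000,
    "Summer2021!": 350,
    "letmein": 90_000,
}

def _sha1_upper(password: str) -> str:
    """SHA-1 hex digest, upper-cased, as range-lookup services expect."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict) -> dict:
    """Bucket hashes by their first 5 hex chars (the 'range'); each bucket
    maps the remaining 35-char suffix to its breach count."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = _sha1_upper(pw)
        index[digest[:5]][digest[5:]] = count
    return index

def range_query(index: dict, prefix: str) -> list:
    """Server side: answer a 5-char prefix with 'SUFFIX:COUNT' lines.
    The server never learns which suffix, if any, the client holds."""
    bucket = index.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]

def breach_count(password: str, index: dict) -> int:
    """Client side: send only the prefix, then match the suffix locally."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(index, prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0

def password_acceptable(password: str, index: dict, min_length: int = 8) -> bool:
    """Policy: reject short passwords and anything seen in a breach,
    regardless of how 'complex' it looks."""
    if len(password) < min_length:
        return False
    return breach_count(password, index) == 0

INDEX = build_range_index(LEAKED_CORPUS)

if __name__ == "__main__":
    for pw in ("password1", "correct horse battery staple"):
        print(pw, "->", "breached" if breach_count(pw, INDEX) else "not in corpus")
```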
Shore Up or Pay Up?
The threat of ransomware is constantly evolving, and businesses must tackle it head on before it’s too late. The ability of criminals to monetise attacks means it’s virtually certain ransomware will remain the ‘go-to’ format for bad actors in the coming years. As attacks become ever more complex, ensuring a solid foundation of security now is essential. For every single organisation, an attack is inevitable – it’s only a matter of time. Security teams must shore up their environment if they are to minimise the risk of being faced with the difficult decision of paying a ransom. For the most serious attacks, the consequences of not paying may be too great. By prioritising security now, businesses can minimise the potential financial, reputational, and legal consequences they may face later.