Cybercriminals can be ingenious, resourceful and entrepreneurial. This is one of the reasons that private businesses are currently facing a sustained threat from ransomware groups, who are increasingly audacious in their attempts to compromise networks and extort their victims. Recent examples have shown that these groups understand how to apply maximum pressure on their victims to improve the chances of a payout and they are always looking for new ways to make a profit. Some of these groups now turn over multi-millions a year from their “human-operated” attacks, which can result in significant payouts from victims wishing to get their data back.
It could be seen as a golden age for these groups, who are reaping extremely high returns. Governments must act decisively to control the “scourge of the internet”.
Piling on the pressure
Last week we learned that the REvil ransomware group had launched an attack against Quanta, a Taiwanese electronics supplier to Apple, and stolen product schematics. In a tactic which perfectly demonstrated the group’s understanding of applying pressure to its targets, REvil started leaking the designs just hours before an event showcasing some of the unreleased products, demanding an eye-watering $50m from Apple before 1 May 2021.
New revenue streams
Yet another example of these groups’ abilities to eke out profit was the revelation that a group calling themselves Darkside would provide information around their conquests to stock traders. The group published a message on their dark web blog saying they were willing to trade information to those wanting to short businesses in the expectation of a dropping share price following a data breach.
The increasing professionalisation of cybercrime
In the past few years, ransomware operators have shifted tactics from untargeted “spray and pray” email attacks which contained malicious software to much more targeted attacks, seeking out businesses and employees in specific industries, using tactics and techniques which reflected an ongoing and increasing professionalisation.
Preferred vectors for attack include using recently published technical exploits against public-facing infrastructure and remote-working technology such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). Criminal exploitation of newly publicized vulnerabilities can happen within days or weeks of the release of advisories from businesses to update their software, as was the case with a set of vulnerabilities in Microsoft’s Exchange Server email software, made public earlier this year. In this series of events, ransomware operators exploited the vulnerabilities just a few days after they were made public, demonstrating a rapid ability to adapt and use new and highly technical approaches in their attacks.
A golden age of ransomware
Just like the pirates of the golden age, ransomware groups have proliferated in number and impact. 2020 saw reports of ransomware attacks every day of the year and 2021 is on a similar trajectory. Volatile cryptocurrency markets and increasingly high extortion demands, which businesses frequently pay, have contributed to this success.
But the golden age of piracy was widely held to have come to an end when navies ramped up enforcement to rid the high seas of this economic threat. With governments beginning to take notice of this threat, is the golden age of ransomware due to come to an end as well?
Is time closing in on ransomware groups?
Cyberattacks are having increasingly profound impacts on supply chains, an issue which is no doubt of grave concern for governments trying to ensure healthy and functioning societies following the additional economic impact of the coronavirus pandemic. The attack on Quanta has shown that hugely important industries such as technology can be subjected to third-party risks, and governments have already ramped up sanctions regimes against ransomware and other cybercriminal groups. US authorities now place some cybercriminal groups on sanctions lists, meaning that businesses who may have been minded previously to pay may now think twice about doing so for fear of attracting heavy fines. Cryptocurrency exchangers are also increasingly regulated. If regulatory attention tightens further, this may force attackers to adapt tactics once again.
Businesses too are increasingly aware of cyber threats, partly due to data protection legislation such as GDPR and the threat of fines for inadequate controls, and partly due to the professionalisation of cybersecurity education and the cybersecurity industry, which has developed rapidly in the past ten years. This means that many businesses take cyber threats very seriously.
However, despite these attempts to control ransomware, the groups continue to innovate at a rate which outpaces many businesses’ defences, make higher demands and cause more damage. Even with all these steps in the right direction, we are not yet at a tipping point to reverse this trend.
Without more decisive and coordinated action to legislate and enforce against these groups, the situation will only get worse before it gets better - unfortunately for the victims, the golden age of ransomware is not ending. It will likely be some time before we see the level of legislation, enforcement and defences required to see it gone.
Businesses can take steps to reduce the risks posed by ransomware groups by ensuring they have a security programme which regularly audits cyber defences and vulnerabilities through intelligence-led security testing and has well-practiced incident response processes. Businesses which understand the developing tactics of attackers and have the means to prevent, detect and respond to ransomware incidents can reduce the level of damage caused by such an attack, ensure business continuity and avoid reputational damage.