Ransomware has staked its claim as a major element of the cybercriminal ecosystem. As one of the most potentially damaging and costly types of malware attacks, ransomware remains the kind of attack that keeps most administrators up at night, a Keyser Söze of the internet. As we move into 2022, ransomware shows no sign of slowing down, though its business model has gone through some changes that seem likely to persist and even grow over the coming year.
Ransomware-as-a-service subsumes attacks by solo groups
Over the past 18 months, the Sophos Rapid Response team was called in to investigate and remediate hundreds of cases involving ransomware attacks. Ransomware isn’t new, of course, but there have been significant changes to the ransomware landscape over this period: the targets have shifted to ever-larger organizations, and the business model that dictates the mechanics of how attacks transpire has shifted.
The biggest change Sophos observed is the shift from “vertically oriented” threat actors, who build their own bespoke ransomware and then carry out the attacks themselves, to a model in which one group builds the ransomware and leases its use to specialists in the kind of virtual breaking-and-entering that requires a skill set distinct from that of the ransomware creators. This ransomware-as-a-service (or RaaS) model has changed the landscape in ways we couldn’t predict.
[Figure: Sophos Rapid Response, reason for incident response engagements 2020-2021]
For instance, when the same group crafted and attacked using their own ransomware, those threat actors tended to engage in unique and distinctive attack methods: one group might specialize in exploiting vulnerable internet-facing services like Remote Desktop Protocol (RDP), while another might “buy” access to an organization previously compromised by a different malware group. But under the RaaS model, all these distinctions in the finer details of how an attack takes place have become muddled and make it more difficult for incident responders to identify exactly who is behind an attack.
Expanding extortion
Ransomware is only as good as your backups, or so an adage might go if any existed. The truth of this statement became the basis for one of the most devastating “innovations” pioneered by some threat actor groups involved in ransomware schemes in the past several years: the rise of extortion in ransomware attacks.
Increasingly, large organizations have been getting the message that ransomware attacks were costly but could be thwarted without a ransom payment if the organization kept good backups of the data the attackers were encrypting, and they have been acting on it by engaging large cloud backup firms to keep their systems cloned. After all, if you only lost one day’s worth of work, it would be a manageable loss, completely survivable for the targeted organization, if it chose to restore from backups rather than pay the ransom.
We have to presume that the ransomware groups were also getting the message because they weren’t getting paid. They took advantage of the fact that the average “dwell time” (in which they have access to a targeted organization’s network) can be days to weeks and started using that time to discover an organization’s secrets—and move everything of value to a cloud backup service themselves. Then, when the ransomware attack struck, they’d layer on a second threat: pay up or we release your most sensitive internal documents, customer information, source code, patient records, or, well, anything else, to the world.
It’s a devious ploy and one that put ransomware attackers back on their feet. Large organizations not only face a customer backlash – they could run afoul of privacy laws, such as the European GDPR, if they fail to prevent the release of personally identifiable information belonging to clients or customers, not to mention the loss of trade secrets to competitors. Rather than risk the regulatory (or stock price) fallout from such a disclosure, many of the targeted organizations chose to pay (or have their insurance company pay) the ransom. Of course, the attackers could then do whatever they wanted with the stolen data, including selling that sensitive competitive information to others, but the victims found themselves unable to resist.
As 2021 moved to a close, at least one ransomware group published a press release (of sorts) that stated they would no longer work with professional firms that negotiate on behalf of businesses with ransomware attackers. The overt threat leveled against ransomware targets was this: If you speak with or go to the police or work with a ransomware negotiation firm, we will instantly release your information.
There have been some bright spots on the horizon, however. In September 2021, the U.S. Treasury Department enacted financial sanctions against a Russia-based cryptocurrency broker and market, which the government alleges had been widely used as an intermediary for ransom payments between victims and attackers. Small steps such as this may offer a short-term solution, but for most organizations, we remain consistent on our basic advice: it’s far better to avert a ransomware attack by hardening your attack surfaces than to have to deal with the aftermath.
Sophos expects that threats of extortion over the release of data will continue to be a part of the overall threat posed by ransomware well into the future.