Ransomware has been with us for a while and initially was mostly focused on encrypting individual devices. In 2013, CryptoLocker, a ransomware attack by the GameOverZeus organised crime group, combined strong public key encryption with cryptocurrency payments, making it a profitable business model.
Attackers began to target large organisations instead of small businesses or individuals, a tactic known as “big game hunting.” These targets were more likely to pay large ransoms to regain access to their critical systems and data.
In 2018, businesses became better at preparing for and responding to ransomware attacks. Criminals responded by refining their business model to maximise payouts: they combined data theft with extortion in big game hunting attacks, increasing the pressure on victims to pay. The WannaCry and NotPetya attacks combined encryption with self-propagation, causing widespread damage. This evolution highlighted the impact such attacks could have on national critical infrastructure and on large businesses.
The availability and legitimate trade of cryptocurrency made it easier, cheaper, and faster for attackers to obtain payments and purchase criminal services. It also made it harder to attribute attacks to individuals and control illicit payments. However, law enforcement is developing new ways to track cryptocurrency transactions, making it more difficult for attackers to profit from their crimes.
Cybercrime operations are increasingly becoming structured like legitimate businesses, with organised crime groups (OCGs) such as EvilCorp employing a workforce with benefits and a hierarchical structure. These OCGs often collaborate with smaller criminal groups and utilise illicit online marketplaces to trade services and tools.
The Russian-speaking cybercrime community poses a significant threat, benefiting from the infrastructure and expertise of larger OCGs. Ransomware-as-a-service (RaaS) has made ransomware attacks more accessible, enabling smaller groups to inflict substantial damage.
Sanctions and indictments against prominent OCGs like EvilCorp and Conti have led to a shift towards decentralised operations that rely on the broader cybercrime ecosystem. This shift is visible in the decline of previously dominant groups like Conti and Egregor and the rise of ‘as-a-service’ data leak sites such as ALPHV, Lockbit, and Hive.
Below is a typical ecosystem that is emerging in ransomware with different actors offering services.
How exploitation can happen
Most ransomware attacks are not targeted against specific organisations. Instead, attackers look for any opportunity to gain access to networks. They may buy access from other criminals or scan for vulnerabilities in common software products. This is because it is more profitable to attack many different organisations than to focus on a single target.
Most ransomware incidents are caused by poor cyber hygiene. This includes things like unpatched devices, weak passwords, and lack of multi-factor authentication (MFA). Implementing basic security measures, such as MFA, can prevent most ransomware attacks.
Criminals often scan the internet for devices with known vulnerabilities. They may use commercial datasets, such as Shodan, or conduct the scanning themselves. They target devices that are likely to be used by businesses, such as Microsoft Exchange servers, Citrix or VMware platforms, VPN devices, and firewall devices.
Criminal use of exploits often surges shortly after certain critical patches are released, indicating that the exploits are being reverse engineered from the patches. In most cases, an exploit is widely available on criminal forums less than one week after the patch is released. A zero-day exploit targets a recently discovered vulnerability that is not yet known to the vendor or to antivirus companies. Cyber criminals don’t need to develop their own zero-day exploits, as doing so is expensive and there are many devices ‘in the wild’ that are not patched regularly. However, some actors have been known to use zero-day exploits; most notably, there are public reports of Cl0p’s use of the Accellion, GoAnywhere and MOVEit vulnerabilities.
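The practical consequence of the above for a defender is a patch-window clock: once a critical patch ships, an internet-facing device in one of the product classes named above that has not been patched within about a week should be treated as exposed to a public exploit. The following added example (not part of the original article) shows a triage script that applies that rule over an asset inventory, together with the MFA hygiene check. The inventory, the vendor patch dates and the 7-day window are constructed assumptions for illustration, not real advisories or hosts.

```python
"""Patch-window and MFA triage for internet-facing assets (added example).

Assumptions (constructed, not from the article): the inventory below, the
per-product 'latest critical patch' dates, and a 7-day window derived from
the article's claim that exploits circulate within a week of a patch.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    product: str          # product class, e.g. exchange / citrix / vpn / firewall
    internet_facing: bool
    last_patched: date    # date the host was last fully patched
    mfa_enforced: bool    # remote access to the host requires MFA


# Constructed release dates of the latest critical patch per product class.
LATEST_CRITICAL_PATCH = {
    "exchange": date(2024, 3, 12),
    "citrix": date(2024, 3, 5),
    "vpn": date(2024, 2, 20),
    "firewall": date(2024, 3, 18),
}

# Constructed sample inventory (hostnames are made up).
INVENTORY = [
    Asset("mail-edge-01", "exchange", True, date(2024, 2, 1), True),
    Asset("citrix-gw-01", "citrix", True, date(2024, 3, 6), False),
    Asset("vpn-hq", "vpn", True, date(2024, 3, 19), True),
    Asset("fw-branch-02", "firewall", True, date(2024, 3, 1), True),
    Asset("file-internal", "windows", False, date(2024, 1, 10), False),
]

EXPLOIT_WINDOW_DAYS = 7  # assumed time from patch release to a public exploit


def triage(inventory, today, patch_dates=LATEST_CRITICAL_PATCH,
           window=EXPLOIT_WINDOW_DAYS):
    """Return findings ordered by urgency.

    Score 3: critical patch older than the window and not applied
             (an exploit is likely already circulating).
    Score 2: critical patch released but still inside the window.
    Score 1: internet-facing service without MFA.
    Internet-facing hosts sort ahead of internal ones at equal score.
    """
    findings = []
    for asset in inventory:
        reasons, score = [], 0
        release = patch_dates.get(asset.product)
        # Only patches that have actually been released can be outstanding.
        if release is not None and release <= today and asset.last_patched < release:
            age = (today - release).days
            if age >= window:
                reasons.append(f"critical patch {age}d old, not applied; "
                               f"exploit likely public")
                score = max(score, 3)
            else:
                reasons.append(f"critical patch {age}d old, not applied; "
                               f"{window - age}d left before expected exploit")
                score = max(score, 2)
        if asset.internet_facing and not asset.mfa_enforced:
            reasons.append("internet-facing service without MFA")
            score = max(score, 1)
        if reasons:
            findings.append({"host": asset.host,
                             "internet_facing": asset.internet_facing,
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: (-int(f["internet_facing"]), -f["score"]))
    return findings


def triage_sample(today_iso="2024-03-24"):
    """Run the triage over the constructed inventory for a given day."""
    return triage(INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in triage_sample():
        print(f"[{finding['score']}] {finding['host']}: "
              + "; ".join(finding["reasons"]))
```

Run on 2024-03-24 the script ranks the unpatched Exchange edge server first (its patch is 12 days old, well past the window), the branch firewall second (patch 6 days old, still inside the window) and the Citrix gateway third (patched, but no MFA); the internal file server produces no finding because its product has no outstanding critical patch and it is not internet-facing.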
How to help prevent ransomware and limit its impact:
- Maintain backups thoughtfully
- Develop plans and policies
- Harden your hardware and open only the ports that are needed
- Keep systems up to date
- Training goes a long way
- Cybersecurity hygiene goes a long way
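"Maintain backups thoughtfully" is the control that decides whether an encryption event is an outage or a ransom payment, so it is worth making the check concrete. The following added example (not from the original article) verifies a backup set the way an operator would before trusting it: every copy's hash matches the manifest, at least one verified copy is fresh, and at least one of those fresh verified copies sits in storage that a compromised host on the network cannot rewrite. The manifest, the in-memory "backup objects", the 24-hour recovery point objective and the storage class names are constructed assumptions; real backups would be files or objects rather than byte strings.

```python
"""Backup verification check (added example, constructed data).

Assumptions: a 24h recovery point objective, storage classes 'offline' and
'immutable' count as copies ransomware on the network cannot overwrite, and
backup contents are held as bytes here in place of real archive files.
"""
import hashlib
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(hours=24)        # assumed recovery point objective
OFFLINE_CLASSES = {"offline", "immutable"}  # not rewritable from the network


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed backup objects standing in for real archive files.
GOOD_DB = b"db snapshot 2024-03-23 contents"
GOOD_FILES = b"file share snapshot 2024-03-22"
STORE = {
    "db-2024-03-23.bak": GOOD_DB,
    # Modified after the manifest was written: simulates a corrupted or
    # tampered copy that must fail the integrity check.
    "files-2024-03-22.bak": GOOD_FILES + b"\x00",
    "db-2024-03-23.offline.bak": GOOD_DB,
}

# Constructed manifest written at backup time: expected hash per copy.
MANIFEST = [
    {"name": "db-2024-03-23.bak", "taken": "2024-03-23T02:00:00",
     "sha256": sha256_hex(GOOD_DB), "storage": "online"},
    {"name": "files-2024-03-22.bak", "taken": "2024-03-22T02:00:00",
     "sha256": sha256_hex(GOOD_FILES), "storage": "online"},
    {"name": "db-2024-03-23.offline.bak", "taken": "2024-03-23T02:00:00",
     "sha256": sha256_hex(GOOD_DB), "storage": "immutable"},
]


def verify_backups(manifest, store, now, max_age=MAX_BACKUP_AGE):
    """Check integrity, freshness and offline coverage of a backup set.

    'restorable' is True only when a verified copy exists that is both
    within max_age and held in an offline/immutable storage class.
    """
    report = {"missing": [], "integrity_failures": [], "stale": [],
              "fresh_verified": [], "has_offline_copy": False,
              "restorable": False}
    for entry in manifest:
        data = store.get(entry["name"])
        if data is None:
            report["missing"].append(entry["name"])
            continue
        # Recompute the hash; a mismatch means the copy cannot be trusted.
        if sha256_hex(data) != entry["sha256"]:
            report["integrity_failures"].append(entry["name"])
            continue
        taken = datetime.fromisoformat(entry["taken"])
        if now - taken > max_age:
            report["stale"].append(entry["name"])
            continue
        report["fresh_verified"].append(entry["name"])
        if entry["storage"] in OFFLINE_CLASSES:
            report["has_offline_copy"] = True
    report["restorable"] = bool(report["fresh_verified"]) and report["has_offline_copy"]
    return report


def verify_sample(now_iso="2024-03-23T20:00:00"):
    """Run the check over the constructed manifest at a given time."""
    return verify_backups(MANIFEST, STORE, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for key, value in verify_sample().items():
        print(f"{key}: {value}")
```

At 20:00 on 2024-03-23 the set is restorable: the tampered file-share copy is reported as an integrity failure, but a fresh, verified database copy exists in immutable storage. Run the same check two days later and every copy is stale, so the set is reported as not restorable even though nothing else changed; that is the condition a scheduled job should alert on.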