Original Release Date: 7/26/2023
The Evolution of Ransomware: A 5-Year Perspective
Ransomware is malware that, once installed, encrypts files and converts their content into unreadable data. The threat actors then extort the victim: the encrypted files can be deciphered only with a decryption key that the actors hold and release once a ransom payment is made. Ransomware has become one of the most detrimental types of cyberattacks impacting organizations and individuals in recent years. Although every sector globally is at risk, threat actors have recently been targeting government and critical infrastructure, primarily in the US.
Ransomware is sold as a service, known as ransomware-as-a-service (RaaS), to operators or customers who pay a subscription, share a revenue split or percentage of the collected ransom for each attack with the developers of the service, or purchase the service outright. RaaS is considered a worthwhile investment because carrying out a ransomware attack requires very little skill, the risk of getting caught is low, and the reward is high. Besides government-sponsored or independent actors, there are cybercriminal groups, prominently in China, Russia, and North Korea, that sell RaaS with access to many tools and resources. The rise of RaaS will likely increase the frequency of these attacks and cost organizations more money every year. For example, Conti and Ryuk are ransomware variants sold to cybercriminals, and both originate from the Wizard Spider group, a Russian group speculated to be affiliated with the Russian government. These variants specifically have been used to target health organizations in the US and around the world, resulting in millions of dollars in losses and forcing organizations to resort to pen-and-paper methods of recording information.
Furthermore, as ransomware attacks have become more prevalent, the overall costs associated with an attack have increased exponentially. Although the monetary cost of a ransomware attack is great, the organizational impacts can sometimes be more devastating than any monetary loss. Ransomware is no longer petty cybercrime, as the magnitude of an attack can also result in the loss of life. Therefore, organizations should implement proper security measures to help prevent these attacks and minimize their impact.
Motives
Since 2017, ransomware attacks have become more prevalent and continue to increase each year. The ransomware model became more attractive to cybercriminals after the inception of Bitcoin and other cryptocurrencies, which allow payments to be sent more anonymously than traditional payment methods. Threat actors originally facilitated ransomware attacks with mass phishing campaigns targeting the average user and obtaining a ransom payment to decrypt their files. The phishing emails appeared to come legitimately from inside or outside the organization and contained malicious attachments and/or links. Larger organizations and critical infrastructure are now being targeted for monetary gain by more sophisticated ransomware backed by cybercriminal groups with more resources than ever before. Nation-state-sponsored groups have mostly employed sophisticated schemes to target their adversaries for political and monetary gain, so the leverage they gain when an attack succeeds is invaluable.
Tactics
In recent years, ransomware attacks have started to impact more than the everyday user. Nation-states have started to participate in these attacks, either by deploying them themselves or by sponsoring criminal groups within their country. State-sponsored ransomware attacks, and cyberattacks in general, have become modern-day warfare between countries with ongoing conflicts. Not only do nations extort money from others, but they also halt critical infrastructure in the process, which can be devastating depending on the extent of the attack. Attacking the critical functions of a country almost ensures that the attackers receive payment, because these organizations must resume operations as soon as possible.
In 2017, WannaCry and NotPetya were two of the most infamous and damaging ransomware attacks ever conducted. WannaCry infected approximately 230,000 computers in 150 countries. The ransomware spread by exploiting a vulnerability in the Windows implementation of SMBv1, a network resource-sharing protocol that runs over TCP, the transport protocol every internet-connected device relies on. While Microsoft patched the vulnerability before it was publicly known, many users had not patched their devices and remained vulnerable. Once a system was infected, the ransomware spread to every device that communicated with it, without any human intervention. Ransomware, along with many other malware strains, is extremely effective as a result of human error or ignorance. WannaCry was interrupted by a security researcher who registered a previously unregistered domain that acted as a kill switch, thus stopping the encryption. The ransomware could easily be modified and spread again to compromise more systems. This vulnerability is still being exploited today, but not to the extent of the original WannaCry attack.
WannaCry was a true ransomware in which the decryptor would execute to decrypt the files after the ransom was paid. Shortly after WannaCry, a new ransomware variant dubbed NotPetya exploited the same Microsoft protocol as WannaCry and started to spread and infect systems. NotPetya was purposely built to permanently compromise all the data on a system, and the attackers did not implement a way to identify individual compromised systems, making it impossible for them to provide a decryption key. NotPetya was a different type of ransomware with wiper or destroyer capabilities and was considered one of the most destructive ransomware variants. In total, these attacks have cost organizations billions of dollars and months of recovery effort. Wiper or destroyer tactics that involve no ransom payment are still used in a cyberwarfare context today, and it is more than certain that malicious threat actors will combine these tactics for both monetary and political gain.
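As an added example (not from the original article), the following PowerShell script audits whether the SMBv1 protocol that WannaCry and NotPetya exploited is still enabled on a Windows host and, with the assumed `-Remediate` switch, disables it. It assumes Windows 8/Server 2012 or later with the built-in SmbShare and DISM cmdlets and an elevated session; patch status for the underlying vulnerability should be verified separately.

```powershell
# Added example, not the article's own material: audit SMBv1 exposure on a
# Windows host and optionally turn the protocol off.
# Assumes an elevated session on Windows 8/Server 2012 or later.
param([switch]$Remediate)   # -Remediate is a switch defined by this script

# Server side: does this host still accept SMBv1 connections?
$server = Get-SmbServerConfiguration
[PSCustomObject]@{
    Host        = $env:COMPUTERNAME
    Smb1Enabled = $server.EnableSMB1Protocol
    Smb2Enabled = $server.EnableSMB2Protocol
} | Format-List

# Feature side: is the SMB1 optional feature (client/server) still installed?
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1*' |
    Select-Object FeatureName, State |
    Format-Table -AutoSize

if ($Remediate -and $server.EnableSMB1Protocol) {
    # Stop serving SMBv1 immediately, then remove the feature (reboot needed).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Output "SMBv1 disabled on $env:COMPUTERNAME; reboot to complete removal."
}
```

Run it without `-Remediate` first to inventory hosts, since legacy devices that only speak SMBv1 will lose access once the protocol is disabled.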
In late 2019, the Maze ransomware group started targeting organizations holding sensitive or incriminating data and employing a double extortion tactic: threatening both to encrypt files and to release the data stolen from victim networks on the internet, so that a ransomware incident also becomes a data breach, which may result in additional costs from regulators. They first compromised Allied Universal systems, which contained sensitive patient and contact information. When Allied Universal refused to pay the original ransom demand of 300 Bitcoin (approximately $2.3M), the group released 700 MB of their data to the public and raised the ransom by 50 percent. It was unclear whether Allied Universal paid the ransom, but the group continued to employ this tactic into 2020, and it remained prevalent as an effective tactic. In April 2021, the REvil ransomware group attempted to extort Apple by attacking Quanta Computer, a close affiliate of Apple largely responsible for assembling some of Apple’s best-selling products. After Quanta would not respond to the group’s demands, they approached Apple directly and demanded $50M, one of the largest ransom demands in history. REvil posted a screenshot of Apple’s computer blueprints on their blog as proof that they were serious about leaking the stolen data. It was unclear whether Apple paid this ransom, but REvil has since removed their original post and their post of the schematics. Although REvil has been inactive and some of its members are currently being prosecuted in the US, this double extortion tactic is still used by other groups today.
Triple extortion is another recently adopted tactic that can vary in strategy, but typically it is double extortion combined with either distributed denial-of-service (DDoS) attacks to impact the functionality of organizational systems or robocalls to customers, shareholders, partners, the press, and financial analysts informing them that the victim organization has been attacked, adding pressure on the affected organization to pay the ransom. This tactic can be intimidating to the victim, resulting in increased ransom payout rates across the board. In 2021, Avaddon, a ransomware variant sold as a RaaS, targeted the Australian telecommunications company Telstra. The ransomware group accessed and downloaded files before encrypting them. While the attackers demanded a ransom, they executed DDoS attacks to force the organization to concede. It was unclear whether Telstra paid the ransom, but their servers were back up and running within a few days. Another triple extortion example was the ransomware attack on the Finnish healthcare organization Vastaamo Psychotherapy, which resulted from two breaches, one in 2018 and another in 2019, of which Vastaamo was aware. In 2020, threat actors threatened to leak Vastaamo’s patient data if the organization did not pay the ransom. Once the organization refused to pay, individual patients were singled out and contacted to pay a ransom to protect their own information. Some of this information was also leaked on the dark web to prove that the threat actors not only had the information but were willing to leak it to the world. The company then filed for bankruptcy after it was disclosed that they knew about the original breach before the attempted extortion, damaging their reputation.
The infamous RaaS group REvil/Sodinokibi announced on a dark web forum that they were adding DDoS attacks and Voice-over-IP (VoIP) calls to pressure ransomware victims and increase ransom payout rates. They also made posts recruiting other malicious actors to aid REvil in carrying out these tactics. The group advertised that the DDoS attacks would target an organization’s internal servers and publicly accessible applications, such as a web server. The group claimed the calls would target journalists and an organization’s business partners, creating leverage through the media and business relationships and adding immense pressure, as many attacks were not made public unless the attackers disclosed the information. Other ransomware groups, such as SunCrypt, Ragnar Locker, and Avaddon, claimed to use DDoS attacks and are very successful within the ransomware landscape.
Additionally, threat actors will use two separate ransomware variants to encrypt data on a system, a tactic known as double encryption. Once one ransom is paid, some or all of the files on a system may still be locked by the other variant until the subsequent ransom is paid. Double encryption is likely to become more common, as it can be more lucrative if organizations pay both ransoms. There is also an increased likelihood that at least one strain of the ransomware is successfully deployed if two strains are introduced into a system. If a decryptor is used, double encryption can be detrimental to organizations, with the potential to cause data loss and increase recovery efforts.
Ransomware was typically initiated through various network penetration and social engineering tactics, including phishing emails, to obtain credentials with elevated access within an organization. As of 2021, ransomware operators started purchasing credentials from initial access brokers (IABs). IABs posted credentials on a forum for other cybercriminals to purchase and use to conduct cyberattacks and commit identity theft and fraud. Researchers discovered that the sale of these credentials usually occurs within one to three days of them being posted, and the attack is carried out on average within one month. Credentials were mostly sold without any identifying information about the organization, likely to avoid detection by the organization itself or its affiliates. However, the IABs attached information such as organization revenue, the number of employees, and a description of the organization without revealing identifying details. For example, Bangkok Airways was attacked by the infamous LockBit ransomware. The credentials were posted on August 5, 2021, and Bangkok Airways announced a month later, on December 26, that they were the victim of a ransomware attack that same month.
While there has been some improvement in intrusion detection software detecting ransomware and other cyberattacks, ransomware developers are coming up with new tactics to reduce the likelihood of detection. In late 2022, data exfiltration malware was observed with data corruption functionality. Once data was exfiltrated, the threat actors corrupted the organization’s files, which did not seem to be as easily detected as previous methods and would also increase the likelihood that the ransom was paid because the files could not be decrypted. This methodology was also more straightforward than traditional ransomware, because corrupting files simply means overwriting portions of a file with another file, which takes less time to develop and is more effective because the files no longer exist on the system in a recoverable form. According to reports, the BlackCat/ALPHV ransomware group added this feature to their RaaS product, potentially a simple and effective technique for future ransomware attacks. Additionally, this group recently introduced a new tactic of copying the victim’s website to a typosquatted domain and publishing the stolen data on it, hoping to pressure and embarrass victims into making ransom payments if initial ransom demands were not met.
Threat actors using one or a combination of these tactics can disrupt an organization’s operations and increase the overall costs associated with ransomware attacks. Notable groups that were active in 2022 include Hive and Black Basta. Hive became one of the most active ransomware groups of 2022, primarily using phishing emails and IABs to initiate their attacks. The group provided RaaS and targeted many sectors, with a focus on the industrial sectors. Black Basta, another RaaS group comprised of former members of the Conti and REvil ransomware groups, employed the tactics used by both of those groups. Black Basta exploited unpatched security vulnerabilities and publicly available source code as attack vectors. They also used double extortion techniques, such as DDoS attacks or threatening to leak sensitive files. The LockBit and BlackCat/ALPHV ransomware groups were also among the top four active groups in late 2022.
The Cost of a Ransomware Attack
From 2017-2022, ransomware attacks became more targeted and sophisticated, costs increased, and many organizations were on high alert for the next attack. The five-year trend indicated that ransomware groups targeted larger organizations rather than individuals because they recognized that not only will larger organizations pay more money, but their data is more important to them than it is to the average consumer. A large portion of the cost of ransomware is recovery; oftentimes ransom payments are low in comparison to recovery and downtime losses. For example, in 2017, the median total cost of a ransomware attack was $133,000, including ransom, downtime, etc., and some attacks cost $1.3M to $6.6M. As groups started targeting larger organizations, ransoms increased in line with the organizations’ capital. In 2018, the average cost of ransomware related to downtime was around $55,000. In 2019, ransomware ramped up globally: the global average ransomware remediation cost was around $761,000, while the US average was approximately $622,000. Surprisingly, that year, the US cost of remediation after paying the ransom was double the cost of remediation for organizations that did not pay the ransom. This was due to the added cost of the ransom, but also because most of this ransomware was flawed and would ultimately result in data loss with additional costs. In 2020, the average remediation cost was $1.85M globally and $2.09M in the US, more than double the cost reported in the previous year, due to threat actors targeting larger organizations and using data exfiltration tactics. The average cost globally for central and local governments was $1.37M and $1.64M, respectively, likely due to the sophistication of their attack prevention, driven by citizen pressure and expectations that governments keep data secure.
From 2020-2021, ransomware remediation costs unexpectedly decreased significantly, to $1.40M globally and $1.08M in the US, despite the sophistication and prevalence of ransomware. This decrease was due to cybersecurity insurance and user awareness becoming more prevalent, resulting in less impact when an organization is inevitably attacked. Also, the highest average ransomware payments were in manufacturing and production ($2.04M) and energy, oil/gas, and utilities ($2.03M). These industries are heavily relied on by other businesses and supply chains, and some are more likely to have fewer IT workers and resources due to the nature of their business, which increases their susceptibility to attacks. Besides monetary costs, organizations took an average of one month to recover from a ransomware attack, which can be detrimental to normal business operations. As the trend continues, governments have continued to limit the impact of ransomware within their organizations, as their average cost of remediation was $660K in 2021. While the cost is still significant for organizations, it shows the diligence of government organizations in their efforts to thwart attackers.
Legality of Ransom Payments
The legality of paying ransoms is somewhat unclear. Many acts and bills prohibit any international payment to certain blacklisted countries (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). These laws were implemented without ransomware in mind, but the payment of a ransom to an unknown source that may be from a blacklisted country will most likely be a violation of those acts. The government strongly urges organizations to contact the proper law enforcement agencies in response to an attack, where they will provide further guidance. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) advises that cooperation with law enforcement during and after an attack will be a factor in any sanctions placed on the organization. Furthermore, the International Emergency Economic Powers Act (IEEPA) states that in cases of a national emergency (i.e., ransomware shutting down critical infrastructure), the President may, in rare cases, allow payments to be made to an adversary (with proper consultation of government entities). Under the same act, the President or other related entities may also place sanctions on any unauthorized or undocumented exchange with foreign entities. OFAC publishes a regularly updated Specially Designated Nationals and Blocked Persons List that designates individuals and groups with whom citizens are not allowed to engage in monetary exchange. It is important to note that when a ransom is paid, there is no proof of where and to whom that payment is going, or what it may be used for. Although the legality of ransom payments is not clear, ransom payments are highly discouraged, as paying will perpetuate the crime, make the organization a target for further attacks, and will not guarantee file restoration. The percentage of data restored after paying a ransom decreased from 8 percent in 2020 to 4 percent in 2021.
Recommendations
Organizations can employ the following defensive measures to create a more cyber-resilient environment and help reduce the risk of ransomware attacks: