Cybereason Report on the Economics of Ransomware: Professionalization and Industrialization of the Sector
Cybereason has just published a new report titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy, which studies how ransomware attacks have evolved from a practice that can be described as “artisanal” into a mega-industry. With the increasing sophistication of RansomOps-type attacks, ransomware conglomerates are reaping record profits and extending their reach to businesses and organizations of all sizes, in both the public and private sectors.
At first, ransomware attackers used so-called “spray and pray” tactics, casting a wide net in hopes of catching some “fish.” These were mostly individuals, and their ransom demands were relatively low compared to what we started to see in 2020-2021. With the rise of RansomOps, which are complex in nature and similar to stealth operations carried out by those seeking to undermine the integrity of nation states, most organizations are finding it more difficult to defend against ransomware attacks. Thus emboldened, the attackers have revised their demands upwards, because unfortunately more and more organizations choose to pay.
“The shift of ransomware gangs from large-scale campaigns to attacks targeting entities capable of paying multimillion-dollar ransoms is driving the surge in attacks in 2021. Last year, the most publicized RansomOps attacks were those targeting Colonial Pipeline and JBS Foods. Unfortunately, we should expect a continued rise in attacks in 2022, with ransom demands on the rise and targeting critical infrastructure operators, hospitals and banks,” said Lior Div, CEO and co-founder of Cybereason.
“Ransomware remains the number one threat to cybercriminals and continues to cause significant damage, disruption and financial loss. As criminals seek to maximize their illicit profits by extracting and exploiting victims’ data before encrypting it, ransomware is an ever-evolving threat and poses a serious cybersecurity risk that demands a network response. This should include law enforcement and public-private partnerships like the No More Ransom initiative,” said Phillip Amann, director of strategy at Europol’s European Cybercrime Center (EC3).
The new report details the four components of RansomOps:
Initial Access Brokers (IABs): They infiltrate target networks, establish themselves there and move laterally within the entity to compromise as much of the network as possible, then resell the established access to other cybercriminals.
Ransomware-as-a-service (RaaS) providers: They develop the ransomware code and payment mechanisms, handle negotiations with the targeted victim, and provide other “customer service” to cybercriminals as well as to victims.
Ransomware Affiliates: They contract with the RaaS provider, select the organizations to target, and then carry out the actual ransomware attack.
Cryptocurrency exchanges: This is where the proceeds of extortion are laundered.
To Pay or Not to Pay
A previous Cybereason report, titled Ransomware: The True Cost to Business, found that 80% of organizations that paid a ransom experienced a second ransomware attack, often organized by the same cybercriminals. So instead of paying, organizations should focus on early detection and prevention strategies to nip ransomware attacks in the bud before critical systems and data are compromised. There are other legitimate reasons not to give in to blackmail, including:
NO DATA RECOVERY GUARANTEE: Paying the requested amount does not necessarily mean that you will regain access to your encrypted data. Sometimes the decryption utilities provided by cybercriminals do not give the expected results. In the case of the Colonial Pipeline attack, in 2021, the company paid a ransom of 4.4 million dollars only to receive faulty decryption keys from the DarkSide Group, and thus had to rely on its own backups to restore its systems.
LEGAL IMPLICATIONS: Organizations that pay a ransom may face heavy fines from the US government for funding ransomware attackers who support terrorist organizations. Additionally, ransomware attacks that hit an organization’s supply chain and ultimately affect its customers or partners expose that organization to potential legal action from harmed parties.
DON’T FAN THE EMBERS OF RANSOMWARE ATTACKS: By choosing to pay the demanded ransom, organizations send a message to cybercriminals: “it works”. That message further fuels the avalanche of attacks and increases the number of ransoms. Like Cybereason, the FBI advises organizations to refuse to pay ransoms, as paying only encourages malicious actors to continue down this path.