How to Stop the Advancement of Ransomware Attacks
Ransomware can cripple even the most sophisticated business institutions by causing large-scale disruption and damaging reputations.
Jose Miguel Esparza, head of threat intelligence at Outpost24, examines the progression of the ransomware ecosystem, analyzing notable malware scams, how they have “grown up” over time into the ransomware we know today, and the strategies that can tackle them.
According to the head of the National Cyber Security Centre (NCSC), ransomware is today’s biggest cybersecurity threat. Ransomware can cripple even the most sophisticated business institutions by causing large-scale disruption and damaging reputations. Ransomware was first discovered in 1989 and has since morphed into a widely used attack method for hackers and threat actors. Ransomware can impact organizations of all sizes and sectors, and failure to prepare for a malicious attack could have catastrophic consequences.
Ransomware in its Infancy
If ransomware were a person, you would have to go back to 1989 to find its first documented ‘birth,’ a campaign that targeted the World Health Organization. The malware was called the ‘AIDS Trojan’, or ‘PC Cyborg’, and was delivered via floppy disks carrying a malicious payload that demanded that the owners of infected devices pay $189 to a post office box in Panama. Interestingly, this early form of malware did not encrypt the file contents; it only scrambled the filenames. However, because the intervention was so novel, even this rudimentary malware was enough to bring institutions to a grinding halt. The ‘father’ of this notorious ransomware was a Harvard-educated biologist named Dr. Joseph Popp. He claimed to have created the ransom demand, addressed to the ‘PC Cyborg Corporation’, to fund additional research into AIDS treatment.
Fast forward to 2004, when newer and more advanced malware families were found. The GpCode malware was delivered through malspam campaigns (similar to phishing) and instructed those scammed to use gift cards to make the ransom payment. While this malware encrypted the sensitive files, it did have cryptographic shortcomings, so file recovery was possible.
In 2011, Reveton (the ‘police ransomware’) surfaced. Its capabilities differed from those of its predecessors because it did not encrypt the victim’s files. Instead, it locked the screen while displaying a police warning and requesting payment of a fine via a pre-paid gift card. What gave this particular ransomware a more authentic feel was that the warnings were issued in the local language and used the police logos of that region, which helped dupe victims further into handing over the ransom.
Early Years of Ransomware
The period between 2011 and 2014 is when ransomware truly boomed, with cybercriminals focusing on business institutions and delivering ransomware through banking botnets. But in 2014, the hackers had to pivot their attack methods after the FBI took down the CryptoLocker botnet. The same group behind CryptoLocker also operated the GameOver ZeuS botnet.
When these botnets were taken down, it was revealed that the CryptoLocker operation had earned roughly 3 million USD over nine months. Naturally, more cybercriminals began jumping on the bandwagon, not wanting to miss out on potential paydays like this. So between 2014 and 2017, new ransomware families emerged, including the infamous WannaCry. These malware families’ deployment and attack methods varied, with some using malspam campaigns, vulnerabilities, or exploit kits.
Ransomware attacks at this point were more widespread and less targeted.
Ransomware as a Service (RaaS) as we know it today became more common when cryptocurrencies burst onto the scene. Cryptocurrencies became the payment method of choice for hackers because they were largely unregulated, a trend first noted to have begun with CryptoLocker in 2013. According to research, cryptocurrencies such as Bitcoin account for up to 98% of ransomware payments.
Ransomware Enters its Formative Years
Before 2017, it was common for ransomware to be distributed via weak credential abuse, exposed insecure services such as RDP (Remote Desktop Protocol), malspam and active exploit kits. The objective was to infect any kind of victim or organization, regardless of location. This scatter-gun approach became less effective at extracting ransom payments from individuals after news surfaced of hackers not decrypting files even after being paid. Cybercriminal groups therefore had to think of other ways to monetize ransomware.
This is when cybercriminals began aiming their malware at specific, high-value targets – an approach known as “big game hunting.” Big game hunting requires attackers to gather detailed intelligence about the target institution in order to carry out the intrusion and navigate the organization’s network. Although more time-consuming and difficult, this knowledge created a significant return on investment for cybercriminals.
EvilCorp was well known for adopting such an approach, using Dridex infections to deliver BitPaymer, as was the “TrickBot Group” (“Wizard Spider”), which leveraged TrickBot infections to deploy the Ryuk ransomware. While these tactics weren’t entirely new, this was the first time cybercriminal groups used them with the specific intention of deploying ransomware. Cybercriminals were now casting their nets at larger international companies in the hope of bigger ransom payments.
Ransomware Reaches Adolescence During the Pandemic
During COVID-19, ransomware attacks proliferated, with remote workers in the cybercriminals’ crosshairs. Hackers used the opportunity to exploit remote-working security gaps to gain access and move laterally across business networks to deploy malware – in some cases across multiple systems without being detected. This created more chaos and a higher likelihood of the victim paying.
Yet law enforcement departments were vocal in recommending businesses not to pay the ransoms. This resulted in ransomware groups piling more pressure onto targets to force their hand and to make them pay by using even more aggressive tactics. For example, in 2019, the “Maze Ransomware Group” stole valuable documentation and threatened to make them public if the payment was not made. This was the start of the use of double extortion tactics.
In recent years, double extortion attacks have become more frequent, with more pressure applied to ransomware victims. As mentioned, hackers have become more determined in their methods, and there are now instances of triple extortion attacks. This happens when attackers contact the customers of the targeted business, inform them that their data has been stolen and threaten that, if the ransom is not paid, the exfiltrated information will be published.
Criminal gangs deployed a new level of extortion that involved threatening to contact stock market regulators about the data breach, resulting in a decrease in stock value.
Ransomware as a Young Adult
Modern-day ransomware attacks are highly targeted – in 2022, this is the new normal. With Ransomware as a Service (RaaS) being an in-demand model, cybercriminals now have easy access to popular ransomware kits. They also have Dark Web markets and Deep Web forums where they can buy and sell stolen credentials or system access from Initial Access Brokers (IABs). IABs also provide the intelligence needed to decide which industry in which country to target. Most of these cybercriminals simply look at a company’s revenue to decide whether it is a worthwhile endeavor.
From what has been examined over the years, the biggest differentiation between advanced and novice attackers is their ability to gain access undetected, move laterally and cause the largest amount of disruption possible. Success and payment of the ransom are usually dependent on these factors, as they no longer need to develop ransomware (thanks to RaaS) or acquire initial information to infiltrate a company themselves (thanks to IABs).
Reducing the Impact of Ransomware
In addition to incident response and documenting tactics, techniques and procedures (TTPs), the industry must learn from the past to grasp what to expect in the future. Ultimately, cybercriminals want money, fast, and will do anything they can to get it, using ever more malicious tactics and techniques in a constantly evolving cybercrime environment.
The best way to mitigate ransomware is to maintain adequate security hygiene and proactively monitor your cyber exposure, making it harder for threat actors to break through gaps in your defense. Detecting stolen credentials and sensitive data leaks with threat intelligence, running regular vulnerability assessments and fixing the important vulnerabilities, plus a good backup and password policy, are all strategies that can help reduce your business’s risk from ransomware.
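Two of the hygiene measures above, detecting stolen credentials and enforcing a password policy, can be combined in a single control: refuse any password that is already known from a breach. The example below is an added illustration, not code from the article or from Outpost24; it simulates the k-anonymity "range query" pattern that breached-password services use, so that a client only ever reveals the first five hex characters of a password's SHA-1 hash and matches the remainder locally. The breach corpus is a constructed list of toy passwords standing in for real leaked data, and the range service is a local dictionary rather than a network call.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed breach corpus for an offline demonstration (not real leaked data).
# In production this would be a breached-credential feed from threat intelligence.
CONSTRUCTED_BREACH_CORPUS = ["password", "Winter2022!", "letmein", "hunter2"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest breached-password range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Index the corpus the way a k-anonymity range service does:
    5-hex-char SHA-1 prefix -> {remaining 35-char suffix: times seen}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def query_range(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Server side of the exchange: the caller sends only a 5-char prefix and
    receives every suffix in that bucket, so the server never learns the full hash."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return dict(index.get(prefix, {}))


def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return query_range(index, prefix).get(suffix, 0)


def check_password_policy(password: str, index: Dict[str, Dict[str, int]],
                          min_length: int = 12) -> List[str]:
    """Return the policy findings for a candidate password; an empty list means it passes.
    min_length is an assumed policy value, not one from the article."""
    findings: List[str] = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    seen = breach_count(password, index)
    if seen:
        findings.append(f"seen {seen} time(s) in breach corpus")
    return findings


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ["hunter2", "correct horse battery staple"]:
        print(candidate, "->", check_password_policy(candidate, idx) or "OK")
```

The same split between the local hashing and the prefix-only lookup is what makes this usable against a remote breach feed without sending the password, or its full hash, off the host; the local index here simply stands in for that remote service so the example runs offline.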