Ransomware gangs are using these ‘ruthless’ tactics as they aim for bigger payouts
Ransomware attacks are becoming more sophisticated as cyber criminals continue to develop new techniques to make campaigns more effective and increase their chances of successfully demanding a ransom payment.
According to the European law enforcement agency Europol there was a 300% increase in the number of ransom payments between 2019 and 2020 alone – and that doesn’t account for 2021 being another bumper year for cyber criminals launching ransomware attacks, as they’ve taken advantage of security vulnerabilities presented by the rise in remote working.
Europol’s Internet Organised Crime Threat Assessment (IOCT) shows that while cybercrime, including malware and DDoS attacks, continues to evolve, it’s ransomware attacks that have been a significant amount of disruption over the course of the past year.
SEE: A winning strategy for cybersecurity (ZDNet special report)
Several major incidents where cyber criminals have targeted supply chains, critical infrastructure, hospitals and more have showed how disruptive a successful ransomware attack can be.
Desperate to get the decryption key needed to decrypt encrypted files and servers, many organisations that fall victim to ransomware attacks will pay the ransom, which can cost millions of dollars in Bitcoin or other cryptocurrencies.
One of the reasons ransomware attacks have become more effective is because cyber criminals have become more hands-on with campaigns. Instead of attempting the mass distribution of ransomware and hoping some attacks will be successful, cyber criminals are selecting a smaller number of targets, but choosing them on the basis that they’re most likely to pay a ransom.
“The use of traditional mass-distributed ransomware seems to be in decline and perpetrators are moving towards human-operated ransomware targeted at private companies, the healthcare and education sectors, critical infrastructure and governmental institutions,” said the report.
“The shift in the attack paradigm indicates that ransomware operators choose their targets based on their financial capability to comply with higher ransom demands and their need to be able to resume their operations as quickly as possible.”
Conti, Maze, Avaddon and Babuk ransomware groups are some of those that the paper notes deploy these methods.
The focus on a smaller number of targets also allows cyber criminals to spend more time preparing for attacks to be as disruptive as possible by stealing additional login details to move around the network and encrypt as many files and servers as possible. The more data that’s encrypted, the more likely a victim will need to pay the ransom.
“Ransomware attacks have become more sophisticated as criminals spend more time inside the network researching the target and escalating their privileges in order to further compromise the infrastructure and get their hands on more data,” said the report.
In addition to this, cyber criminals will steal data and threaten to publish it if the ransom isn’t paid. The use of these double extortion attacks has proven to be effective against organisations that don’t want sensitive information being made public.
The paper also notes that some ransomware attacks have started to threaten victims with further disruption through DDoS attacks if they don’t pay the ransom.
“Perpetrators continue to be increasingly ruthless and methodical in their modi operandi,” Europol said: ” In the past 12 months, the arsenal of coercion methods has expanded with cold-calling journalists, victims’ clients, business partners and employees. In addition, many of the most notorious ransomware affiliate programs deploy DDoS attacks against their victims to pressure them into complying with the ransom demand.
SEE: Ransomware: It’s a ‘golden era’ for cyber criminals – and it could get worse before it gets better
While ransomware and other cybercrime is still very much a significant problem for business there have also been some victories over the past year. The paper details how an international operation involving Europol, the FBI and others helped to take down the Emotet botnet, preventing cyber criminals from using Emotet as an entry point for ransomware attacks – even if they did eventually move onto other distribution methods.
“Worldwide operations, such as the successful takedown of Emotet botnet, have demonstrated the effectiveness of international cooperation,” said Europol’s executive director, Catherine De Bolle.
“The collective response of our international law enforcement community is clear: the authorities and the private sector worldwide stand strong and ready to mitigate together any threat that blackmails the stability of our societies,” she added.