SecurityWeek Cyber Insights 2022: Ransomware
Ransomware has grown from humble beginnings as threat-based scams to a worldwide criminal phenomenon. It has been a continuous process of extortion refinement, with criminals adapting their behavior to maximize their financial return. This evolutionary process will continue.
The purpose of ransomware is financial extortion; encryption-based ransomware is merely a successful methodology. This methodology will be abandoned or adapted without a thought if some better method of extorting money is found, or if the current method no longer provides an adequate return.
For now, the criminals are content with refining their approach to extortion and maximizing their return from it.
Increasing use of ransomware-as-a-service
Ransomware-as-a-service is growing. It already exists with organizations such as DarkSide and REvil franchising their services to other criminals. This process will expand through 2022, because it has numerous organizational advantages – such as the separation of roles. Elite coders can concentrate on developing the product; marketers can sell the product; access brokers can provide access to targets; and unsophisticated criminals can deliver highly sophisticated attacks. See Cyber Insights 2022: The Good Versus the Bad for more details.
Shay Nahari, CyberArk’s VP of Red Team, explains, “In 2022, the provision of ransomware will continue to evolve from cottage industry to something more akin to coteries of specialists. We will see operator-driven ransomware expand, with a clear distinction between off-the-shelf ransomware payloads and delivery methods, skilled practitioners moving through networks, and experts that make the actual ransomware code.”
Josh Rickard, security solutions architect at Swimlane, adds, “In 2022, this will make it even easier to deploy ransomware attacks, and will lead to a rise in more sophisticated attacks such as double extortion.”
Greater use of data theft (double extortion)
As companies improved their defenses against ransomware, primarily through better backups, ransom payments declined. The criminals responded by adding sensitive data theft to file encryption. If the victim declined to pay the decryption ransom, the sensitive data would be exposed or sold on. Victims would be faced with data protection fines (exposure of PII), loss of competitive edge (sale of intellectual property), and loss of brand reputation (and consequent loss of customers).
This data ransom has proved highly successful. Hardware can be replaced, but exposed sensitive data is exposed forever. Data theft has become the most effective part of ransomware – to such an extent that we may see a decline in the use of encryption in favor of concentration on the theft of sensitive data. “As more organizations back up their data, threat actors will likely skip the deployment of ransomware and just go straight to stealing the data and blackmailing organizations,” warns Daniel Spicer, CSO at Ivanti. This makes the protection of data even more important than the protection of systems.
This view is supported by Mike Sentonas, CTO at CrowdStrike. “We’re seeing an entire underground economy being built around the business of data exfiltration and extortion,” he said. “Data-shaming websites are popping up like street-corner storefronts, providing a hub for ransomware groups to post and auction stolen data that’s being held ransom. These ransomware groups are revamping their entire infrastructure of tactics, techniques and procedures (TTPs) to concentrate on more effectively exfiltrating and selling stolen data. In 2022, we expect to see the extortion/exfiltration side of ransomware achieve even higher levels of sophistication, possibly with a shift away from encryption to a sole focus on extortion.”
However, just as data theft was introduced to back up decryption extortion, we may also see a rise in associated DDoS attacks to back up the data theft extortion. “To further coerce victims into paying ransom, criminals will increase the use of distributed denial of service attacks when victims initially refuse or are slow to pay,” warns Brian Kime, VP of intelligence strategy and advisory at ZeroFox.
But don’t assume that paying the ransom is an end to everything. If the criminals have your data, the scenario might easily evolve into a virtual protection racket. “As attackers seek to make maximum profit, campaigns that steal and threaten to reveal information gain popularity,” comments Guido Grillenmeier, chief technologist at Semperis. “Once data has been extorted, attackers may then come back asking for regular payments.” Just because they promise to delete the data, it doesn’t mean they will.
Ransom payment by cryptocurrency is an important part of the extortion ecosphere. It makes the recovery of monies paid almost impossible (the partial recovery of the Colonial Pipeline ransom remains an unexplained anomaly).
However, ransomware – or perhaps more accurately, extortion – will only be eliminated if the attempted extortion yields no return for the criminal. This is something well understood by law enforcement, but unenforceable in practice.
Since law enforcement cannot forbid the payment of ransom money (at least under current laws), we can expect greater efforts in 2022 to interrupt the criminal receipt of that money. This is not likely to be successful.
“While international law enforcement has made some progress in tracking and interdicting cryptocurrency payments to the criminals,” comments Kime, “ZeroFox does not expect that this will make a significant dent in overall ransomware volume.” He believes that criminals will launder extortion proceeds through non-fungible tokens (NFTs) and virtual property in the metaverse.
The demand for payment in cryptocurrency is also driving up the value of the extortion demand. If a criminal demands payment of 10 Bitcoins today, he is unlikely to reduce that to nine Bitcoins next month simply because the fiat value of the Bitcoins has increased. Extortion demands will increase over the next year, partly driven by an increase in the value of cryptocurrencies.
There is an interesting side issue here. The extortion scourge might encourage larger companies to become cryptocurrency traders. Coins purchased now are likely to be cheaper than coins purchased at some time in the future – so it becomes a method of minimizing the personal cost of future extortion, but with the unintended consequence of driving up the general cost of extortion.
A second side issue to the use of cryptocurrency is the degree of anonymity it provides. Cash-strapped nation states can use crypto to hide the destination of the extortion in a form of sanction busting. This is discussed in Cyber Insights 2022: Nation-States, and is expected to increase.
The big unknown is what governments will do. We can expect governments to make strides in increased regulation of cryptocurrencies during 2022. It is doubtful they can be banned outside of autocracies, but law enforcement will be hoping for increased accountability. It is possible that future laws may make the traceability, and interception, of ransomware cryptocurrency payments easier. If this can be achieved, an important part of the extortion ecosphere could be neutralized.
Attacks against Critical National Infrastructure (CNI)
Grillenmeier warns that any vestige of a ‘morality filter’ to extortion has disappeared. “Attackers no longer care about the physical impact they cause, for example by attacking critical infrastructure and hospitals where lives could be at risk. As a result, critical everyday services could become unavailable, prices could go up and we could find ransomware affecting our daily lives.” In short, the effect of ransomware will spread from the specific target to start affecting everyone.
“Critical infrastructure will get walloped,” says Rick Tracy, CSO at Telos Corporation. “Absent mandates to implement even basic security measures, critical infrastructure will remain an easy target for cyber criminals in 2022.” The double attraction isn’t just that it is relatively easy to breach CI (that, sadly, applies to almost all industries), but the ‘critical’ nature of the service. The criminals believe that CI will be willing to pay more and faster where lives or societal well-being are at risk.
More specifically, Syed Belal, director of cybersecurity consulting services at Hexagon PPM, says, “Despite government action such as the DOE’s 100-day Action Plan and TSA’s Pipeline Directive, it’s unrealistic to think that hackers are going to be scared out of attacking critical infrastructure. I predict that entities large and small will be hit, specifically over major holidays when folks aren’t attending to their networks as closely as usual and recovery abilities are handicapped.”
Daniel Spicer, CSO at Ivanti, adds, “In 2022, as the pandemic calms down, the healthcare industry will be targeted more aggressively. For critical infrastructure industries such as food supply chain and energy, we will continue to see more attacks because they are not as secure as other industries.”
But not everybody believes that attacks against large and critical industries will increase. Felipe Duarte, security researcher at Appgate, believes that recent actions by the cybersecurity industry against the extortion gangs have forced them to be more careful in their operations. He suggests that the effect is to reduce the criminals’ profit margins. “Ransomware groups will, therefore, start to target smaller companies, where there will be less media and government attention, in order to maintain their profit margin,” he says.
Ransomware summary for 2022
We cannot eliminate bad actors and we cannot prevent hacking. The only way to stop the scourge of ransomware/extortion is to make it less attractive to the attackers. This would require industry to stop paying ransoms – either by choice or by lack of necessity – or for law enforcement to prevent payments reaching the attackers.
Stopping ransomware will require the cooperative action of law enforcement, legislation, the security industry and the commercial targets. Law enforcement and governments will need to make it harder for extortion gangs to receive payment. The security industry needs to make security controls more effective and easier to implement. CI and manufacturing need to develop better physical resilience, while commercial organizations need to better protect their sensitive data.
“We aren’t even close to being better protected,” comments Mark Guntrip, senior director for cybersecurity strategy at Menlo Security. “For ransomware to stop, business continuity and disaster recovery strategies need to improve to a point where enterprises can sustain the attack and have the right tools. Only then will we see the cost of ransomware go down. These tools don’t exist yet.”
The aim must be to make extortion so difficult and costly for the attackers that they simply move on to easier pickings. Frankly, we are nowhere near achieving this – meaning that extortion is still in the growth phase of its lifecycle. For this reason alone, we can say with confidence that there will be more extortion with increasing demands throughout 2022.
About SecurityWeek Cyber Insights 2022
Cyber Insights 2022 is a series of articles examining the potential evolution of threats over the new year and beyond. Six primary threat areas are discussed:
Adversarial AI (Publishing 01/12/22)
Nation-state attacks (Publishing 01/17/22)
Supply chain (Publishing 01/19/22)
Identity (Publishing 01/24/22)
Improving Criminal Sophistication (Publishing 01/26/22)
Although the subjects have been separated, the attacks will rarely occur in isolation. Nation state and supply chain attacks will often be linked ‒ as will supply chain and ransomware. Adversarial AI will likely be seen primarily in attacks against identity; at least in the short term. And underlying everything is the growing sophistication and professionalism of the cybercriminal.
SecurityWeek spoke with dozens of security experts and received almost a hundred suggestions for the series.