Will Failing to Pay Ransoms Stop Ransomware Attacks?


The Evolution of Ransomware: From Ransomware to RansomOps

Ransomware attacks are climbing steeply, and the curve shows no sign of flattening. Individuals and organizations continue to fall victim to this long-running cybercrime; it is far from a new phenomenon. Coveware recently released its quarterly ransomware report for Q2 2022, and it contains several findings worth sharing.

No More WannaCry But Something More Lethal

Take a step back to 2017. WannaCry demanded small-dollar ransoms, seeking a few hundred dollars' worth of Bitcoin from each infected machine. This year, ransomware arrives through supply chain attacks.

Today's ransomware has shifted toward high-value targets, with well-funded threat actors extorting millions of dollars from each victim. Before looking at where it is heading, let's look at the technological and business-model changes behind modern ransomware.

Introduction — Ransomware 1.0

Ransomware has been around for decades, and according to the security company Kroll it has lately become an even bigger problem, surpassing email compromise as the most common attack type Kroll observes. FUD (fear, uncertainty, and doubt) is what makes ransomware so profitable:

  • The fear of losing the data forever;
  • the uncertainty of knowing what to do instead, and
  • the doubt of whether paying can get the data back.

A countdown timer on the screen adds to the pressure and, since most ransoms are paid in cryptocurrency, forces victims into a crash course in buying Bitcoin. Early ransoms were modest, typically in the hundreds of dollars; recent demands run to hundreds of thousands or even millions of dollars.

The classic ransomware attack followed three steps:

  1. compromise target,
  2. encrypt their data,
  3. demand a ransom;

This model can be defeated by effective backup routines: restoring from backup is the only way for a victim company to resume operations without having to deal with the criminals at all.

The Ransom Exists Only in Cyberspace: "Double Extortion"

A ransom in the physical world ends in one of two outcomes: the hostage is released or killed. In cyberspace the criminals' creativity is unlimited, because a digital "hostage" can be released and then held for ransom again; the attacker simply keeps a copy.

One reason the total cost of ransom payments has grown so fast is the combination of more attack activity and a higher Bitcoin price, the currency in which most ransoms are demanded. Another trend that defined last quarter's ransomware activity is the wave of attacks adopting the approach called "double extortion".

The pioneer of this technique was the Maze crew in November 2019. In an email to Bleeping Computer, the attackers said they had downloaded data from the victim's network and threatened to release it unless an additional payment was made.

By adopting double extortion, attackers can force organizations to pay even when they can restore from backups, because the threat is now a data breach rather than data loss. These are the "ransomware 2.0" attacks.

With double extortion, having a backup can become worthless as leverage. The threat of a data leak raises the pressure to pay, since the economic and, more importantly, reputational damage of a breach can exceed the damage of losing the data.

Ransomware 2.0

According to Coveware's Quarterly Ransomware Report for Q1 2021, the average ransom payment in the first three months of 2021 was USD 220,298, a significant rise from USD 154,108 in the last quarter of 2020.

Coveware's Quarterly Ransomware Report for Q3 2020 gives more insight. It shows that nearly half of ransomware attacks steal data before encryption begins. Ransomware is therefore no longer just a business continuity or disaster recovery matter; it is also a data theft, and it demands a full cybersecurity incident response.

Criminals now layer several forms of extortion; some even threaten to send press releases to the media, or email notifications to your customers announcing the attack, if the ransom is not paid. Each threat gives the criminals another opportunity to monetize the intrusion:

  • Criminals threaten to release the data, or sell it on various "black markets", if the victim does not pay. This is typically accompanied by a solemn promise to erase the stolen data once the ransom is paid.
  • Criminals may promise to erase the data and then sell it anyway after receiving the ransom, since most companies do not investigate what happens to their data after the incident.
  • A second group of criminals contacts the victim claiming to have stolen a copy of the data from the original thieves, and demands an additional payment to withhold it.

Ransomware-as-a-Service (RaaS)

Another recent development Coveware has noticed is the rise of numerous smaller ransomware-as-a-service (RaaS) operations that recruit affiliates from recently disbanded syndicates and carry out lower-tier, opportunistic attacks.

“This trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,”

Ransomware-as-a-service (RaaS) is a subscription model in which affiliates use already-developed ransomware tooling to launch attacks and earn a percentage of each successful ransom payment.

RaaS copies the Software-as-a-Service (SaaS) business model used across cloud computing. In the past, coding skill was a prerequisite for a successful attacker.

The RaaS model has all but removed that barrier: ransomware attacks are no longer the preserve of advanced hackers. The low technical bar to entry and the large affiliate earning potential make RaaS offerings engineered explicitly for reaching as many victims as possible.

Ransomware Econ 101

Multiple economic factors influence the final ransom. A worrying aspect is that attackers usually know beforehand how much a victim can afford to pay. They also know whether the victim is facing an attack for the first time, which gives them the upper hand.

The report states:

“… the total profit is not only influenced by the amount of ransom they demand from the victim… It also depends on whether the victim decides to pay, and the costs of the operation.”

Costs to ransomware groups can include:

  • ransomware-as-a-service fees,
  • fees to launder extorted cryptocurrency,
  • commissions, and
  • the cost of carrying out the attack itself.

Another interesting factor is the victim's willingness to pay. If the price is too high, the victim gives up on the data and the attacker gets nothing. The most profitable strategy is therefore to raise the percentage of victims who pay rather than the price of each attack. In other words, ransom price and willingness to pay are negatively correlated.

Some interesting findings: smaller companies pay more from a rate-of-return point of view. A smaller company pays less in absolute terms but more as a percentage of its revenue.

As a result, attackers must lower their costs and increase "sales" to maximize profit, like any other business. They must choose between a business model where a small number of victims pay a high ransom and one where a large number of victims pay a small one. The final ransom price should therefore be:

  • High enough to cover the cost of hosting malware, penetration testing, and developing toolsets, and;
  • Low enough that a high percentage of victims still pay.

So their business model depends on learning how potentially lucrative a target might be and how likely a company is to pay.
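The pricing trade-off above can be made concrete with a small model. The following Python is an added example, not code from the article or from Coveware: the willingness-to-pay curve, the 2%-of-revenue scale, the fee percentages and the attack costs are all assumed values chosen for illustration. It searches for the demand that maximizes expected profit, then asks the title question directly: how far must the share of victims who pay fall before the best-priced attack stops breaking even?

```python
"""Illustrative ransom-pricing model.

Added example: not code from the article or from Coveware. Every number
below (pay-rate curve, 2%-of-revenue scale, fee shares, attack costs) is an
assumption chosen for illustration, not a measured value.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Costs:
    """Per-attack costs named in the article (values assumed)."""
    attack_cost: float     # fixed cost of the intrusion, paid whether or not the victim pays
    raas_fee: float        # share of each ransom kept by the RaaS operator
    laundering_fee: float  # share lost cashing out / laundering the cryptocurrency


# Assumed cost profiles: a well-funded crew running targeted intrusions, and a
# low-cost RaaS affiliate running opportunistic ones.
TARGETED = Costs(attack_cost=10_000, raas_fee=0.2, laundering_fee=0.1)
OPPORTUNISTIC = Costs(attack_cost=1_000, raas_fee=0.2, laundering_fee=0.1)


def willingness_to_pay(ransom: float, revenue: float, base_rate: float,
                       scale: float = 0.02) -> float:
    """Probability that a victim pays a given demand.

    Assumed shape: base_rate for a negligible demand, decaying exponentially
    as the demand grows relative to the victim's annual revenue. scale=0.02
    puts the curve's e-folding point at 2% of revenue.
    """
    return base_rate * math.exp(-ransom / (scale * revenue))


def expected_profit(ransom: float, revenue: float, base_rate: float,
                    costs: Costs) -> float:
    """Expected net profit of one attack at a given demand."""
    net_share = 1.0 - costs.raas_fee - costs.laundering_fee
    pays = willingness_to_pay(ransom, revenue, base_rate)
    return pays * ransom * net_share - costs.attack_cost


def price_grid(step: float = 10_000, top: float = 2_000_000) -> list:
    """Candidate demands to search over."""
    return [step * i for i in range(1, int(top / step) + 1)]


def optimal_ransom(revenue: float, base_rate: float, costs: Costs,
                   grid: Optional[list] = None) -> tuple:
    """(demand, expected profit) at the profit-maximizing demand."""
    candidates = ((p, expected_profit(p, revenue, base_rate, costs))
                  for p in (grid or price_grid()))
    return max(candidates, key=lambda t: t[1])


def breakeven_pay_rate(revenue: float, costs: Costs,
                       resolution: float = 0.01) -> Optional[float]:
    """Smallest base pay rate at which the best-priced attack still breaks even.

    Below this rate no demand is profitable: in this model, refusing to pay
    stops the attacks only once the share of paying victims drops under it.
    Returns None if the attack is unprofitable even when everyone pays.
    """
    for i in range(1, int(round(1.0 / resolution)) + 1):
        rate = round(i * resolution, 6)
        if optimal_ransom(revenue, rate, costs)[1] >= 0:
            return rate
    return None


if __name__ == "__main__":
    for revenue in (10_000_000, 1_000_000):
        for name, costs in (("targeted", TARGETED), ("opportunistic", OPPORTUNISTIC)):
            for base_rate in (0.4, 0.2):
                price, profit = optimal_ransom(revenue, base_rate, costs)
                print(f"revenue ${revenue:>10,}  {name:<13} pay-rate {base_rate:.0%}: "
                      f"demand ${price:>9,.0f}  expected profit ${profit:>9,.0f}")
        print(f"  break-even pay rate, targeted costs: {breakeven_pay_rate(revenue, TARGETED)}")
```

Two things the model makes visible. First, under the assumed exponential curve the profit-maximizing demand is a fixed share of the victim's revenue (2% here) and does not move when fewer victims pay; only the profit shrinks, and in the targeted configuration it turns negative once fewer than about 20% of victims pay. Second, the fixed intrusion cost that a ten-million-dollar victim comfortably covers is never covered by a one-million-dollar one, which is why the mid-market is worked by low-cost RaaS affiliates rather than well-funded crews.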

More Victims Not Paying

According to Coveware's report for Q2 2022, the average ransom payment was $228,125, an increase of 8% from Q1 2022. The median payment, however, was $36,360, a sharp decrease of 51% from the previous quarter. This continues the decline that followed the Q4 2021 peak, when the average ($332,168) and median ($117,116) payments were at their highest. The widening gap between average and median shows that a handful of very large payments pull the average up while the typical victim pays far less.

This quarter, 86 percent of reported cases involved double extortion, the threat to publish files stolen before encryption. Coveware stresses that in many instances the threat actors continued extorting the victim, or published the stolen files anyway, after collecting the ransom.

For many attackers, data exfiltration was the primary extortion technique, so many incidents did not involve file encryption at all. As a result, the average time systems were offline after a ransomware attack fell to 24 days, an 8 percent decrease from Q1 2022.

Final Words

Ransomware is in the spotlight now and may never go away, but credit card theft and hacktivism had the limelight before it, and something else will take its place in the future. So let's keep pressure on governments to do their part, and focus on what we can do within our own organizations to do ours.

In addressing this persistent threat, governments must focus on educating organizations and providing resources to guide them (for example https://www.cisa.gov/stopransomware), and on disrupting the criminal activity and the economic drivers that allow this threat vector to grow.

Meanwhile, organizations should focus on reducing the attack surface and building the fundamentals of a comprehensive security operation. This includes:

  • knowing what's in your environment (enhance visibility),
  • ensuring everything is configured correctly (security posture management),
  • managing vulnerabilities and patching,
  • limiting access (or even better micro-segmentation), and
  • having an incident response plan.

Thank you for reading. May InfoSec be with you🖖.