The rise of ransomware

As we have seen in the first episode of our blog series about ransomware, when the Bitcoin boom took hold in the mid-2010s, it signaled a surge in ransomware attacks and a shift in focus for the attackers. Ransoms being demanded in cryptocurrency offered the attackers a level of anonymity as the payments were more difficult to trace compared to regular currency.

With cryptocurrency making it easier to make money from ransomware, there was a rise in attacks throughout 2016, with groups such as Locky and Cerber leading the way. Locky was most commonly distributed using a Word document email attachment which when opened contained gibberish other than a prompt to enable macros in order to view the document. Enabling macros actually result in the encryption Trojan being downloaded and executed. This social engineering ploy was also used by Cerber with them also adopting the deployment method of emailing out Word documents with malicious macros embedded.

2016 also saw the first instance of ransomware-as-a-service (RaaS) with the authors behind Cerber effectively leasing out access to affiliates in return for a percentage of any ransoms paid. By offloading the work of finding targets and infecting systems to partners, it allows more attacks to be conducted with less work for the ransomware developers.

Ransomware was put firmly in the public eye during 2017. The WannaCry ransomware attack in May 2017 had a global impact spreading quickly through unpatched or outdated Microsoft Windows computers. WannaCry spread using the EternalBlue SMB exploit developed by the US National Security Agency and subsequently stolen and released by the “Shadow Brokers” hacking group. Despite Microsoft having released a critical patch a month prior many systems remained unpatched, and therefore vulnerable, resulting in the rapid spread of WannaCry. Even if some reports show that victims had paid the Bitcoin ransom demanded there is no evidence that any of them had their files decrypted. Indeed it is widely believed that there was no viable way of decrypting files built into the malware effectively meaning this was intended as a destructive wiper.

In total, computer systems in 150 countries were impacted and the total losses caused globally were estimated at $4 billion.

Following hot on the heels of WannaCry came NotPetya in June 2017. Widely believed to have been an act of cyber war by Russia targeting Ukraine, NotPetya spread far and wide encrypting computers’ master boot records.

However, despite a ransom note being displayed, any attempt to pay the ransom was futile as the aim of NotPetya was purely to destroy and there was no decryption key available. Several high-profile organizations suffered substantial losses in the $100’s of millions, such as the Danish shipping company Maersk, delivery company FedEx, pharmaceutical company Merck and, perhaps ironically, the Russian state oil company Rosneft.¹

These high profile attacks brought about a realization to ransomware groups that rather than just targeting individual systems they could instead leverage unpatched vulnerabilities and move laterally to other systems, which perhaps contained higher value data, thereby causing more havoc to victims and as a consequence a higher likelihood of a ransom payment.

Fast forward to 2020 and ransomware is a well-established and highly lucrative part of the cybercrime ecosystem. The ransomware itself utilizes much better code and encryption schemes are better implemented thereby thwarting attempts by security companies to try and decrypt affected data.

Whilst there are specific and well-known ransomware groups seemingly dominating the market, the widely adopted ransomware-as-a-service model means it is nigh on impossible to know who the true actors behind an attack actually are.

There have also been significant shifts in the tactics used by ransomware groups. One key element of this is a change from what was a scattergun approach attacking individual systems to a highly targeted approach whereby organizations are singled out based on the potentially high value their data is considered to have, so-called “Big Game Hunting” ransomware attacks.

Perhaps the biggest evolution in ransomware tactics however was originally pioneered by the Maze group towards the end of 2019 and has subsequently been widely adopted with most groups following their lead. The tactic came about when the Maze group realized that rather than just encrypt data and systems they could move through a network and exfiltrate any data of value before then pushing the button to encrypt.

This theft of data then provided an extra layer of extortion, whereby they would threaten to sell the data or release it publicly if a victim refused to pay the ransom. This so-called “double extortion” attack means an attacker has a much higher likelihood of receiving payment either from the actual ransom or through the sale of the data on dark web marketplaces. For a victim organization this tactic introduces several levels of doubt, to begin with, it means the attackers have been inside the network for a prolonged period to exfiltrate the often gigabytes of stolen data.

No one can be sure whether the attackers have introduced back doors or been able to steal credentials allowing them to return, nor do they know exactly what data has been stolen. The Maze ransomware group has since announced they were ceasing operations, although it is widely believed they were simply replaced by the new group Egregor, it is now common practice for the majority of ransomware gangs to utilize double extortion.

Most of the high-profile groups, such as Egregor, REvil (Sodinokibi), DoppelPaymer among others, maintain leak sites either on the dark web or the public Internet.² These sites are used to “out” organizations that have been attacked and/or refuse to pay the ransom and often contain teasers as to what data they have stolen.

Not only does this put pressure on organizations to pay it also effectively acts as a disclosure notice meaning a victim organization can’t try and sweep the attack under the carpet and instead have to treat the attack as a data breach thereby falling foul of regulatory controls such as GDPR along with any associated fines that may come their way as a result.

Sources:
1) Wired
2) ZDnet

To discover more about our ransomware research, don’t miss the upcoming webinar: Don’t be a victim. Ransomware can be beaten!