Ransomware is becoming an epidemic in the cybersecurity world, with new strains being created continuously by criminals to extort money out of unsuspecting users. Cybercriminals are becoming more and more sophisticated. From the comfort of their own homes without any physical contact, they can launch virtual kidnappings of valuable digital assets and hold them hostage in exchange for money.
What is Ransomware?
Ransomware is a devastating attack on an organization’s or individual’s digital assets. Cybercriminals or threat actors release a kind of malware which enters a computer system or network through fraudulent means and locks down files from access by encrypting them until a demanded ransom is paid to hackers in return for a decryption key.
Damages from ransomware in 2019 rose to over $11.5 billion and a new organization will fall victim to ransomware every 14 seconds, and every 11 seconds by 2021*.
What strategies do cybercriminals use?
As these attacks increase in their frequency, threat actors have had to evolve their strategies due to the following reasons:
- Competition from other threat actors vying for the same “pie”
- “Lessons learned” from attacks that did not generate a pay-out
- Effectiveness of data backup strategies
- Inherent software bugs within the ransomware variant used in certain attacks
- Speed of ransomware deployment and;
- Effectiveness of security controls within an organization
Criminal programmers are also competing among themselves by attempting to create a more effective software that offers:
- Automation capabilities to increase the scope of impact
- Increased speeds
- Increased reliability
- Ability to customize different features such as encryption keys, emails, demands, ransom notes
- Provides the ability for MASTER KEYS in case the original threat actors does not deliver on promises
At present there are thousands of various ransomware variants in different phases of activities and in some cases, victims are hit with multiple strains at the same time.
Learn more about the different ransomware variants.
What tactics do cybercriminals use?
Threat actors attack tactics include the following:
- Phishing – using a phishing email the workstation is infected and access provided to the ransomware threat actors.
- Vulnerable externally facing web service – this may include a remote access service, but can also include other services such as databases, web servers and/or web applications.
- Cloud services – some cloud applications are vulnerable to a compromise that may, in turn, be utilized to infect connected systems or act as a malicious service where threat actors can direct potential victims.
- Compromise of a centrally managed service – threat actors are now seen to compromise centrally managed services such as Anti-virus servers. These systems can deploy software to numerous systems and therefore are seen as a very useful tactic in gaining access to more systems in a shorter time frame.
- Alliances with “other” malware groups – it has been observed an increase in the trend of threat actor groups collaborating to increase access to compromised systems.
What are the Steps in a Typical Ransomware Attack?
The typical steps in a ransomware attack are:
- Infection – After it has been delivered to the system via email attachment, phishing email, infected application or other methods, the ransomware installs itself on the endpoint and any network devices it can access.
- Secure Key Exchange – The ransomware contacts the command and control server operated by the cybercriminals behind the attack to generate the cryptographic keys to be used on the local system.
- Encryption – The ransomware starts encrypting any files it can find on local machines and the network.
- Extortion – With the encryption work done, the ransomware displays instructions for extortion and ransom payment, threatening the destruction of data if payment is not made.
- Unlocking – Organizations can either pay the ransom and hope for the cybercriminals to actually decrypt the affected files (which in many cases does not happen), or they can attempt a recovery by removing infected files and systems from the network and restoring data from clean backups.
Ransomware in 2019
The number of ransomware attacks increased in 2019 — but worse, 22 of those cyberattacks shut down a city, county and even state government computer systems. Most of the victims offered public services that were disrupted or severely damaged.
Ryuk cause panic in the U.S. with several attacks in 2019. Jackson County, Georgia paid $400,000 after a Ryuk ransomware attack majorly disrupted workflow to all county agencies, including the 911 dispatch centre. Unfortunately, the citizens of the country had to pay the ransom as the city had no cyber insurance. Ryuk ransomware also impacted Lake City, Florida in late June 2019, during which authorities found that restoring the systems would exceed a million dollars compared to the $700,000 ransom. Having cyber insurance meant the city only had to pay a small fee to get their systems back up and running.
Last year, we also saw Maze ransomware extort their victims by releasing stolen documents if they did not pay the ransom. Maze operators furthered extorting their victims to pay up by threatening to release more sensitive information if payment was not made. These ransomware campaigns demanded up to six million dollars in exchange for the decrypted files and used the exfiltrated data as leverage to collect payment.
Ransomware in 2020
Ransomware will continue to be the growth driver in cyber-crime. The reason is simple, it’s the shortest distance between investment and revenue for its perpetrators. Unlike, identity theft, crypto-currency theft, or bank fraud, ransomware is a fast, cheap, and effective method of extracting fees from victims. With their profits rising, ransomware operators will likely increase their campaign volume in 2020. The success of ransomware campaigns will create additional ransomware families. For this reason, companies need to be proactive about their cybersecurity.
The need for cyber insurance for companies will increase significantly in 2020. Cybersecurity insurance firms are increasingly encouraging their customers to pay the ransom, instead of rebuilding or outright losing resources that are encrypted. Companies are also being encouraged to take preventative measures such as using behaviour changing cyber awareness training to help employees refrain from going to untrusted websites or from opening suspicious email attachments.
We also predict the need for secure and accredited third-party cybersecurity firms to facilitate ransom negotiation. Utilizing a company that truly understands the threat landscape and the threat actors are key to recovering from a cyber attack.
Read more about our predictions for cybersecurity in 2020.
The Cytelligence Advantage
From proactive offensive security audits and cyber awareness training to ransomware investigation and removal, our team of cyber experts work with companies of all sizes to combat cybercrime every day. Contact us now to learn how you can improve your security posture to reduce the chance of a breach situation.
Have you experienced a breach? Our team is available 24×7.
*Click here to read the full research report by Cybersecurity Ventures.