Recently my wife’s hospital trust in the UK received a rather aggressive sounding email demanding large sums of money or the sender would release large quantities of patient data into the public domain. It’s part of a growing canon of ransomware attacks over the past year that have sought to capitalize on the chaos and disruption caused by Covid-19.
As the ransomware ‘market’ has grown, it has become both more commercial and more professional, with new entrants to the market adopting many of the language and practices of the latest startups. A good example of this is DarkSide, which pledges to provide real-time support and guaranteed turnaround times to clients. Indeed, DarkSide have even embraced a degree of corporate social responsibility, and claim that they won’t ever attack hospitals or schools.
In true Robin Hood style, DarkSide suggests they’ll only ever attack the bad guys.
REvil ransomware are another group that shares many of the same professional veneer as DarkSide, offering a range of support options to clients. Similarly, the Maze ransomware tool operates an affiliate style business model, whereby they take a slice of all of the attacks made using their technology.
It’s a reflection of the growing size of the industry, with an estimated $7.5 billion extorted from victims last year in the United States alone. The sheer scale of the market is forcing many to up their game.
Extortion with a smile
The seemingly ethical approach espoused by DarkSide is reflected across the sector. Earlier this year, Reuters reported an attack from Ragnar Locker on the travel firm CWT, and they describe the support offered to the company by the attackers, including the services a ransom payment would provide them, and even a discount if they paid the ransom promptly.
They even kept the lines of communication open after the decryption keys had been handed over in case the company needed any help getting operations back up to speed.
Of course, one could argue that the industry has always had a degree of professionalism, in that being responsive with your communication and providing reasonable guarantees that systems would be restored after payment had been received helped to ensure a ‘successful’ resolution for the attackers. By only targeting certain sectors, however, the likes of DarkSide are perhaps going that bit further in mirroring some of the practices seen in more legitimate sectors.
In a way this makes sense, as any attacker will inevitably assess the likelihood of payment of the ransom they demand. It’s impossible to accurately gauge the suitable ransom without a robust knowledge of the accounts of the target institution. Unlike extortionists from bygone eras, they profess not to want to squeeze the pip more than it can afford.
Professionalism among cybercriminals
This growing professionalism requires not only greater operational sophistication, but new skills. Whereas traditionally hackers have predominantly focused on the technical capabilities required to conduct the hack itself, a new range of skills is required to assess the financial and reputational strength of potential targets, and to liaise successfully with them to ensure that the ransom is paid promptly.
For instance, the kind of market research that has been common among merger and acquisition or technology scouting professionals is now a key part of the ransomware toolkit, with attackers expected to produce a detailed understanding of the ability and willingness of a target organization to pay up.
Of course, if this paints a picture of an almost legitimate approach to business, they are nonetheless criminals looking to extort money from their victims, so their practices are certainly not all of the whiter than white variety. As well as simply barring access to systems, it’s common for data to be stolen and held hostage by ransomware attackers. Just as with my wife’s healthcare organization, victims are threatened with the exposure of private data should they fail to comply with the payment terms demanded of them.
DarkSide have performed this trick recently after they released some 200 GB of data from a Canadian property company, and REvil did likewise in May when they released 2.4 GB of private legal documents belonging to Lady Gaga to show that their demand for $42 million was to be taken seriously. Indeed, the group has since auctioned off this data on the dark web to create a further source of income.
It’s not uncommon for attackers to have robust communications operations to ensure that any leaks are efficiently sent to the press, to rivals, or even to regulators, should the victims not comply.
It’s a weaponization of the stolen data that underlines the seriousness of these threats.
This combination of ruthlessness with efficiency should underline the seriousness of the ransomware threat, and hopefully the significant growth in attacks during the coronavirus pandemic will reinforce the need for organizations to take this threat significantly more seriously than they have previously. After all, as the attackers reap the increased rewards from their endeavors, they are only going to get more professional and more proficient.