Ransomware affiliates want more than just your money

Threat actors who use Ransomware-as-a-service (RaaS) are looking for a way to branch out with their own operation. The victims are forced to help.

Fueled by double and triple extortion, ransomware has made many threat actors rich in the last several years. For example, Emsisoft estimates that while the average extortion demand was $5,000 in 2018, it skyrocketed to $200,000 in 2020.

Since the number of attacks increased by over 90% in the first half of 2021, yearly reports for 2021 will likely show ransomware hackers setting many new anti-records.

"There has been so much money thrown at the threat actors. I think they are having trouble finding where to spend their money," Stephen Nix, Special Agent at the US Secret Service, said during MIT's CyberSecure 2021 conference.

The more money ransomware groups accumulate, the more they can invest in getting better at extortion. The worst part is that all of that money is provided by the victims.

Say if you pay

Nix, who has assisted victims in ransom negotiations numerous times, stressed that paying a ransom is often a futile endeavor. In 46% of the reported cases, threat actors take the money and provide victims with a bogus decryptor.

To add insult to injury, ransomware groups come back to victims willing to pay precisely because they paid. While the number of re-victimized businesses used to be only a fraction of the total pool, the trend has drastically changed recently.

"If I had answered that six months ago, I would have said 20-30% [of victims face subsequent extortion]. Today, I would say 70% of those negotiations are double extortion. Your data is being sold again. You pay, and they are coming back after you," Nix explained.

However, he was not quick to judge businesses that opt to pay, adding that deciding whether or not to pay a ransom is extremely difficult for companies. Refusing to pay, in some specific cases, can lead to the end of the business. The worst thing companies can do is to keep quiet about an attack.

"We have this saying: 'pay something, say something.' So, once you do pay, we'd like to hear about it," Nix said to the online audience.

Without reporting the crime, law enforcement can't gather evidence, and there's zero chance the culprit will ever face justice. It's also impossible to return a ransom payment in the event of attackers' crypto wallets getting discovered.

Nix shared an instance where, after a successful takeover of a crypto wallet used for extortion payments, only a fraction of the funds was returned to their owners, as only one or two companies had contacted the authorities about the payment.

He advised businesses to be more critical of ransomware gangs and try to combat initial fear. Government agencies have access to numerous decryptors, meaning that a ransom demand can become utterly meaningless upon contacting the authorities.

Criminals do R&D

Among the unintended consequences of paying a ransom are the indirect incentives to develop a criminal ecosystem. The more funds a specific ransomware gang accumulates, the more spare money is allocated to research.

According to Nix, following how a ransom payment travels between crypto wallets allowed the Secret Service to detect that some groups spend almost a third of the money on further research. That translates to more sophisticated malware and better qualified people working to develop it.

Interestingly, some RaaS users seem to have decided to set up their own operation to profit more. A general rule is that affiliates pay around 30% of a ransom payment to the gang that provided them with the malware package.

These criminal start-ups target their victims with demands to provide them with various cyber tools that would allow them to set up a separate operation. Some criminals look for crypto tracing so they can see how obfuscated the funds are.

Other affiliates and variant affiliates look for parsing tools to operate independently without needing to pay hefty fees to their handlers.

Nix noted that with the growth of the RaaS model, the general tactics of threat actors started to shift. While the attacks became more extensive and more targeted over the last couple of years, some affiliates started aiming for payments as small as $500.

With the expanding criminal ecosystem, the entry barrier has been lowered to the point that it takes very little technical skill or expertise to employ ransomware.

"We've gone from the large payments to these small payments. It's a quick money grab by lower-level cyber actors, and the problem is they have gotten good at it," Nix explained.

Gold rush

Cyberattacks are increasing in scale, sophistication, and scope. The last 12 months were rife with major high-profile cyberattacks, such as the SolarWinds hack and the attacks against the Colonial Pipeline, meat processing company JBS, and software firm Kaseya.

The prevalence of ransomware has forced governments to take multilateral action against the threat. A combined effort likely made it possible to push the infamous REvil and BlackMatter cartels offline and to arrest members of the Cl0p ransomware cartel.

Gangs, however, either rebrand or form new groups. Most recently, LockBit 2.0 was the most active ransomware group with a whopping list of 203 victims in Q3 of 2021 alone.

An average data breach costs victims $4.24 million per incident, the highest in 17 years. By comparison, the average cost stood at $3.86 million per incident last year, putting recent results at a 10% increase.

Reports show that criminals were taking advantage of the uncertainty caused by the pandemic and the flood of new users to digital channels, who were especially susceptible to attacks.
