Ransomware gold rush: why now?
Ransomware is not a new phenomenon, yet 2020 witnessed digital extortion mutating into a beast that can impact everyone and even have the capacity to take human life. ESET's Ondrej Kubovic thinks we're victims of an unlucky coincidence.
Anyone who has at least mild interest in the news could name at least a couple of noticeable ransomware attacks. Threat actors targeting Colonial Pipeline and meatpacker JBS were almost impossible to miss in the last few weeks.
Attacks such as the one in Germany represent a new cybercriminal wave or a gold rush, if you will. With ransomware gangs being at its forefront. And let me assure you, the situation is really dire,Ondrej Kubovic.
Due to operational disruptions caused by a ransomware attack, a hospital in Germany could not accept a patient suffering from COVID-19 complications. Diverted to another hospital, the patient did not survive.
"No matter the region, no matter the industry. Attacks such as the one in Germany represent a new cybercriminal wave or a gold rush, if you will. With ransomware gangs being at its forefront. And let me assure you, the situation is really dire. Actually, it has never been worse," Ondrej Kubovic, ESETs Security awareness specialist, said during the ESET World 2021 conference last week.
According to Kubovic, ransomware operations have increased due to a change in criminal tactics, namely, the use of double extortion or doxing. Criminal gangs insert themselves into critical systems, steal sensitive data, and disrupt victims' daily operations.
The victim is forced to pay money for stolen data and digital keys that allow continuing operations. For maximum effect, criminals target businesses that have sensitive data and cannot handle halt in operations.
The now-defunct Maze cartel brought ransomware doxing technique to the forefront in late 2019. Competitors, however, soon realized its potential. Criminal gangs like Sodinobiki, Abaddon, Cl0p, DoppelPaymer, and others were quick to catch up.
"Ransomware gangs became much more focused and much more targeted, finding their victims in almost every possible industry that showed even the slightest vulnerability, including military, public administration, and, of course, hospitals and emergency services. And if the initial intrusion was successful, cyber-criminals made the most of it," Kubovic said.
Suppose a victim, such as Colonial Pipeline, is a critical energy supplier. In that case, it is likely to pay hefty ransom demands since millions of people depend on such companies to operate continuously.
According to Kubovic, once threat actors successfully infest their victims' systems, imaginations on how to force them into paying run wild. Since distributed-denial-of-service (DDoS) attacks have become a dire norm, gangs apply pressure by hijacking internal printer systems to allow every connected member of the organization to see the situation the company is in.
If that's not enough, floods of emails are sent to victims' clients, threatening to reveal any sensitive data threat actors have on them. That's meant to encourage clients to apply additional pressure on the victim to pay up.
While doxxing has become a frighteningly efficient tool to coerce victims into paying humongous ransom fees, on its own, it would not have been sufficient to kickstart a goldrush. A global lowering in cybersecurity standards was also necessary.
A global pandemic that forced billions of people to login to work from home, remotely connecting to systems that were never meant to be accessed off-premise.
Ransomware gangs became much more focused and much more targeted, finding their victims in almost every possible industry that showed even the slightest vulnerability,Ondrej Kubovic.
"This change made Microsoft service called Remote Desktop Protocol or RDP for short, into the biggest target in 2020. This small utility built into Windows operating systems allowed users to remotely access their machines with as little as their username and password," Kubovic explained.
Attempts to compromise RDP connections were so numerous that ESET had blocked over 56 billion malicious RDP password guesses, or 56,000 per unique machine, since January 2020. Compared to previous years, that means breach attempts increased by 700%.
The earnings from increased activity were so generous last year that the Sodinokibi crime gang bragged about netting a whopping $100 million in 2020. Since the crime gang takes around 20-30% of the ransom affiliates from victims, the actual amount of money stolen is likely several times larger.
Kubovic claims that data from Bitcoin wards confirms that crime gangs are not bragging since Law enforcement agencies spotted transactions of $150 million by a single crime group in 2020. Group-IB, a cyber threat intelligence company, estimates that an average ransom demand was $170,000 in 2020. However, there already have been at least two ransom demands that stood at $50 million in 2021.
The European Union Agency for Cybersecurity (ENISA) data shows that criminal groups made around €7 billion in 2018. Kubovic claims that it is highly likely that in 2020 criminals will have netted over €10 billion, and 2021 is expected to be even more profitable. That's why this particular time can indeed be called a ransomware gold rush.
How they operate
Research by CyberNews shows that increased activity encourages criminal groups to expand, actively recruiting new employees. Our researcher even tricked ransomware operators into revealing the payout structure, cash-out schemes, and target acquisition strategies.
Ransomware groups advertise online, claiming the successful candidate would get up to 80% of any successfully paid ransom. Criminals could even prove they have $1 million worth of bitcoin in one of their digital wallets.
The group our researcher tried to infiltrate is the Russia-linked cyber gang Ravil, also going by the name Sodinokibi. The same group is likely responsible for the disruption of JBS operations in the US, slaughtering plants for a day after the attack. An event that threatened to disrupt North American food supply chains and increase the price of food.
JBS later admitted to paying $11 million worth of bitcoin to put an end to the attack. According to the FBI, the company says that JBS has fallen victim to 'specialized and sophisticated cybercriminal groups in the world.'
More from CyberNews:
Subscribe to our newsletter