Ransomware gold rush: why now?

Ransomware is not a new phenomenon, yet 2020 witnessed digital extortion mutating into a beast that can impact everyone and even have the capacity to take human life. ESET's Ondrej Kubovic thinks we're victims of an unlucky coincidence. 

Anyone who has at least mild interest in the news could name at least a couple of noticeable ransomware attacks. Threat actors targeting Colonial Pipeline and meatpacker JBS were almost impossible to miss in the last few weeks.

In only six months of 2021, both Ireland’s and New Zealand's health systems, together with hospitals in Germany, were held at digital gunpoint, facing demands to pay criminals for stolen data.

Attacks such as the one in Germany represent a new cybercriminal wave or a gold rush, if you will. With ransomware gangs being at its forefront. And let me assure you, the situation is really dire,

Ondrej Kubovic.

Due to operational disruptions caused by a ransomware attack, a hospital in Germany could not accept a patient suffering from COVID-19 complications. Diverted to another hospital, the patient did not survive.

"No matter the region, no matter the industry. Attacks such as the one in Germany represent a new cybercriminal wave or a gold rush, if you will. With ransomware gangs being at its forefront. And let me assure you, the situation is really dire. Actually, it has never been worse," Ondrej Kubovic, ESETs Security awareness specialist, said during the ESET World 2021 conference last week.

New tactics

According to Kubovic, ransomware operations have increased due to a change in criminal tactics, namely, the use of double extortion or doxing. Criminal gangs insert themselves into critical systems, steal sensitive data, and disrupt victims' daily operations.

The victim is forced to pay money for stolen data and digital keys that allow continuing operations. For maximum effect, criminals target businesses that have sensitive data and cannot handle halt in operations.

The now-defunct Maze cartel brought ransomware doxing technique to the forefront in late 2019. Competitors, however, soon realized its potential. Criminal gangs like Sodinobiki, Abaddon, Cl0p, DoppelPaymer, and others were quick to catch up.

"Ransomware gangs became much more focused and much more targeted, finding their victims in almost every possible industry that showed even the slightest vulnerability, including military, public administration, and, of course, hospitals and emergency services. And if the initial intrusion was successful, cyber-criminals made the most of it," Kubovic said.

Suppose a victim, such as Colonial Pipeline, is a critical energy supplier. In that case, it is likely to pay hefty ransom demands since millions of people depend on such companies to operate continuously.

According to Kubovic, once threat actors successfully infest their victims' systems, imaginations on how to force them into paying run wild. Since distributed-denial-of-service (DDoS) attacks have become a dire norm, gangs apply pressure by hijacking internal printer systems to allow every connected member of the organization to see the situation the company is in.

If that's not enough, floods of emails are sent to victims' clients, threatening to reveal any sensitive data threat actors have on them. That's meant to encourage clients to apply additional pressure on the victim to pay up.

Force Majeure

While doxxing has become a frighteningly efficient tool to coerce victims into paying humongous ransom fees, on its own, it would not have been sufficient to kickstart a goldrush. A global lowering in cybersecurity standards was also necessary. 

A global pandemic that forced billions of people to login to work from home, remotely connecting to systems that were never meant to be accessed off-premise.

Ransomware gangs became much more focused and much more targeted, finding their victims in almost every possible industry that showed even the slightest vulnerability,

Ondrej Kubovic.

"This change made Microsoft service called Remote Desktop Protocol or RDP for short, into the biggest target in 2020. This small utility built into Windows operating systems allowed users to remotely access their machines with as little as their username and password," Kubovic explained.

Attempts to compromise RDP connections were so numerous that ESET had blocked over 56 billion malicious RDP password guesses, or 56,000 per unique machine, since January 2020. Compared to previous years, that means breach attempts increased by 700%.

The earnings from increased activity were so generous last year that the Sodinokibi crime gang bragged about netting a whopping $100 million in 2020. Since the crime gang takes around 20-30% of the ransom affiliates from victims, the actual amount of money stolen is likely several times larger.

Kubovic claims that data from Bitcoin wards confirms that crime gangs are not bragging since Law enforcement agencies spotted transactions of $150 million by a single crime group in 2020. Group-IB, a cyber threat intelligence company, estimates that an average ransom demand was $170,000 in 2020. However, there already have been at least two ransom demands that stood at $50 million in 2021.

The European Union Agency for Cybersecurity (ENISA) data shows that criminal groups made around €7 billion in 2018. Kubovic claims that it is highly likely that in 2020 criminals will have netted over €10 billion, and 2021 is expected to be even more profitable. That's why this particular time can indeed be called a ransomware gold rush.

Ondrej Kubovic.

How they operate

Research by CyberNews shows that increased activity encourages criminal groups to expand, actively recruiting new employees. Our researcher even tricked ransomware operators into revealing the payout structure, cash-out schemes, and target acquisition strategies.

Ransomware groups advertise online, claiming the successful candidate would get up to 80% of any successfully paid ransom. Criminals could even prove they have $1 million worth of bitcoin in one of their digital wallets.

The group our researcher tried to infiltrate is the Russia-linked cyber gang Ravil, also going by the name Sodinokibi. The same group is likely responsible for the disruption of JBS operations in the US, slaughtering plants for a day after the attack. An event that threatened to disrupt North American food supply chains and increase the price of food.

JBS later admitted to paying $11 million worth of bitcoin to put an end to the attack. According to the FBI, the company says that JBS has fallen victim to 'specialized and sophisticated cybercriminal groups in the world.'

More from CyberNews:

Raising the game in European cybersecurity

Costlier than a house: list of the most expensive computers of the vintage era

US DoJ takes Slilpp – underground marketplace for accounting data offline

Electronic Arts breach: FIFA 2021 and Frostbite source codes, 9 million user records stolen from EA and sold online

Cryptocurrency and institutional investors: A love-hate relationship

Subscribe to our newsletter


John N
prefix 3 years ago
I come from a time before the proliferation of technology to now and wonder why these victims (large business entities) dont have a business continuity/disaster recovery plan and execute it? When you lose sight of your core business and are unable to peform tasks then that in itself is negligent and probably criminal.
prefix 3 years ago
It’s a very well known fact that most companies (even the biggest ones) totally under-fund their cybersecurity department if there even is any, most have only IT department which was until very recently deemed as “not so very important, let’s cut the budget and continue run on windows 7” so funds were cutted over the years (as a running system does not need the same funding as setting it up). This is the return of the underestimation of the importance of IT in companies. In 20 years we will look back and ask ourselfs “how could the most important department of any company be so much under funded?”. But until then, there will be much more such events happening until one day, the managing level is going to understand the importance of good opsec. And the detrimental butterfly effects of cutting budgets merely for a little bit more profit on the paper.
Leave a Reply

Your email address will not be published. Required fields are markedmarked