Part 1: What is ransomware and how it evolved
Just a few years ago, few companies had ever heard of ransomware. Today, it has become a cybersecurity scourge. This article, the first of a three-part series on this cybersecurity threat, explores what it is, how it evolved, and why your company should be putting protections in place to avoid ransomware attacks now.
Ransomware is malicious software with a twist. Instead of just turning your endpoints into botnets or defacing your website, it targets you with extortion. Ransomware typically encrypts your critical data, relying on you not having backups, and then charges you for the decryption key to get that data back.
Criminals have long relied on extortion as a form of income, from DDoS attacks to threats to publish stolen data. Ransomware has been a part of their arsenal since the nineties. Initially consumer-focused, it used various methods to dupe victims, including impersonating law enforcement. That trend continues today with ransomware such as Reveton, also known as FBI MoneyPak, displays a message purporting to be from law enforcement claiming that the victim had been viewing illicit material on their computer. It locked their entire machine and then demanded a ransom in prepaid cards to grant access.
Criminals also developed malware early on that encrypted files and demanded a ransom key to retrieve them. Early attempts dating back to 1989 were unsophisticated, using symmetric keys that could be recovered from the victim’s machine. It took several years for developers to improve. Early ransomware would often use decryption keys that would not work or would use one key that would unlock every victim’s files.
Even as their technologies improved, criminals still used immature business models. They would use untargeted ‘spray and pray’ attacks, hitting consumers and businesses indiscriminately. That limited their potential earnings.
How ransomware grew up
In recent years ransomware has become far more sophisticated. What was once restricted to locking up peoples’ personal photo collection has mutated, becoming a carefully managed business with high margins. This is due in part to the rise of cryptocurrency, which emerged in 2009 with bitcoin but only became mainstream in the mid-2010s as digital currency prices soared and other kinds of online tokens appeared.
As anonymous payment options grew easier, criminals refined their operations, launching targeted attacks on specific companies that they knew would have more at stake and be more willing to pay. Although there have been some notable attacks on larger organizations in recent years, ransomware criminals continue to turn a healthy profit from smaller companies.
Ransomware perpetrators have used targeted attacks to pry more money from victims. Businesses typically have more money at their disposal than individual targets, and their data also has more monetary value. In some cases, the disruption to operations from ransomware has been so great that it has cost businesses thousands of dollars in operational losses. This has caused the average ransom size to increase from $84,116 in Q4 2019 to $154,108 in Q4 2020.
Evolving business models
The business model for ransomware has also evolved, with perpetrators applying the same economies of scale to this criminal enterprise as legitimate businesses do to their own products. In their 2021 Spotlight Report on ransomware, RiskSense and Cyber Security Works (CSW) reviewed the rise of ransomware-as-a-service (RaaS).
The RaaS model, typified by operations like Ryuk and Revil, uses a franchise system to maximize the return on investment for ransomware developers. Ransomware groups with the technical expertise to develop the malicious software make it available to other attack groups which then use their own techniques to get it into victims’ systems, including phishing campaigns and exploiting network vulnerabilities. This lowers the barrier to entry for criminal groups to infect victims with ransomware, spreading the problem.
Ransomware-as-a-service operations use the same professional approach to online automation as legitimate companies. They include technical support for franchisees and fast, automatic payment and data decryption services for victims.
As ransomware matures, its business model continues to evolve. Recently, monetization techniques have expanded beyond simple payment for decryption. Criminals are now using double extortion techniques in which they steal files before encrypting them. This enables them to blackmail victims to prevent the publication of sensitive data, while also paying to retrieve it.
We have seen companies ranging from movie studios to celebrity law firms fall victim to these attacks, losing data to ransomware groups who then publish the data unless the companies pay up.
Ransomware attacks are becoming more technically sophisticated as attackers increasingly employ advanced intrusion techniques against specific targets. These include identifying likely targets via network weaknesses including RDP flaws and then moving laterally through systems to infect as many devices and network shares as possible.
No wonder, then, that researchers are noticing nation state actors using ransomware to wreak havoc on their targets for purposes that are often non-financial. APT groups are often state sponsored, and the RiskSense/CSW report identified several such groups that are well-funded and willing to launch ransomware attacks on adversaries’ critical infrastructure.
As ransomware continues to evolve, every company is at risk, whether large or small. Discover how we can help to protect you against this threat, and how to mitigate an existing compromise.
Learn how to prevent ransomware like a pro in part 2 of this series.
Learn more about Lumen Ransomware Assessment.
This blog is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. ©2021 Lumen Technologies. All Rights Reserved.