Threat Intelligence Blog

Posted April 15, 2020

Businesses Face Escalating Ransomware Threats

Since gaining notoriety in 2016 when ransomware campaigns targeted the healthcare industry, ransomware attacks have been observed globally across public and private sectors, impacting numerous industries. While initially used primarily as a vehicle for cyber crime, extorting victims into paying ransoms of various amounts, clever actors saw the potential of ransomware to support other nefarious activities, suggesting that making money may not be the primary motive behind an attack. Indeed, a recent article indicates that cyber criminals use ransomware as a secondary source of income rather than a primary one.

What motivations are driving ransomware popularity?

Ransomware’s deployment depends largely on the intent of the attacker. In addition to conventional financially-driven extortion, ransomware attacks have purposefully crippled targeted systems (see NotPetya ransomware), exploited industrial control systems (Ekans ransomware), and have been used in tandem with the theft of data before encrypting it (Zeppelin ransomware). A mid-2019 incident in Germany revealed a strain of ransomware that overwrote existing data on the machine, thereby destroying it, rather than encrypting or locking it.

Ransomware is a profitable business

Ransomware continues to be a popular tool for hostile actors. According to a cyber security site of independent experts, thus far in 2020 ransomware remains a top five threat, has migrated to targeting small-to-medium sized businesses with ransoms ranging from USD 500 – USD 2,000, and has seen a 46 percent increase in new variants over the previous year (another company stated that for large enterprises, a ransom cost approximately USD 780,000). Perhaps more disconcerting for businesses is the increased downtime that ransomware infections have caused. According to one company report on ransomware, downtime increased by 200 percent in 2019.

Ransomware’s longevity is a testament to its success. The prevalence of activity has led the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) to address ransomware at a premier security conference in San Francisco. Elevated attention at such a venue, attended by senior company and government officials, is a positive development showing the importance government places on ransomware as a pervasive threat. In addition to DHS, the Federal Bureau of Investigation (FBI) has promptly disseminated new information as it becomes available.

Ransomware is a flexible tool for threat actors

Versatility is one of ransomware’s greatest assets and supports a variety of motivations across the cyber threat actor landscape. Moreover, such flexibility can hinder defenders’ ability to attribute an attack. For example, with NotPetya, ransomware was used as a punitive measure – in this instance the disruption of Ukraine’s services – as extorting money did not appear to be the main objective of the attack. Ultimately, Russia was implicated, but the event demonstrated how such malware could be used for purposes other than pure extortion.

We have seen ransomware campaigns that focus on stealing information as well as encrypting it. In these instances, the actors have demonstrated an interest in making money two ways – decrypting files and selling the safe return of the data that they took. However, such a technique can also be used to support cyber espionage operations, misleading defenders into thinking that cyber criminals perpetrated the act. If these actors appear to try to collect ransoms (including ransom notes, valid cryptocurrency wallets, Jabber contacts, etc.), this may be enough to obfuscate their true intent.

Another tactic that surfaced in late 2019 was the collaboration of groups to facilitate ransomware delivery. Ransomware-as-a-service is an established offering in the cybercriminal underground, but groups actively working together may gain traction. In one instance, a group sold access to a target’s networks to other threat groups, some of which engaged in ransomware campaigns. It remains to be seen if this will catch on, but it certainly enables ransomware attacks.

What can organizations do about ransomware?

Organizations need to prepare for ransomware and establish contingency planning and continuity-of-operations processes that will help mitigate the threat and ensure the sustainment of critical business operations. Those able to demonstrate cybersecurity resiliency will be best positioned to remediate and recover from ransomware campaigns, regardless of the intent of the attacker.

The LookingGlass STRATIIS product line has been tracking ransomware’s development and usage by hostile actors for the past couple of years. Find out how finished intelligence from LookingGlass can give you the perspective you need to make informed decisions.
