Cybereason, the XDR company, published a new report, titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy, which examines how ransomware attacks have evolved from a cottage industry years less than 10 years ago into a multi-billion dollar mega industry today. With increasing sophistication behind RansomOps attacks, ransomware syndicates are reaping the benefits with record profits, making it open season on public and private sector organizations of all sizes.
Ransomware attackers early on relied on spray-and-pray tactics to target mostly individuals where ransom demands were relatively small compared to what we began to see in 2020-2021. With the emergence of RansomOps that are complex and akin to the stealthy operations conducted by nation-state threat actors, ransomware attacks have become harder to defend against for most organizations, and emboldened threat actors have driven up their ransom demands as more and more organizations choose to pay.
“A shift by the ransomware gangs from wide-spread to targeted attacks against organizations that have the ability to pay multi-million dollar ransom demands has fueled the rise in attacks in 2021. No two RansomOps attacks garnered more publicity last year than those on Colonial Pipeline and JBS Foods. Unfortunately, we can expect to see a continued increase in attacks in 2022, with ransom demands increasing and critical infrastructure operators, hospitals and banks having targets on their backs,” said Lior Div, Cybereason CEO and Co-founder.
The new report details the four components of RansomOps:
- Initial Access Brokers (IABs): Infiltrate target networks, establish persistence and move laterally to compromise as much of the network as possible, then sell access to other threat actors
- Ransomware-as-a-Service (RaaS) Providers: Supply the actual ransomware code, the payment mechanisms, handle negotiations with the target and provide other “customer service” resources to both the attackers and the victims
- Ransomware Affiliates: Contract with the RaaS provider, select the targeted organizations and then carry out the actual ransomware attack
- Cryptocurrency Exchanges: Launder the extorted proceeds
To Pay or Not to Pay
A previous Cybereason report, titled Ransomware: The True Cost to Business, revealed that 80 percent of organizations that paid a ransom were hit a second time, many times by the same threat actors. Instead of paying, organizations should focus on early detection and prevention strategies to end ransomware attacks at the earliest stages before critical systems and data are put in jeopardy. There are a variety of other reasons for not paying, including:
- No guarantees of retrieving data: Paying the ransom doesn’t mean that you will regain access to your encrypted data. The decryption utilities provided by those responsible for the attack sometimes simply don’t work properly. In the case of Colonial Pipeline in 2021, the company paid a $4.4 million ransom, received faulty decryption keys from the DarkSide Group and had to activate their backups to restore systems.
- Legal implications: Organizations could end of paying steep fines from the U.S. government for paying ransomware actors that sponsor terrorism. In addition, supply chain ransomware attacks that impact an organization’s customers or partners would result in lawsuits from the impacted organizations.
- Incentivizing ransomware attacks: Organizations who pay ransomware attackers send the message that the attacks work and it continues to fuel more attacks and higher ransom demands. Like Cybereason, the FBI advises that organizations refrain from paying ransoms because it simply emboldens malicious actors by telling them that extortion works.
“Ransomware remains the top cybercrime threat and continues to cause significant damage, disruption and financial losses. With criminals seeking to maximise their illicit gains by exfiltrating and exploiting the victim’s data before it gets encrypted, ransomware is an evolving threat and presents a serious cybersecurity risk that requires a networked response. This must include law enforcement and public-private-partnerships such as the No More Ransom initiative,” added Phillip Amann, Head of Strategy European Cybercrime Centre (EC3), Europol.