by Sergey Shykevich, Threat Intelligence Group Manager at Check Point
In the most recent edition of its annual Security Report, Check Point Software Technologies looked back on a tumultuous year in cybersecurity, which saw attack levels reach an all-time high in response to the Russia-Ukraine conflict.
But what can we expect in the future?
In this article, Sergey Shykevich, Threat Intelligence Group Manager at Check Point, looks at the evolution of ransomware from a money-making exercise to highly organized operations.
Ransomware is one of the single biggest threats to an organization’s security. In the early days, attacks were conducted by single entities who developed and distributed massive numbers of automated payloads to randomly selected victims, collecting small sums from each “successful” attack.
Fast forward to today, and these attacks have evolved to become mostly human-operated processes, carried out by multiple entities over several weeks.
In 2022, 1 out of every 13 organizations suffered an attempted Ransomware attack, while the Costa Rica government was forced to declare a national emergency when Russian hackers, Conti, breached its Ministry of Finance and demanded a $20 million ransom.
However, as we move further into 2023, ransomware as we know it is evolving: the number of victims is decreasing, and hackers’ demands are changing.
You could be forgiven for thinking this is a good thing, but in fact, it is because the ransomware ecosystem has become increasingly fragmented but in parallel, much more focused on specific targets and more sophisticated. New variations of malware appear daily, which has created a complex and hard-to-navigate threat landscape.
Shifting focus from encryption to extortion
The focus of bad actors has moved away from ransom payments and is now firmly on extorting unencrypted data.
Why? Unencrypted data is more valuable. It can be released into the public domain almost immediately, meaning victims will be eager to get it back, no matter the cost.
Many different types of information are considered sensitive, from corporate financial and proprietary data to personal data relating to physical or mental health, financial data or any other personal identifiable information (PII), which makes the threat of data exposure even more potent.
Some groups now skip the encryption phase altogether, relying on threats of data exposure alone to extort money. Data exfiltration is much easier than encrypting an entire network, implementing encryption professionally and assisting with decryption when ransom is paid. Cybercriminals find ways to do less and get more.
An extreme example of the effectiveness of the threat of personal data exposure was demonstrated in an attack on Medibank, an Australian health insurer, in October 2022.
When the company refused to pay ransom demands of $10M, the attackers (possibly connected to the REvil group) dumped massive amounts of personal information relating to pregnancy termination, drug and alcohol abuse, mental health issues and other confidential medical data relating to millions of Australian and international customers.
The evolution of Ransomware-as-a-Service (RaaS)
While the ransomware ecosystem is splintering, we are also seeing a pivot to more attractive business models, including Ransomware as a Service (RaaS).
Often referred to as human-operated ransomware, it is the human aspect that makes RaaS so dangerous. Human attackers can make calculated decisions that result in a wide variation of attack patterns specifically tailored to individual targets.
Available via the dark web, it is essentially an arrangement between two parties. One develops the tools to carry out an attack, and the other deploys the payload.
If the attack is successful, both parties receive a share of the profits with the initial cost and accessibility of RaaS making it so easy. Anyone can purchase a kit and they need only well-written playbooks and some basic technical knowledge to execute an attack.
RaaS is extremely profitable, and anyone selling it is a top target for the authorities. For example, in 2021, the US Department of State offered a $10 million reward for information leading to the location of RaaS specialist, DarkSide.
Security leaders are concerned RaaS will grow in popularity over the next 12 months as a potential consequence of redundancies in the technology sector. For example, in the first two months of 2023, over 107,000 tech-sector employees lost their jobs.
Many layoffs were in specialist areas where technology-focused jobs are scarce, and the threat of disgruntled employees using their skills to support bad actors could start to filter into the cybercrime space.
Ransomware is a significant and costly threat that needs to be addressed. But are we seeing the tides change as governments across the world move towards offensive action against these groups?
Has the time come to hack the hackers?
Nations around the world already possess offensive hacking capabilities. In January 2023, the US Attorney General announced that the FBI and its international partners had succeeded in temporarily disrupting the network of the prolific ransomware gang, Hive. In effect, they had hacked the hackers.
The operation, which began in 2022, saved multiple government organizations from having to pay millions of dollars in ransom payments.
For example, in one instance, the FBI was able to disrupt an attack against a Texas school district and stopped it from making a $5 million payment to the hackers. Clear proof that hacking on the offensive works and we could see more organizations adopt this method in the next 12 months.
Similarly, after two major, back-to-back cyberattacks against Australian telecommunications giant Optus and insurance titan Medibank, the Australian cyber security minister vowed to “hack the hackers”.
In December 2022, Japan also started the process to amend laws to allow for offensive cyber operations against foreign hackers.
It begs the question; if more groups knew they could be hacked before they launched an attack, would they think twice about it?
What’s the solution to the evolution of ransomware?
One way to prevent ransomware attacks would be to introduce a ban on organizations making payments. For example, in Florida and North Carolina, it is illegal for state agencies to pay a ransom and Australia is considering codifying payment bans into law.
However, this could result in bad actors specifically targeting organizations that are least likely to cope with extended periods of downtime.
Hospitals, energy providers, and schools could become prime targets and the threat of genuinely harming society or individuals could force these organizations into paying.
While elements of early ransomware remains, it is undeniable that the methods and execution have evolved. It used to be about profit, but now it is about much more than that. As the threat landscape becomes more fragmented and RaaS continues to thrive, 2023 could be a pivotal year in the fight against it.
