Cracks in The Ransomware Ecosystem

According to the UK’s National Cyber Security Centre (NCSC), ransomware is the most immediate threat to businesses worldwide. Cybercrime around ransomware is organized and sophisticated, with technology that has been democratized and made accessible to the point that ransomware has become its own economy.

Some ransomware operators are playing a numbers game by targeting MSPs (managed service providers) with software supply chain attacks that affect thousands of businesses. Others, such as advanced persistent threat (APT) groups, are going after specific targets to destabilize governments or extort high-value data. Last year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) observed ransomware incidents affecting 14 of the 16 critical infrastructure sectors in the United States.

These include defense, food and agriculture, as well as government facilities and even emergency services. The Australian Cyber Security Centre (ACSC) recently reported that the country's critical infrastructure is being repeatedly targeted by ransomware operators, and it released a joint statement with the U.S. and the U.K. warning of the increasing ransomware threat to government entities and private businesses.

This is consistent with the findings we published in our 2022 Security Report. In it, we found that the number of cyberattacks in 2021 increased by 50 percent year-over-year, with one in 61 organizations globally affected by ransomware every week. The government/military sector saw a 47 percent increase in weekly attacks and the communications sector a 51 percent increase, but the education/research sector had the largest increase at 75 percent, reporting an average of 1,605 cyberattacks per week for the year.

This sharp increase could be due, at least in part, to the increased exposure of organizations as they moved to hybrid work models in response to the pandemic, creating more attack surface. More likely, however, the growing Ransomware-as-a-Service (RaaS) economy is responsible. In the RaaS model, ransomware groups and their partners package and sell ransomware to "customers" and then coordinate the attack.

These prime ransomware operators provide not only the ransomware itself but often money laundering services, negotiation specialists, and even detailed playbooks, as evidenced by Conti's recently leaked "cookbook." This democratization of cybercrime has created an entire ransomware sub-industry, where competition drives innovation just as it does in any legitimate sector.


However, thanks to the efforts of white-hat researchers and security specialists, as well as governments around the world stepping up their security measures and taking a more proactive approach, cracks are now starting to appear in the ransomware ecosystem.

Was the Colonial Pipeline attack the turning point?

One of the hallmarks of modern ransomware attacks is the widespread real-world damage they can cause – from crippling the UK’s National Health Service to wreaking havoc at the US Department of Homeland Security. But never have the real-world consequences of a successful ransomware attack been more apparent than in the 2021 attack on Colonial Pipeline.


One of the largest pipeline operators in the U.S., Colonial Pipeline supplies about 45 percent of the fuel needs of the entire East Coast – from providing heat to homes and businesses to fueling cars, jets, and even military installations. The DarkSide ransomware operators exploited a suspected unpatched vulnerability in Colonial Pipeline's systems, forcing the company to take certain systems offline to contain the threat. Fuel costs skyrocketed, panic buying ensued, and the aviation and military sectors could have been seriously affected had the situation, which took a full week to remedy, dragged on any longer.

This attack seemed to be the last straw for the Biden administration. Shortly after the incident, the U.S. government announced that crypto exchanges like Russia-based SUEX would be sanctioned to make it harder for ransomware actors to profit from their attacks. This appeared to be the first in a series of events that ultimately led to cracks forming in the ransomware ecosystem and proof that a proactive approach rather than remediation is the most effective way to combat cybercrime.


In the U.S., ransomware is now classified as a national security threat by the Department of Justice. The European Union and another 31 countries around the world have joined the U.S. in imposing sanctions on crypto exchanges to stop the activities of ransomware operators.

In Australia, a new “Ransomware Action Plan” has been established, giving organizations and government institutions more powers and capabilities to combat ransomware directly. These actions show the extent to which government attitudes toward cybersecurity around the world have shifted from reactive to proactive. All organizations in any industry would do well to follow suit.

Turmoil in the ransomware ecosystem

Ransomware operators are at the top of the ransomware ecosystem, and as with any other service provider, reputation is of enormous importance. RaaS groups need to attract partners or customers to expand their network and increase revenue. Therefore, any disruption inflicted on these groups can have serious consequences and even turn the industry against itself.

As seen in our report, a month after the attack on Colonial Pipeline, the DarkSide group responsible announced that it was ceasing its operations after its servers were seized and its crypto funds stolen. This impacted their ability to pay their RaaS partners. The REvil group responsible for the Kaseya MSP breach in July 2021 also disappeared later that year after a law enforcement operation successfully hijacked their infrastructure and blog, giving the group a dose of their own medicine, so to speak. The Justice Department went even further, arresting members of the REvil group and seizing more than $6 million worth of ransom money.

But what does this mean for the ransomware ecosystem?

Some ransomware groups are now putting more pressure on their victims to keep the authorities out of the incident. For example, the ransomware group Grief threatened to wipe its victims' decryption data completely if they hired professional negotiators – something such groups might have welcomed in the past as a way to extract payment.


In addition, proactive prosecution of ransomware operators has led to a number of operators and affiliates withdrawing from the arena or separating and renaming themselves to distance themselves from indictments or seizures. After DarkSide was shut down, for example, several members formed a splinter group called BlackMatter, but it also came under pressure from authorities and was shut down before the end of the year.

This blow to the ransomware ecosystem is not an isolated incident, but the result of increasing pressure from government agencies around the world to contain what is quickly becoming a global threat. Enterprises, however, should not feel too safe.

Not out of the woods yet

Even though 2021 dealt a serious blow to the ransomware ecosystem, it is likely that millions of ransomware attacks will still take place in 2022, with new and existing operators and partners ramping up their attack efforts. Emotet, one of the most dangerous botnets in history, returned in late 2021 despite coordinated efforts by governments around the world to shut it down. This modular botnet, which originated from a banking Trojan, has infected 1.5 million computers on thousands of corporate networks worldwide and is often used as a delivery mechanism for network-wide ransomware attacks.

Businesses must therefore remain vigilant and, like governments around the world, take a more proactive and preventative stance in dealing with the growing threat of ransomware.

That means leveraging real-time global threat intelligence and taking action to protect your organization not only from the threats you can see but also from those you can't. Zero-day vulnerabilities and fifth-generation (Gen V) attacks are sophisticated threats that require a sophisticated response, one that also includes employee training, continuous backups, multi-factor authentication, and applying the principle of least privilege.

The cracks in the ransomware ecosystem are starting to show, but even though recent blows suggest that ransomware actors may be losing the battle, the cyberwar is far from over.