In order to win at the ransomware cat-and-mouse game, the ransomware itself must constantly change, and ransomware gangs must keep upping their game – or risk losing their “clients” as well as their revenue streams. In this, they are strikingly similar to legitimate businesses, which must continue to innovate and keep products fresh, or risk losing to competitors that are more savvy, hungrier or have a finger that’s more firmly placed on the pulse of their market.
The impressive success of the ransomware “market” as a whole, as well as its “leading players” is, of course, terrible news for their possible victims. That is, for the rest of us – businesses, organizations, and individuals alike.
Sophisticated Organized Cybercrime Gangs
Today’s ransomware gangs manifest growing sophistication in several ways:
- Selective targeting. Cybercriminals are increasingly targeting victims for whom downtime is very expensive. According to IBM, manufacturing companies account for nearly a quarter of all ransomware incidents so far this year. Since shuttered operations can cost manufacturers millions of dollars in lost revenue each day, they are more likely to pay ransom demands to get back up quickly.
- Ransomware demands are getting higher – some reportedly reaching as much as $40 million.
- Pricing structures are getting more sophisticated. Cyberthieves are doing more homework on how to set prices for best results. They’re analyzing target company annual revenues, for example, and setting ransom demands accordingly.
- In a new take on pure ransomware plays, cybercriminals are blending extortion and ransomware attacks, with gangs stealing sensitive information before locking up data. If a victim balks at paying to get their data released, the criminals threaten to release the data they’ve “saved.” These attacks up the ante for target companies, which may be liable for fines if sensitive personal information is disclosed. In one such attack, the University of Utah foiled a ransomware attack by restoring data from backup — but then paid out $457,059 in hush money to keep student information from being released online.
The “Winning” Ransomware Strains of 2020
While it’s still too early to name a winner for the “most common (or most damaging) ransomware of the year” title, a few ransomware strains are leading the pack. Sodinokibi (also called REvil) has been most frequently seen by IBM Security X-Force so far, accounting for 29% of attacks. Sodinokibi uses a ransomware-as-a-service (RaaS) model: the developer of the tool rents the infrastructure for conducting ransomware attacks to malicious actors, with the ransomware’s creators typically getting a piece of the payment. Sodinokibi has experienced considerable success using the combined extortion and ransomware model. IBM Security X-Force estimates that over 36% of Sodinokibi attack victims pay the ransom; another 12% have had their sensitive information sold at auction on the dark web, and 32% of victims have had their data leaked.
Maze is next on the list, responsible for 12% of ransomware attacks this year to date, according to IBM Security X-Force. Maze uses a RaaS program that combines extortion with ransomware, much like Sodinokibi, and outs extortion victims on a publicly available blog. A common Maze installation tactic is using a code-signed Buer Loader, available for sale on the dark web.
A highly unusual trend – and perhaps the most potent indication of the “businessification” of cybercrime – is that cybergangs are donating (or trying to donate) part of their proceeds to charity, and announcing their “good deeds” to the world.
DarkSide, a cybergang that made its debut in August 2020, has already received payments of over $1 million from some victims. Demonstrating consummate chutzpah, they issued a press release to announce they were in business:
We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn't find the perfect product for us. Now we have it.
DarkSide has donated 0.88 bitcoin, worth about $10,000, to a couple of US-based not-for-profit organizations, Children International and The Water Project. Neither organization is likely to get to keep the money, however, since it is illegal to accept illegally-sourced funds. The money will most likely be seized by authorities and, if possible, returned to the victims.
Other cybercrime gangs have also made charitable donations to organizations or individuals. The GandCrab gang handed out free decryption keys to victims of the war in Syria; another cyber gang known as Phineas Fisher claims to have hacked into a bank and donated funds to the Rojava autonomous province in Syria.
In the spirit of countless Hollywood flicks that glorify clever, appealing criminals (think “Ocean’s 11”), it’s easy to be awed and a little amused by the innovation and sheer smarts of these ransomware “artists.” But don’t let that distract you from the danger they represent – or how essential it is to keep up your guard.
Make sure your users are suitably suspicious when it comes to downloads from emails, social media and the web as a whole. They should know to check the URLs lurking behind links to root out discrepancies – before clicking, of course.
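As an added illustration of the link check described above (example code, not part of the original post), here is a small Python script that pulls the anchors out of an HTML email body and flags any link whose visible text looks like a URL on one host while the underlying href actually goes to another. The sample message and the attacker-placeholder.test domain are constructed for the example; the script uses only the standard library and can be pointed at a real saved message body.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message): two benign links and one
# whose visible text advertises a different host than the href really points to.
SAMPLE_HTML = """
<p>Your invoice is ready:
   <a href="https://billing.example.com/inv/42">https://billing.example.com/inv/42</a></p>
<p>Sign in at
   <a href="http://login-example.com.attacker-placeholder.test/">https://login.example.com</a></p>
<p><a href="https://example.com/help">Help center</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; a scheme is assumed if the text lacks one."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


# Visible text "looks like a URL" if it is a bare or schemed hostname with a TLD.
_URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)


def find_link_mismatches(html):
    """Return (visible_text, actual_host) for links whose displayed URL names a
    different host than the one the href actually leads to."""
    parser = _AnchorCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.anchors:
        if not _URL_LIKE.match(text):
            continue  # plain words such as "Help center" cannot be compared
        if _host(text) != _host(href):
            mismatches.append((text, _host(href)))
    return mismatches


if __name__ == "__main__":
    for text, host in find_link_mismatches(SAMPLE_HTML):
        print(f"display text says {text!r} but the link actually goes to {host}")
```

Only anchors whose visible text is itself URL-shaped are compared, because a link labelled with ordinary words gives the reader no host to verify against; such links still deserve a hover-and-check before clicking.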
And do your part as well, by adding smart Zero Trust protections to your network. Because no matter how much sophistication cybercriminals bring to their attacks, we “good guys” need to stay five steps ahead, and smarter than them.