In the last decade, ransomware has exploded. Gone are the days when criminals would only attack consumer PCs, demanding $300 ransoms via Western Union, MoneyPak or Amazon gift cards to decrypt files.
Today’s attackers have become much more sophisticated, and they now target major multinational corporations. Because many victims do not contact law enforcement during an attack, it is difficult to quantify the overall financial impact precisely. But it’s getting big. Very big. In 2020, the average ransom was estimated at $300K, nearly triple the prior year’s figure.
The highest known ransom amount to date, $40M, was paid by the insurance company CNA Financial, negotiated down from an initial demand of $60M. With recent changes in the law, federal contractors in the US must now report to the government when they have been hacked. Still, a comprehensive view of the scope of the problem will remain hard to obtain because many companies negotiate ransom payments privately.
These days, attackers tend to ask for ransom payments in Bitcoin because of its prominence as a cryptocurrency. The FBI reportedly recovered close to 85% of the bitcoins in the recent Colonial Pipeline ransomware attack. But no credible cryptographer believes that the FBI broke the cryptography behind Bitcoin. Instead, the FBI obtained the private key of a bitcoin wallet, hosted in California, that belonged to a money-laundering service. Future ransomware attackers will undoubtedly evolve their methods in an attempt to evade law enforcement.
Banning Bitcoin is not a viable solution. Besides BTC, attackers can choose from hundreds of other cryptocurrencies. They could instead ask for payments in ETH, the native token on Ethereum, then use a mixer like Tornado Cash to launder it. Or, they could take payments in Monero, which was designed as an untraceable digital currency.
Criminal gangs have begun specializing and segmenting their operations. Especially in countries without extradition to the US, Ransomware-as-a-Service (RaaS) is now available as a platform for criminals to use. Cybercriminals who specialize in breaking into corporate systems can focus on gaining access to corporate domain controllers, turning off antimalware software, and establishing persistence for their attacks. These criminals then install pre-built ransomware kits and hand off the backend operational aspects of ransom collection to a service provider in exchange for a cut of the ransom. This has led many experts to speculate that DarkSide, the RaaS provider in the Colonial Pipeline case, kept its 15% RaaS fee, while the affiliate group responsible for the break-in and installation of the ransomware was caught only because it was less careful in handling its share of the ransom when trying to launder it.
Ransomware attackers have evolved to do more than merely encrypt files and demand payment for a decryption key. In a twist dubbed ‘extortionware’, attackers may also exfiltrate enterprise data to their own servers, then threaten to release the private information to the public or to the company’s competitors. Note that, unlike with traditional ransomware, maintaining backups of data does not protect an enterprise from extortionware, since the threat is disclosure rather than loss of access. Some attackers will also attempt to ransom or extort a victim’s customers, which tends to make those customers pressure the victim to pay.
Globally, the problem has become so widespread that on June 13, 2021, G7 leaders issued a communiqué specifically mentioning ransomware:
“We also commit to work together to urgently address the escalating shared threat from criminal ransomware networks. We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions. [...] In particular, we call on Russia to [...] identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.”
Professional cybersecurity response teams constantly encounter the same anti-patterns in companies victimized by ransomware:
- poor or reused passwords
- lack of multi-factor authentication (MFA)
- open services facing the internet
To protect against malware in general, using antimalware software and keeping software patched to the latest versions remains good advice. Cybersecurity insurance products are also growing to help companies curtail the financial risks of both malware and ransomware.
To protect specifically against ransomware and extortionware, moving to a passwordless solution and enforcing MFA can help prevent attackers from gaining initial unauthorized entry to enterprise systems. Acceptto’s products and services provide these specific protections, helping to keep your organization protected against ransomware and extortionware while driving cyberinsurance premiums down.
To see how Acceptto can protect your organization from ransomware and extortionware, reach out to firstname.lastname@example.org. We’re here to help.