Ransomware is malware that encrypts and/or exfiltrates files on a device, rendering them unusable or threatening to publish them unless a ransom is paid. In recent years the ransomware phenomenon has gained impressive traction and has emerged as one of the most serious dangers to modern enterprises.
The practice of demanding a ransom for releasing a prisoner goes back a very long time and has been used throughout history as a successful tactic for extortion. Nowadays, extortion over ransom has been taken to a whole new level by scaling through technology, with malware that can take data "prisoner" (encrypt it) and release it (decrypt it) once a ransom is paid. In recent years, building ransomware has become accessible to many criminal groups, due to factors such as the easy availability of strong encryption algorithms and the development of alternative payment methods (cryptocurrencies such as Bitcoin) that bypass the standard banking system. That has basically provided "superpowers" to malicious actors, raising the ransomware "business" to another level.
A brief history of ransomware
The first known ransomware attack occurred in 1989, with the AIDS Trojan. 20,000 infected floppy disks were mailed to attendees of the World Health Organization AIDS conference in Stockholm. Once the computer had booted 90 times, the trojan hid all directories and encrypted file names. The ransom demanded was $189, to be sent to a Post Office Box in Panama. At that time, such attacks were expensive and risky for the attackers, as collecting the ransom was slow and exposed them.
In 2006 we see the first use of RSA encryption (the Archiveus Trojan) and the use of spear-phishing in the form of email attachments that looked like job applications (Gpcode). The introduction of Bitcoin in 2009 enabled easy, hard-to-trace monetization. This is the turning point and catalyst for ransomware: malicious actors noticed the potential and started exploiting it in more innovative and complex ways. History continues with the 2016 (Petya) and 2017 (WannaCry, NotPetya) attacks, which caused tremendous damage across the globe by impacting a large number of companies. The concept of "Big Game Hunting" starts to become popular, characterized by targeting large organizations, but also by the "industrializing" of ransomware services (leak extortion, Ransomware-as-a-Service, etc.). 2019 brings another major turn with the appearance of REvil, characterized by advanced evasion capabilities and the large number of measures it takes to avoid detection.
Ransomware economics – behind the scenes
According to Cybersecurity Ventures, the global damage caused by ransomware is estimated at approximately $21 billion. It is expected to double by 2024 (to $42 billion) and to reach $265 billion in 2031. Almost anyone would be concerned about such an exponential increase. Another relevant fact is that more and more companies are forced to, or decide to, pay the ransom. According to ENISA's Threat Landscape Report, more than 60% of the companies analyzed may have paid the ransom. Other reports show different, slightly lower, but still concerning percentages (44% of companies pay the ransom, according to the Sophos State of Ransomware 2022 report). The large number of businesses that choose to pay points to two conclusions:
- Such events are highly disruptive, impacting operations to a level that becomes critical for the organization,
- A proper cyber security defense was not in place at the time of the attack to assure the organization's protection and resilience.
Recent years have brought examples of incidents that clearly demonstrate the gravity of the threat. Maersk was hit by ransomware in 2017 and the damage was estimated at approximately $300 million. Norsk Hydro suffered losses of nearly $75 million after the 2019 ransomware attack. Colonial Pipeline chose to pay the $4.4 million ransom in cryptocurrency when it was hit in 2021.
By far the cheapest option is to have a strong cyber security program with security measures already implemented. Thinking otherwise is simply reckless.
When it comes to the methods used by attackers, ransomware does not differ from other types of threats.
Access to the corporate network is gained through vectors such as phishing, brute forcing user accounts (exposed remote access services in particular) or exploiting vulnerabilities. Once an account is compromised or a vulnerable system gives the attacker a foothold, the next steps are lateral movement and escalation of privileges. An attacker always wants to reach the critical systems, and ideally the backups as well, so that the damage is as serious as possible and the ransom requested can be of a higher value.
It is important to mention that you do not need to be targeted in order to be a victim of a ransomware attack. The majority of organizations affected by ransomware are hit by opportunistic attacks: malicious actors continuously scan for easy targets that readily click on phishing links, use weak passwords or simply run vulnerable, exposed systems. Even for the important cases that reach global headlines, we often do not know whether the victim was targeted or just in the wrong place at the wrong time.
Just as an example, documented through available public sources, what most likely happened in the case of Norsk Hydro's LockerGoga incident in 2019 is the following:
- Attackers identified a misconfigured/vulnerable Active Directory server and took control of it.
- The LockerGoga ransomware was dropped and executed on the endpoints remotely, using the PsExec tool.
- Initial analysis showed that LockerGoga, unlike WannaCry or Petya/NotPetya, does not appear to have the capacity to propagate on its own and was most likely pushed out via Active Directory to spread the ransomware (credits: tweet from NorCERT). Once installed, LockerGoga changed the passwords of the infected system's user accounts and tried to log off users.
- The LockerGoga binary was executed on many systems simultaneously, locking the company out of its systems.
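The deployment pattern above (remote execution on many hosts within seconds, followed by mass password resets) is something a SOC can look for. The following script is an added example, not code from the original article or from any of the organizations mentioned: it runs two simple burst rules and a correlation step over a handful of constructed, simplified Windows event lines. The event IDs are real (7045 = a service was installed, which is what PsExec's helper service PSEXESVC triggers; 4724 = an attempt was made to reset an account's password); the host names, the line format and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (assumption: a SIEM export that flattens Windows
# events to "timestamp host=... id=... detail=..."). The first ten lines
# model a LockerGoga-style push; the last two are benign noise from the
# previous day (one admin PsExec session, one helpdesk password reset).
SAMPLE_LINES = """\
2019-03-19T00:00:05 host=ws01 id=7045 detail=PSEXESVC
2019-03-19T00:00:06 host=ws02 id=7045 detail=PSEXESVC
2019-03-19T00:00:06 host=srv03 id=7045 detail=PSEXESVC
2019-03-19T00:00:07 host=ws04 id=7045 detail=PSEXESVC
2019-03-19T00:00:08 host=ws05 id=7045 detail=PSEXESVC
2019-03-19T00:00:40 host=ws01 id=4724 detail=Administrator
2019-03-19T00:00:41 host=ws02 id=4724 detail=Administrator
2019-03-19T00:00:41 host=srv03 id=4724 detail=Administrator
2019-03-19T00:00:42 host=ws04 id=4724 detail=Administrator
2019-03-19T00:00:43 host=ws05 id=4724 detail=Administrator
2019-03-18T14:12:00 host=ws09 id=7045 detail=PSEXESVC
2019-03-18T09:30:00 host=ws11 id=4724 detail=jdoe
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *kvs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for kv in kvs:
        key, value = kv.split("=", 1)
        rec[key] = value
    rec["id"] = int(rec["id"])
    return rec


def parse_lines(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def burst_hosts(events, window=timedelta(minutes=5), min_hosts=3):
    """Find the window of the given length in which the events touch the
    most distinct hosts. Returns (start, end, hosts) when at least
    min_hosts are reached, otherwise None."""
    events = sorted(events, key=lambda e: e["ts"])
    best = None
    for i, first in enumerate(events):
        hosts = set()
        for e in events[i:]:
            if e["ts"] - first["ts"] > window:
                break
            hosts.add(e["host"])
        if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best[2])):
            best = (first["ts"], first["ts"] + window, hosts)
    return best


# Rule predicates. 7045 with the default PsExec service name catches an
# unrenamed PsExec push; 4724 catches the account password resets.
RULES = {
    "mass_psexec_service_install": lambda e: e["id"] == 7045
    and e.get("detail", "").upper() == "PSEXESVC",
    "mass_password_reset": lambda e: e["id"] == 4724,
}


def detect(records, window=timedelta(minutes=5), min_hosts=3):
    """Run every rule, then correlate: a PsExec burst followed within an
    hour by a password-reset burst on overlapping hosts is the chain
    described in the article."""
    alerts, bursts = {}, {}
    for name, match in RULES.items():
        hit = burst_hosts([r for r in records if match(r)], window, min_hosts)
        if hit:
            bursts[name] = hit
            alerts[name] = sorted(hit[2])
    push = bursts.get("mass_psexec_service_install")
    reset = bursts.get("mass_password_reset")
    if push and reset and timedelta(0) <= reset[0] - push[0] <= timedelta(hours=1):
        alerts["mass_deploy_then_lockout_chain"] = sorted(push[2] & reset[2])
    return alerts


if __name__ == "__main__":
    for rule, hosts in detect(parse_lines(SAMPLE_LINES)).items():
        print(f"{rule}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

Two caveats a practitioner would add: PsExec lets the operator rename the helper service (its `-r` option), so a production rule should key on service installs with a binary path under `ADMIN$` rather than on the literal name, and event 4724 only appears if the "Audit User Account Management" subcategory is enabled on the endpoints. The benign lines in the sample stay below the threshold precisely because they are isolated in time; the signal here is breadth across hosts within seconds, not any single event.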
Fortunately, there is hope, and not all is doomed! 😊
Your company can be prepared for such an event, but chances are that you’ll need professional assistance.
First, there is no single cure, no silver bullet for ransomware. There is no single point of failure that you need to protect, no single technology or control that you can implement, and this is certainly not a one-time job but a process. There is also a cost to it, nevertheless incomparable to the damage that such an event might bring to your business. I like to believe that we have long passed the phase where cyber security was seen as just a cost center; it is not. Cutting costs and hoping you will not be attacked is no longer a valid strategy.
The key is to take care of your cyber security with resilience in mind: implement a serious cyber security program that brings together the proper technologies, the right processes and qualified people, so that you protect as much as possible and can recover quickly in case of such an attack. Resilience is the key.
But more on how to do that in the second part of this article, that will be available soon!