Tackling the Ransomware Threat

Ransomware is a form of malware designed to encrypt and/or exfiltrate files on a device, rendering them unusable or threatening to publish them. In recent years, the ransomware phenomenon gained impressive traction and has emerged as one of the most serious dangers to modern enterprises. 

The practice of demanding a ransom for releasing a prisoner goes back a very long time and has been used throughout history as a successful tactic for extorsion. Nowadays, extorsion over ransom has been taken to a whole new level by scaling through technology, with malware that can actually take data as “prisoners” (encrypt) and release it (decrypt) once a ransom is paid. In recent years, building ransomware has become accessible to many criminal groups, due to factors such as: accessibility of strong encryption algorithms and the development of alternative payment methods (bitcoin) that can bypass the standard banking system. That has basically provided “superpowers” to malicious actors, raising the ransomware “business” to another level. 

A brief history of ransomware  

The first known ransomware attack occurred in 1989, with the AIDS Trojan. 20,000 infected floppy disks were delivered at the World Health Organization AIDS conference in Stockholm. Once the computer booted up 90 times, the virus hid all directories and encrypted filenames. The ransom demanded was $189 to a Panama Post Office Box. At that time, such attacks were expensive and risky for the attackers, as ransom could not be obtained so easily.  

In 2006, we see the first use of RSA encryption (Archiveus Trojan) and the use of spear-phishing in the form of email attachments that looked like job applications (Gpcode).  The introduction of bitcoin in 2010 enables easy monetization. This is the turning point/catalyst for ransomware, where malicious actors noticed the potential and started exploiting it in more innovative and complex ways. History continues with 2016 (Petya) and 2017 (WannaCry) cyber-attacks, that caused tremendous damage across the globe, by impacting a large number of companies. The concept of “Big Game Hunting” starts to become popular, characterized by targeting large organizations but also “industrializing” ransomware services (leakstortion, RaaS etc.). 2019 brings another major turn, with the appearance of Revil, characterized by advanced evasion capacity and the large number of measures it takes to avoid detection. 

Ransomware economics – behind the scenes  

According to CyberSecurity Ventures, the global damage cost caused by ransomware is estimated to be approximately $21 billion. It is expected to double by 2024 (to $42 billion) and reach $265 billion in 2031.  Almost anyone would be concerned about such an exponential increase. Another relevant fact related to ransomware is that more and more companies are forced/or decide to pay the ransom. According to Enisa’s Threat Landscape Report more than 60% of the companies analyzed may have paid for the ransomware. Other reports show different percentages, slightly lower, but still concerning (44% of companies pay the ransom, according to Sophos State Of Ransomware 2022). The large number of businesses that choose to pay the ransom reveals two crucial findings: 

• Such events are highly disruptive, impacting operations to a level that becomes critical for the organization, 
• A proper Cyber Security defense system was not available at the time of the attack, to assure their protection and resilience. 

Recent years have brought us examples of some incidents that clearly demonstrate the gravity of the threat. Maersk was hit by ransomware in 2017 and the damage was estimated to be approximately $300 million. Norsk Hydro suffered losses of nearly $75 Million, after the 2019 ransomware attack. Colonial Pipeline Company chose to pay the $4.4m ransom in cryptocurrency when they were hit in 2021. 

By far, the cheapest option is to have a strong cyber security program and have implemented security measures. Thinking otherwise is just reckless. 

Modus Operandi 

When it comes to the methods used by attackers, ransomware does not differ from other types of threats.  

Gaining access to the corporate network is done through vectors such as phishing, brute forcing user accounts or exploiting vulnerabilities. Once an account is compromised or a system is identified as vulnerable and the attacker gains access, the next step would be a lateral movement and an escalation of privileges. An attacker will always want to provoke serious damage to critical systems, so that the ransom requested can be of a higher value. 

It is important to mention that you do not need to be targeted in order to be a victim of a ransomware attack. The majority of organizations affected by ransomware are affected by opportunistic attacks, meaning that malicious actors are continuously scanning for easy targets, that either easily click on phishing links, use easy-to-crack passwords or just use vulnerable systems. Actually, even for the important cases that reach global headlines, we do not know if they were targeted or just in the wrong place at the wrong time.