Ransomware has been one of the hottest topics in cybersecurity during the last year. And now some researchers are labeling it the "perfect storm."
A storm made more severe by the pandemic, with so many employees working remotely, exacerbating the risk of ransomware. However, there are other contributing factors to the rise in ransomware the world witnessed in 2020.
The Royal United Services Institute for Defense and Security Studies (RUSI), a British defense and security think tank, has released a report titled Ransomware: A Perfect Storm which dives into specific reasons ransomware has become an issue so many organizations must face.
The report states there are five major contributing factors to the "perfect storm" of ransomware:
We will take a look at each of these contributing factors.
This is the first factor mentioned in the report and addresses how cybercrime groups might be more organized than you would think.
It also notes that there is evidence of ransomware operators actively recruiting new talent, which is a sign that the scale of the threat is still increasing.
Here is a quote from the report:
"Many ransomware variants are distributed on a 'ransomware-as-a-service' or affiliate model, where those conducting the attacks take a cut of the proceeds, and the top-level organisers typically provide the ransomware itself and handling of the extortion/payment process. This level of organisation and collaboration within the cybercriminal landscape comes with a number of benefits to the criminal side, and appears to be working well for organisations such as REvil. Although there is undoubtedly competition and rivalry between sets, having different organised criminal groups specialise in different services (for example, ransomware development or initial access) is an efficient model that allows them to increase the tempo and volume of their operations."
Ransomware groups are constantly learning and adapting to current circumstances. Every news headline involving ransomware and a payout from the victim encourages more cybercriminal groups to use this attack.
More groups are beginning to use the double extortion method, which has recently been encouraged by successful attacks against companies such as Travelex, CWT, and Garmin.
Ransomware operators are coming up with innovative ways to market their operations to both cybercriminals and their victims. There was one case in which a ransomware group used paid Facebook ads to increase pressure on its victims.
In some cases, paying the ransom is the only option for an organization. The data that has been stolen or encrypted is essential to operations and without it, even for a short time, the organization could fail.
That is an incredibly difficult situation to be put in, and one that is contributing to the problem.
"The more organisations that pay a ransom, the more acceptable the notion of paying a ransom to solve the problem becomes. Furthermore, when an organisation has a cyber insurance policy, it might be able to claim the ransom back, which may encourage payment. Besides, the cost of payment may be far lower than the potential damages to the business, especially if they cannot recover quickly."
The report also mentions there has been an increase in the use of ransomware recovery companies that act as a middleman between the victim and the attacker. In some cases, they simply drive down the ransom demand and take a cut for themselves.
There is a plethora of ways for ransomware operators to gain initial access to an organization's systems. Here is what the report says are some initial access vectors:
"The use of spear-phishing emails, exploitation of vulnerabilities in external-facing infrastructure and brute force attacks on services, such as Remote Desktop Protocol (RDP), can theoretically allow for a wide net to be cast in the search for potential victims. Compromise of managed service providers (MSPs) has also proved fruitful for a number of ransomware groups. Research has highlighted that both human (social engineering) and technical vulnerabilities are exploited in ransomware attacks, and that this creates difficulties in establishing effective countermeasures. Furthermore, 2019 and 2020 were prolific years for the exploitation of critical vulnerabilities in external-facing infrastructure, which is quickly followed by public proof-of-concept code on open source repositories like GitHub."
It also notes that in many cases, ransomware groups don't even need to go through the hassle of gaining personal access to victims, they simply purchase pre-compromised corporate networks through the Dark Web.
This is the last factor mentioned in the RUSI report, and perhaps the most impactful.
As mentioned before, the transition to remote work for many people has increased the potential access surface into target organizations. This is compounded by the potential for misconfigurations and vulnerabilities in new software and network equipment being rolled out across many organizations, as well as weaknesses in home IT.
This is what the report says regarding ransomware and the pandemic:
"Proving a statistical link between the coronavirus pandemic and the increased frequency of successful ransomware attacks would be difficult, but the increased attack surface and the use of coronavirus-themed phishing emails (which has been rampant across all areas of the threat landscape) are two factors which could potentially explain the increase in ransomware attacks during the pandemic. Further factors are likely to have played a part.
Furthermore, with many organisations in sectors typically favoured by ransomware operators (for example, healthcare, local government or education) vastly increasing their use of and reliance on remote IT services, victims may be more inclined to pay to restore services than under 'normal' conditions."
For more information on the "perfect storm" of ransomware, you can read the report in its entirety.