If you think ransomware is bad, it is about to get much, much worse. What will ransomware gangs do? Just everything.
I have been writing about computer security for over 27 years. And each year, as the year comes to an end, I am often asked questions about what I think the future computer security and cybercrime trends will be. They boil down to will the attacks get worse next year or will the computer security industry finally start to make a dent in cybercrime and actually decrease overall malicious hacker and malware activity?
And year after year, looking at all the evidence from prior years, I have always had to conclude that it is going to get worse…and that the cybersecurity industry is not yet capable of implementing a robust defense to even slow the continued increase in cybercrime, much less actually lessen it. Year after year, cybercrime just gets worse. Many times, however, what is going on today seems so bleak and huge that I cannot see how it could possibly get worse the next year. But so far, it always does.
The ransomware problem is a great example. A few years ago, ransomware was already extorting billions of dollars a year, exploiting any company it wanted to, taking down hospitals, taking down consortiums, holding entire cities for ransom. I was asked if it could get worse. I said, “Yes.” To be honest, I could not believe what I was saying, but based on my experience and seeing no signs that the good side was doing a significantly better job at preventing cybercrime, it was the only thing I could conclude – that ransomware was going to somehow get worse. And it did. Far worse than I could have predicted.
Ransomware 2.0 Quintuple Extortion
Starting in late 2019, ransomware started routinely exfiltrating data, in what is now commonly known as “double extortion”. I wrote about it on January 7, 2020 on the blog. I shared that beyond traditional encryption, ransomware programs and gangs were also doing the following:
- Stealing Intellectual Property/Data
- Stealing Every Credential It Can – Business, Employee, Personal, Customer
- Threatening Victim’s Employees and Customers
- Using Stolen Data to Spear Phish Partners and Customers
- Publicly Shaming Victims
The most important thing about these five new ransomware activities, beyond the issue that there are now six things to worry about instead of one, is none of the new ones can be mitigated by a good backup. Before Ransomware 2.0, a good, secure backup could possibly save you. Once the ransomware gangs routinely started doing all of the new actions, a good backup was just one piece of the possible solution.
When I originally wrote about Ransomware 2.0, less than 10% of ransomware was doing what I called more accurately, quintuple extortion. At first, in late 2019, it was just one ransomware gang. Then, as the other ransomware gangs saw how successful that gang was, one after another, gangs joined in. By the end of 2019, it was two or three ransomware gangs. And then each month after, more gangs joined in. By the time 2020 ended, over 60% of all ransomware gangs were routinely doing quintuple extortion. Last quarter, Coveware said 81% of ransomware threats now involve threats to leak exfiltrated data.
We suspect that it is over 90% of all ransomware incidents now, and why not? The ransomware gangs doing quintuple extortion are making bank! The U.S. Department of Treasury says the top 10 ransomware gangs (there are well over 100 ransomware gangs), raked in at least $5.2 billion dollars in extortion payments. That is just what the U.S. government can track and prove. The real figures are likely orders of magnitude far higher. Total costs, including damage and recovery, are estimated to be as high as $265B by 2031. Critical infrastructures, including national gas pipelines and food consortiums, have been successfully attacked. Over half of all businesses have been exploited by ransomware already and a higher percentage is expected to be hit this year and next. The percentage of victims paying the ransom (above 60%) and the average ransomware extortion payment ($280K) continues to increase. Cyber insurance premiums have increased significantly at the same time that the total dollar amount of the average coverage has decreased. The leaders of many nations, including President Biden, are getting directly involved to try to mitigate the threat of ransomware and, so far, all their efforts seem to be having limited impact.
So, how can it possibly get worse?
Ransomware 3.0 Everything
The trend is fairly clear. Ransomware gangs are beginning to evolve into multi-faceted, do anything attack gangs. Not limited by encryption-only or even quintuple extortion, they are branching out into all sorts of other related or unrelated activities, including:
- Selling exfiltrated data
- Selling exfiltrated stolen credentials
- Selling initial access
- Stealing money from bank and stock accounts
- Personal extortion against individuals
- Hacking for hire
- Selling lead lists from stolen customer data
- Business email compromise scams
- Installing adware
- Launching DDoS attacks
- Crypto mining
- Creating rentable botnets
- Sending spam emails
- Resource renting
- Acting as proxy sites for other attacks
- Anything else they can think of to generate revenue
The Hacker Gold Is Access
At the beginning of the quintuple extortion phase, the “Ransomware 2.0” period, ransomware gangs realized that the ultimate value they had was not the ability to encrypt or even exfiltrate a compromised victim’s data. The real Holy Grail was the unbridled access they had to the victim’s digital resources. They literally could do anything. In hacker speak, it is called “pwning” the victim. When you have all the victim’s login credentials, you can do anything you want with them. The sky is the limit! And that is what most ransomware gangs get. They break in, get all the passwords, including all the admin account passwords, and are then able to access anything the legitimate admins can access – which is nearly everything, if not everything digital.
More Types of Attacks
If you have been following ransomware, you have probably noticed a trend over the last year or so. Ransomware gangs have been branching out. Where they once did mostly traditional ransomware quintuple extortion, lately they have been venturing out into other avenues of work. Brian Krebs had a recent story on the Conti ransomware gang selling initial access into compromised victims. That is sort of the opposite of what used to happen until very recently. It used to be the ransomware gangs were the ones buying initial access to new victims to start the ransomware process and now, they are becoming originating sellers of the same.
We have known that some ransomware gangs were installing crypto mining bots on victim computers before they started the encryption racket scheme. The Rakhni trojan horse stager has long been delivering both ransomware and crypto mining bots to victims, often for the same gangs. It has always made sense for a criminal to “borrow” a victim’s resources for crypto mining, if they can get away with it, while also pre-staging the encryption bots ahead of the ultimate encryption extortion plot. They get the money earned by crypto mining first and then from the encryption event. They just have to keep the crypto mining activity below a level where they might accidentally reveal themselves too early and spoil the potentially larger eventual ransomware payout. Ransomware gangs routinely monitor the emails and messaging of IT and IT security staff to see if their malicious activities are starting to be noticed.
Some ransomware gangs, like Avaddon and Sun.Crypt, are known for conducting DDoS attacks simultaneously, while also encrypting victims to cause more pain to make the victim more likely to pay quicker. This technique is especially “helpful” to the ransomware attacker when the victim’s main money-making website is not hosted at the compromised location (which is often the case). By both shutting down the company’s own internal network operationally (using encryption) and shutting down the victim’s revenue stream from their offsite assets (using DDoS), the victim is in no position to bargain for long.
What changed recently is that some ransomware gangs are starting to do DDoS as their first and only malicious act against the victim. Here is an example of the very popular REvil ransomware gang extorting a popular VoIP provider into paying a $4.2M ransom to stop the DDoS attack that was taking down the victim’s services. To be clear, DDoS attackers have been around for decades. They were the big extortion kings for years before the ransomware crews picked up and ran with the mantle. But what is different here is that the ransomware gangs are not even attempting to encrypt the victim’s files. They just start and end with the DDoS attack. The ransomware gang already has the payment system set up and it can be used for any sort of cybercriminal attack type they want.
So, we are clearly seeing ransomware gangs doing more types of damage and even “chained” objectives, where they start with one sort of attack and then move onto another.
Cybersecurity vendors have been picking up on this tiny, but growing trend of ransomware gangs that do more than one “payload” objective once they gain initial access. Here is an example from Microsoft’s March 2020 report on Human-Operated Ransomware Attacks. Microsoft states at the beginning of the report, “They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network."
In the same report, they list various ransomware gangs and their known activities. Here, they discuss one particular ransomware family: "PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure..."
Clearly, ransomware groups are adapting. If you are a cybercriminal with penultimate control of a victim’s resources, why not try everything?
If you take this new trend to its eventual conclusion, what you will have is more ransomware gangs becoming “everything gangs” with multiple, progressive, chained objectives. They will do whatever it takes to ask for the ransom and make money. The low-level, less sophisticated gangs will stick to a few methods of attacks and a few objectives, but the cleverer gangs, already run more like a corporate business, are likely to start to do a more complex analysis. They will look at each customer like a potential pool of money that they want to maximize the value of. They will break into the customer, look around, examine assets and resources, and then determine what attacks to perform and in what order to perform them to maximize profit.
Maybe they start off with a business email compromise scam, then do password exfiltration, then crypto mining, then data exfiltration, then identity theft, spear phish the victim’s trusted partners, then and only then, perform the final state ransomware encryption. They will learn from their mistakes. They will figure out what order different attacks and objectives should be in, and how to best hide for long periods of time. They might avoid crypto mining if that sets off the victim’s alarms too early and leads to a premature lockdown. Nope, they will figure out the best cost/benefit ratio for each possible objective, and slow move up the chain until the eventual, final, encryption. Some gangs will find more success at different combinations of payload chains, as they already do today using single objectives, and focus on what works for them.
The most sophisticated crimeware gangs will likely create and use crude algorithms to determine the best chance of success and maximum payout depending on the type of victim (e.g., size, industry, applications, platforms, etc.) and what resources the victim has. The highest paid person in the ransomware gang after the CEO might be its “algo”.
We do not know for sure if any of the future state of Ransomware 3.0 will happen, in exactly the thoughtful framework of “chained objectives extracting maximum value from each victim”. There’ still a chance that ransomware gangs will simply stick to the one thing that works best for them and ignore the other potential avenues of value extraction. Each new threat objective is a risk for the attacker that they will be discovered early and the final, larger, payout prematurely disrupted.
There is even still a chance that cybersecurity defenses will finally be able to remediate the continued advance of ransomware. But in light of better defenses, it seems likely that ransomware gangs will continue to mature their business models to maximize value extraction. We are already seeing some tiny, but growing, trending, just like we did when ransomware went from just encryption to quintuple extortion. Same, initial, slow, but growing, march to something far worse. We are seeing it again.
Many of the gangs already operate like pseudo-corporations. They should. They bring in hundreds of millions to billions of dollars. They have CEOs, admin staff, recruitment, payroll, marketing, development teams, and marketing and PR staff. The C-Level leaders of ransomware groups want to maximize their revenues, like any leaders of any organization, especially with increasing competition and threats.
Ransomware 4.0 – Automation
What is the next step? The bad actors automated it all. Right now, most ransomware gains initial access and then installs itself as a backdoor, and then notifies the gang’s command-and-control (C&C) servers, so that the ransomware gang or their affiliates, can learn of the new compromised victim. The initial malicious program may collect some passwords and details of the environment, download, and install other malware, and then wait for further instructions. The hackers often then come in and use existing, legitimate programs and customized scripts to research the environment and decide what to do next. Then the hackers initial the new actions, whether it be data exfiltration or kicking off the encryption routines. This is what they do today. It is mostly human-operated and directed after the initial access and spreading.
As any good developer knows, if you need to do the same thing more than a few times, it is better to automate. It is time consuming to use human operators to do research, installation, and exfiltration. Expect the newer waves of ransomware to be better at automating the reconnaissance and chained objectives, with less humans involved in every decision. Ultimately, the future of both cybersecurity and hacking will be the good threat hunting bots versus bad “everything” bots, with the best side adapting on the fly and winning in the end. Humans will still be involved, on both sides, but only in the tasks where automation doesn’t excel.
If the future of ransomware seems disheartening, there is something very good you can take comfort in. It is that prevention of all ransomware, no matter how automated and sophisticated, is the exactly the same. The mitigations you should already be performing today are what you should be doing, hopefully, even better, in the future. The same defenses will work. You just need to focus on putting the right defenses in the right places against the right things in the right amounts.
Also, recognize that your problem has never been ransomware, but how ransomware gets in, in the first place. The same methods that malicious hackers and malware have been using since the beginning of computers are still being used today. The top two methods of how attackers break in are social engineering and unpatched software. Do not mitigate those threats well and you are usually going to fall to malicious hackers or malware eventually. Do a great job at preventing social engineering, patching and have MFA and a good password policy, then you are probably going to be far more resilient against all hackers and malware, ransomware included, than the organization that does not do those things well.
Right now, chained objectives to maximize the extraction of value from the victim by ransomware groups are a small minority of attacks, but they are starting to grow. Expect most ransomware within the next few years to do more things every time they break in. It will make us wish for the days when ransomware programs just locked up our data. But the solution is to do what you should already be doing today (i.e., fight social engineering, good patching, use MFA, have a good password policy, etc.). Get better at your existing defenses and the future of ransomware will not be so scary. And one day, for sure, we will see the year when cybersecurity defenses finally start to truly defeat malicious hackers and malware.