Ransomware Evolves from “Spray and Pray” to Multi-billion Mega Industry
Over the last decade, ransomware attacks have evolved from so-called “spray and pray” to a sophisticated, multi-billion “mega industry,” capable of extracting millions of dollars in ransom payments from large corporations, Cybereason said in a new report.
In a newly released white paper, entitled Inside Complex RansomOps and the Ransomware Economy, the security provider called the ransomware landscape “open season on public and private sector organizations of all sizes.” It described the ransomware syndicates that use such tactics as similar in composition to the stealthy campaigns deployed by nation-state actors.
“A shift by the ransomware gangs from wide-spread to targeted attacks against organizations that have the ability to pay multi-million dollar ransom demands has fueled the rise in attacks in 2021,” said Lior Div, Cybereason chief executive and co-founder.
Expect the volume of attacks to increase this year, particularly as targeted at critical infrastructure operators, hospitals and banks, Div said.
In diving into ransomware operations (RansomOps), Cybereason determined there are four types of operatives:
- Initial access brokers (IABs). Infiltrate target networks, establish persistence and move laterally to compromise as much of the network as possible, then sell access to other threat actors.
- Ransomware-as-a-Service (RaaS) providers. Supply the actual ransomware code, the payment mechanisms, handle negotiations with the target and provide other customer service resources to both the attackers and the victims.
- Ransomware affiliates. Contract with the RaaS provider, select the targeted organizations and then carry out the actual ransomware attack.
- Cryptocurrency exchanges. Launder the extorted proceeds.
As for ransom demands, Cybereason advised organizations not to pay, similar to advice offered by the Federal Bureau of Investigation (FBI). “Instead of paying, organizations should focus on early detection and prevention strategies to end ransomware attacks at the earliest stages before critical systems and data are put in jeopardy,” the company said.
There are three main reasons not to meet ransom demands, according to Cybereason.
- No guarantees of retrieving data. Paying the ransom doesn’t mean that you will regain access to your encrypted data. The decryption utilities provided by those responsible for the attack sometimes simply don’t work properly.
- Legal problems: Organizations could end of paying steep fines from the U.S. government for paying ransomware actors that sponsor terrorism. In addition, supply chain ransomware attacks that impact an organization’s customers or partners would result in lawsuits from the impacted organizations.
- Encouraging ransomware attacks: Organizations that pay ransomware attackers send the message that the attacks work and it continues to fuel more attacks and higher ransom demands.