In 2019, ransomware attacks were already a prominent and persistent threat for organizations across several industries. Although the pandemic lockdowns in 2020 initially affected the volume of activities carried out by ransomware criminals, attributed mainly to restrictions in mobility and access to resources, these malicious actors quickly bounced back and even breached pre-pandemic levels in 2021.
In an exclusive dialogue with Newsbytes Philippines, Sophos senior security advisor John Shier said that there remains a significant amount of money to be made in the global cybercrime industry, with larger organizations providing the infrastructure and tools used by individuals (also referred to as “affiliates”) who carry out the actual breach, in exchange for a cut of the profit.
“The affiliates are generally self-funded. They are anybody from an individual to a loose collective of people that are doing the attacking. The way that they make money is through the ransom – whether the company paid for an encryption key, or the company paid to keep the leaked data,” said Shier.
On average, affiliates get to keep 70-90% of the profit from successful attacks, while the rest goes to the ransomware-as-a-service (RaaS) operators. Based on conventional profit-sharing models used between RaaS entities and third-party affiliates, the infrastructure providers take less on higher value ransoms.
In the past, the onboarding process of RaaS operators usually involved straightforward registration. Today, affiliates are required to be vetted by other community members and are also encouraged to work with other ransomware crews.
Based on a recent study commissioned by Sophos and conducted by market research specialist Vanson Bourne, the average ransom paid by organizations whose data were encrypted in a ransomware attack grew more than five times, to $812,360 in 2021.
The same research shows that 83% of mid-sized organizations rely on cyber insurance coverage in the event of a ransomware attack. In 98% of these incidents the insurer paid some or all of the costs incurred, but the payout was capped at only 40% of the overall ransom payment.
To get around the data recovery measures of their targeted organizations, cybercriminals have also resorted to outright theft of data, threatening to leak it if the ransom is not paid. Not all companies, however, recover 100% of their stolen or encrypted data, owing to factors such as poorly coded ransomware and corruption of data.
“The intent of the business model is to give you your data back. If I don’t trust the criminal to give me the key for decryption, why would I pay in the first place? It’s built on trust, ironically. We’re seeing that some of the criminals are actually preferring to just steal data because there’s still that extortion threat and they could make money, it also means it could be done a lot quieter so there’s not a need to get on as many systems and install additional tools,” he explained.
Shier also noted that this shift in cybercriminal behaviour, covertly exfiltrating an organization’s data and extorting the victim at a later time, reduces the likelihood of discovery. Recent reports show that some malware groups are even upgrading their data exfiltration malware with intentional data corruption functionality, a new tactic that affiliates could potentially switch to in the future.
Sophos recommends observing foundational security practices: limiting the number of services exposed to the internet and protecting those that remain with a firewall and VPN devices; patching promptly, to reduce the window in which initial access brokers can take advantage of public exploits; and, above all, enforcing multi-factor authentication at all times.
“Ransomware definitely has increased in complexity, but when I look at a lot of the attacks, they are very much following a very similar playbook. With complexity comes a little bit more noise and more opportunity for detection. When it comes to security, if it’s doing a really good job and it’s working effectively, it’s almost invisible. It’s preventing a lot of threats, then on the detection and response side people are proactive and dealing with the threats as they come along,” Shier remarked.
As far as the ransomware landscape goes, Shier notes that every time a large ransomware group dissolves, another group is primed to fill its shoes. He cited how the Russian ransomware group REvil was overtaken by the double extortion experts at Conti, who were in turn succeeded by LockBit in late 2021.
“Somebody else is always waiting in the wings ready to jump in. The key for us as a company building security products and monitoring the companies is to understand how these attacks are being carried out so that we can then put some additional mitigations and protection in place. With Lockbit, our team is on top of it, we are constantly analysing and adding protection and looking at the techniques and ways we can add additional value by blocking some of the tools that they use,” he revealed.
To let organizations focus on creating business opportunities and unlocking value in other areas, Sophos offers a fully managed service called Managed Detection and Response (MDR), which performs detection and response against cyberattacks on the customer’s behalf. Sophos recently completed upgrading its Sophos Managed Threat Response (MTR) customers to MDR, giving them the same flagship-level service with new capabilities at no extra cost.