There's been a huge increase in the number of ransom ware attacks over the course of 2020, with a seven-fold rise in campaigns compared with just last year alone, according to newly released data from cyber security researchers.
Ransom ware attacks have been on the rise and getting more dangerous in recent years, with cyber criminals aiming to encrypt as much of a corporate network as possible in order to extort a bit coin ransom in return for restoring it. A single attack can result in cyber criminals making hundreds of thousands or even millions of dollars.
Not only has the number of ransom ware attacks increased, but ransom ware has continued evolving, with some of the most popular forms of ransom ware last year having disappeared while new forms of ransom ware have emerged. In some cases, these are even more disruptive and damaging.
For example, one of the most prolific ransom ware threats during 2019 was GandCrab – until its operators shut up shop during the middle of the year, claiming to have made a fortune from campaigns.
Since then, new families of ransom ware have emerged, including Sodinokibi – also known as REvil – which while not a massively prolific campaign, is a highly targeted operation that has made large amounts of money from disruptive, often high-profile ransom ware attacks.
In many cases, hackers are following through with threats to leak data they've stolen in the run-up to deploying the ransom ware attack if the victim doesn't pay – something that might strike fear into future victims and encourage them to give into the extortion demands more quickly.
If they do that just once, they set an example for everyone else who becomes infected, because those who don't pay end up with data leaked and a GDPR fine. Everybody else who gets infected afterwards is going to see the attackers are serious. While ransom ware from specialist cyber-criminal gangs such as Sodinokibi and DoppelPaymer grab the headlines, ransom ware-as-a-service has continued to be an issue for organizations around the world, with ransom ware families like Zepto and Cryptolocker causing problems.
Ensuring that security patches are applied as soon as possible helps prevent hackers from exploiting known vulnerabilities to gain a foothold inside the network in the first place, while organizations should also apply multi-factor authentication across the ecosystem because that can prevent hackers moving across the network by gaining additional controls.
Organizations should also regularly backup their systems, as well as testing those backups on a regular basis as part of a recovery plan, so if the worst happens and ransom ware does infiltrate the network, there's a known method of restoring it without the need to pay cyber criminals.
Ransom ware is rapidly shaping up to be the defining online security issue of our era. It's a brutally simple idea, executed with increasing sophistication by criminal groups. A huge chunk of our lives is now stored digitally, whether that's photos, videos, business plans or customer databases. But too many of us, both businesses and consumers, have been lazy about securing these vital assets, creating an opportunity which criminals have exploited.
Their brilliant twist was to realize they don't have to steal that data to make money: they just have to make it impossible for us to access it again -- by encrypting it -- unless we pay up.
Ransom ware was once a menace mainly for consumers, but now it's a significant threat to business. Just last week, there were warnings about a new wave of ransom ware attacks against at least 31 large organizations with the aim of demanding millions of dollars in ransom. The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for their attacks. The vast majority of targets were household names, including eight Fortune 500 companies, tech Security Company Symantec said: if the attack (by a group calling itself Evil Corp) hadn't been disrupted, it could have led to millions in damages and downtime, with the impact felt through the supply chain.
Some of the hyperbole around ransom ware is overblown. It's probably over the top to describe these WastedLocker attacks as part of Evil Corp's retaliation against the US government after its leaders were indicted by the Justice Department in December -- which is how The New York Times interpreted them. (Indeed, others have argued that the gang is actually trying to attract less attention right now, which is why, so far, it has not threatened to publish information stolen from its victims.) But it's also true that these groups are smart, sophisticated and, because around half of companies pay the ransoms, very well funded. For example the groups behind it have access to highly skilled exploit and software developers' capable of bypassing network defenses on all different levels, according to researchers.
How skilled? When a version of their malware is spotted by the defenses on victim networks, the group is often backing with an undetectable version after just a short time.
In one case the group went so far as to pose as a potential customer to request a trial license for a security product that was not commonly available, says FOX-IT, part of NCC Group.
The targets of the ransom ware gangs have evolved, too. It's not just about PCs anymore; these gangs want to go after the really irreplaceable business assets too, which means file servers, database services, virtual machines and cloud environments. They'll also search out and encrypt any backups that organizations foolishly leave connected to the network. All of this makes it much harder for victims to recover -- unless of course they want to pay that ransom. And the attackers seem willing to take a longer view too; some of these attacks can take weeks or longer to go from the initial minor breach of network security through to complete control of the victim's corporate network.
Police forces, lacking officers trained in high-tech crime, are loath to investigate knowing that the perpetrators will be far from their jurisdiction and impossible to catch. Many businesses would rather pay up, return to business as usual and forget about the cost and the stress of the whole thing.
It's quite possible that ransom ware will form the core of a new type of a digital attack, used by nation states and others who simply want to destroy networks. Wiper malware is ransom ware whose encryption can't be reversed, so the data is lost forever. There have been a few of these incidents, but the fear is they could become more mainstream.
Another concern is that, as they become more confident and better funded, these criminal groups will raise their sights even higher. One new worrying trend is that gangs will steal the data as well as encrypting the network. They then threaten to leak the data as a means of pressuring the victim into paying up.
These cyber criminals often spend weeks poking around in a network before they make their attack, which means they have time to understand key digital assets, like the CEO's emails for example, allowing them to put even more pressure on their victims.
There's no obvious end to the ransom ware nightmare in sight. Indeed, the likelihood is it will get even worse.