Ransomware has evolved in complexity over the last few years as the technology and encryption methods continue to improve and evolve in sophistication. Ransomware is now one of the main cybersecurity attacks that can completely disrupt an organization’s ability to conduct day-to-day business.
What started with simple encryption algorithms and progressed to the point of being impossible to decrypt, ransomware is now almost impossible to remediate and recover without having proper backup and offline vault solutions in place.
Ransomware has evolved in complexity over the last few years as the technology and encryption methods continue to improve and evolve in sophistication. Ransomware is now one of the main cybersecurity attacks that can completely disrupt an organization’s ability to conduct day-to-day business.
What started with simple encryption algorithms and progressed to the point of being impossible to decrypt, ransomware is now almost impossible to remediate and recover without having proper backup and offline vault solutions in place.
The Old and the New
In general, ransomware attacks were focused on end-user machines as single targets in the attack and have now progressed towards company-wide infiltration and encryption of as many targets as possible. What started as compromise of individual systems or endpoint to now being used as an exploit method as the last step of the cyber-attack kill chain once attackers have internal privileged access.
To date, ransomware has increased in the volume of attacks and ransom payments have skyrocketed to new levels, and for many reasons. Traditionally, ransomware payments were requested via offline channels, but since the rise of digital assets and virtual currencies, ransomware payments have since then exclusively been made via Bitcoin or other forms of cryptocurrencies.
The Old and the New
In general, ransomware attacks were focused on end-user machines as single targets in the attack and have now progressed towards company-wide infiltration and encryption of as many targets as possible. What started as compromise of individual systems or endpoint to now being used as an exploit method as the last step of the cyber-attack kill chain once attackers have internal privileged access.
To date, ransomware has increased in the volume of attacks and ransom payments have skyrocketed to new levels, and for many reasons. Traditionally, ransomware payments were requested via offline channels, but since the rise of digital assets and virtual currencies, ransomware payments have since then exclusively been made via Bitcoin or other forms of cryptocurrencies.
In Y2020 and Y2021 alone, almost $1.3B were paid in ransom by organization. This statistic does not consider any payment made that were not disclosed.
Looking back in time, it is somewhat fascinating how ransomware attacks came to life and continue to plague companies worldwide. What was once almost a nonexistent event is now a major topic in the cybersecurity industry with no signs of becoming a less important topic.
The most notable difference in past and present ransomware attacks is the emphasis on encrypting as many machines as possible. Hackers have developed high-end skills to infiltrate a company’s network, perform lateral movement and perform privilege escalations. Only when the hacker had sufficient network access and presence would a ransomware attack be launched. In the past, hackers focused on single individuals and targeted web users without any analysis of the target.
Another new development in ransomware attacks is that hackers are starting to target specific individuals within a company to lay a foundation for a ransomware attack. Instead of sending general phishing emails to many users, hackers send spear-phishing emails, targeting a specific set of individuals with customized malicious emails. Additionally, various other measures are taken by the attackers such as threatening with destroying decryption keys if any domains or command and control IPs are blacklisted. Subsequently, any remediation efforts taken by the victim company can trigger the attackers to destroy the decryption keys.
In Y2020 and Y2021 alone, almost $1.3B were paid in ransom by organization. This statistic does not consider any payment made that were not disclosed.
Looking back in time, it is somewhat fascinating how ransomware attacks came to life and continue to plague companies worldwide. What was once almost a nonexistent event is now a major topic in the cybersecurity industry with no signs of becoming a less important topic.
The most notable difference in past and present ransomware attacks is the emphasis on encrypting as many machines as possible. Hackers have developed high-end skills to infiltrate a company’s network, perform lateral movement and perform privilege escalations. Only when the hacker had sufficient network access and presence would a ransomware attack be launched. In the past, hackers focused on single individuals and targeted web users without any analysis of the target.
Another new development in ransomware attacks is that hackers are starting to target specific individuals within a company to lay a foundation for a ransomware attack. Instead of sending general phishing emails to many users, hackers send spear-phishing emails, targeting a specific set of individuals with customized malicious emails. Additionally, various other measures are taken by the attackers such as threatening with destroying decryption keys if any domains or command and control IPs are blacklisted. Subsequently, any remediation efforts taken by the victim company can trigger the attackers to destroy the decryption keys.
CryptoLocker - a Game Change
In 2013, new ransomware came to the scene and used RSA encryption with public and private keys on its CnC server. The CryptoLocker ransomware strain was distributed in spam emails via a botnet network. Ransomware ransom request skyrocketed and new ransomware strains began employing CnC infrastructure on the ToR network, effectively hiding their online presence. This combination of anonymity and widespread use of bitcoin as a payment system boosted the proliferation of ransomware and its complexity.
Ransomware as a Service - RaaS
Following a trend of major cloud providers, ransomware actors launched and named their new service “ransomware-as-a-service” in 2015 with creators taking 20 % of every bitcoin ransomware payment made via the platform. The launch of RaaS has effectively created a very successful business model and is arguably responsible for the majority of the increase in ransomware attacks. Several payment methods exist from one-time fees and not profit sharing, strict profit-sharing, and percentage of profits going to RaaS developers.
CryptoLocker - a Game Change
In 2013, new ransomware came to the scene and used RSA encryption with public and private keys on its CnC server. The CryptoLocker ransomware strain was distributed in spam emails via a botnet network. Ransomware ransom request skyrocketed and new ransomware strains began employing CnC infrastructure on the ToR network, effectively hiding their online presence. This combination of anonymity and widespread use of bitcoin as a payment system boosted the proliferation of ransomware and its complexity.
Ransomware as a Service - RaaS
Following a trend of major cloud providers, ransomware actors launched and named their new service “ransomware-as-a-service” in 2015 with creators taking 20 % of every bitcoin ransomware payment made via the platform. The launch of RaaS has effectively created a very successful business model and is arguably responsible for the majority of the increase in ransomware attacks. Several payment methods exist from one-time fees and not profit sharing, strict profit-sharing, and percentage of profits going to RaaS developers.
WannaCry Ransomware - World Wide Attack
WannaCry ransomware reached a new level of fame in the ransomware world in 2017 and targeted Windows operating system machines by encrypting the machines and demanding a bitcoin payment. Thanks to the EternalBlue exploit initially developed by the National Security Agency, hackers managed to launch an attack so massive in scale that it hindered computer systems across almost every continent. The ransomware exploited a vulnerability in Microsoft’s SMB protocol which provided the path to encryption of most if not all network drives. In less than 1 day, WannaCry managed to infect more than 200 thousand machines in more than 140 countries. The total amount of payments reached around 130 thousand US dollars, which is a small number considering the vast reach and impact of the ransomware.
Recent Ransomware Attack
The most recent attack that resulted in a massive payment to hackers was the DarkSide ransomware that hit the Colonial Pipeline in May 2021. The gas pipeline stretches from the West coast of the US all the way to the northeast coast. The pipeline serves gasoline needs for almost 50 % of the US states it passes through and has gone offline for multiple days due to the ransomware attack. What is shocking is that the Colonial Pipeline had to pay 4.4 million USD to get control over their systems. Whopping amounts of money such as these give hackers more incentive to perform even more debilitating attacks in the future.
WannaCry Ransomware - World Wide Attack
WannaCry ransomware reached a new level of fame in the ransomware world in 2017 and targeted Windows operating system machines by encrypting the machines and demanding a bitcoin payment. Thanks to the EternalBlue exploit initially developed by the National Security Agency, hackers managed to launch an attack so massive in scale that it hindered computer systems across almost every continent. The ransomware exploited a vulnerability in Microsoft’s SMB protocol which provided the path to encryption of most if not all network drives. In less than 1 day, WannaCry managed to infect more than 200 thousand machines in more than 140 countries. The total amount of payments reached around 130 thousand US dollars, which is a small number considering the vast reach and impact of the ransomware.
Recent Ransomware Attack
The most recent attack that resulted in a massive payment to hackers was the DarkSide ransomware that hit the Colonial Pipeline in May 2021. The gas pipeline stretches from the West coast of the US all the way to the northeast coast. The pipeline serves gasoline needs for almost 50 % of the US states it passes through and has gone offline for multiple days due to the ransomware attack. What is shocking is that the Colonial Pipeline had to pay 4.4 million USD to get control over their systems. Whopping amounts of money such as these give hackers more incentive to perform even more debilitating attacks in the future.
Ransomware Statistics
The ongoing attacks have increased 60% since 2021 and have cost businesses across the globe more than $20B. As mentioned before, new ransomware attacks have become more victim-specific, with attackers carefully choosing their next target based on the system criticality and the likelihood of ransomware payment.
As a result, healthcare organizations are most targeted with ransomware attacks due to the criticality of data and potential side effects of systems not being usable. Legal and insurance companies experience ransomware attacks with a frequency just below the healthcare industry.
The sudden increase in ransomware attacks can only be explained by the fact that it has become a very lucrative business. The large public payouts have increased giving incentives to hackers who seek to earn profits in the rank of millions.
Cyber Insurance
Due to the ongoing rise in ransomware Cyber Insurance providers have also started to limit their exposure by either not covering for breaches related to ransomware or to provide financial coverage by charging extremely high premiums due to the resent hefty payouts.
As part of the due diligence, Cyber Insurance Providers are also now validating the level of ransomware protection and recovery capabilities organizations have in place to evaluate if an organization can be sufficient covered or is a high-risk candidate.
Ransomware Statistics
The ongoing attacks have increased 60% since 2021 and have cost businesses across the globe more than $20B. As mentioned before, new ransomware attacks have become more victim-specific, with attackers carefully choosing their next target based on the system criticality and the likelihood of ransomware payment.
As a result, healthcare organizations are most targeted with ransomware attacks due to the criticality of data and potential side effects of systems not being usable. Legal and insurance companies experience ransomware attacks with a frequency just below the healthcare industry.
The sudden increase in ransomware attacks can only be explained by the fact that it has become a very lucrative business. The large public payouts have increased giving incentives to hackers who seek to earn profits in the rank of millions.
Cyber Insurance
Due to the ongoing rise in ransomware Cyber Insurance providers have also started to limit their exposure by either not covering for breaches related to ransomware or to provide financial coverage by charging extremely high premiums due to the resent hefty payouts.
As part of the due diligence, Cyber Insurance Providers are also now validating the level of ransomware protection and recovery capabilities organizations have in place to evaluate if an organization can be sufficient covered or is a high-risk candidate.
What the Future Brings
What the Future Brings
Ransomware is continuing to increase in complexity and has evolved dramatically over the past decade. With new delivery tactics and ever-increasing creative ways the attackers use to infect systems, the cyber security industry will have to put more effort into spreading awareness and defending against new ransomware strains. We have yet to see if the ransomware numbers will hit an all-time high this year and continue to be one of the biggest concerns for businesses worldwide.
See also: