Ransomware: Security Against Extortion

Ransomware is a type of malicious software that is either cryptographic or locker-based. Cryptographic ransomware encrypts the victim’s system, devices, folders, and/or files, making them unreadable and unusable without a key. Locker ransomware locks the screen and ignores user input. After a successful attack, the adversaries usually demand a ransom from the victim for decryption or unlocking. Ransomware is often delivered by email as an attachment, but it may also spread via social media messages, pop-ups, or infected websites. The ransomware process usually starts with executing a malicious file on the victim’s computer. This file will download other files that connect to a malicious server. After encrypting files or locking systems, notes are released to inform users about the ransomware and the payment procedures to receive the key. An example of a large-scale ransomware attack is WannaCry in 2017, which infected approximately 230,000 computers in over 150 countries.

Evolving methods and extortion techniques

In 2021, attackers carried out large-scale attacks on major and critical organizations, such as the USA-based Colonial Pipeline Company, JBS SA, a food company in Brazil, and Kaseya Limited, a US software company. The attacks in 2021 did seem to be more targeted than previous ones. That means the attackers focussed their time and energy on one organisation. In the years before, attacks were often chaotic; attackers targeted various organisations hoping for the best. Smaller organisations are not safe either. Targeting large companies also means that ransomware attackers come under the scrutiny of the authorities. Some ransomware attackers, therefore, choose to focus on smaller organisations. The increase in targeted attacks goes hand in hand with increasing knowledge of businesses about how to mitigate ransomware attacks. Businesses take precautions by backing up their data and keeping this data separate from their systems. When the data on their production servers becomes unavailable due to a ransomware attack, the data is not lost, and paying the ransom is unnecessary. Attackers, therefore, have started using other techniques to circumvent this. When planning their attack, attackers sometimes install additional software such as spyware to steal credentials and gather additional data from other servers or applications. In a subsequent attack phase, the attackers may use gathered data to extort the victim organisation. Attackers may threaten to disclose the data to pressure the victims to pay the ransom.

Ransomware-as-a-service: a new type of ransomware

Another major development within the ransomware domain is the rise of Ransomware-as-a-Service (RaaS). Ransomware developers have recently begun outsourcing their software to third parties. Cybercriminals with less experience now have the opportunity to use ransomware and perform attacks. At the same time, ransomware developers can make money while transferring the risks to others. Ransomware is not the only sort of cybercrime that is outsourced; other types of cybercrime sold as services are Botnet-as-a-Service and Traffic-as-a-Service for DDoS attacks. It is similar to legitimate companies’ subscription-based service models like Software-as-a-Service and Platform-as-a-Service. RaaS is often characterised as an “affiliation programme” and is a collaborative effort in which the affiliate or partner pays for the use of the ransomware. The partner is in charge of the actual ransomware attack. The ransomware owner receives the ransom directly from the victims if they pay, and the owner pays a share of the ransom to the affiliate or partner. The ransomware owner, thus, receives money from two different sources: their affiliates or partners and the victims. It is not hard to understand why this model is especially lucrative for ransomware owners. Investigation of RaaS software shows that RaaS enables partners to customise the ransomware according to their preferences. The software also keeps track of partner IDs, allowing a ransomware owner to see which partners have carried out successful attacks and pay them accordingly. Finally, unlike typical ransomware, most of the examined RaaS malware lacks code to enable spreading, as the main spreading method is via partners and not through systems.

REvil: a case study

REvil is a Russian ransomware group that was active from early 2019 until recently. There are indications that the group might have been a spinoff of the older GandCrab ransomware operation. Estimates suggest GandCrab was active from early 2018 until 2019 and held 40% of the ransomware market. Although GandCrab has disbanded, its code lives on and continues to be spread by various botnets and other cybercriminal networks. Both REvil and GandCrab employed a RaaS model, and the code of their programs has a strong resemblance. For example, malware from both groups has code preventing them from infecting Russian computer systems. REvil’s ransomware was responsible for many large cyberattacks.

One of REvil’s first attacks targeted twenty-three municipalities in Texas, USA. None of the municipalities paid the ransom, but the attack disrupted their services for a week. In May 2021, REvil attacked JBS SA, the world’s largest meat company. The attack caused the company to lose control of its supply chain. JBS has confirmed they paid an $11 million ransom to REvil after the group initially demanded $22.5 million. This incident has raised concerns about food security and food safety as the attack forced JBS to shut down several of its food production sites. It has also highlighted how vulnerable businesses are to cyber-attacks and how difficult it is to protect against them.

Not long after the attack on JBS SA, Kaseya Limited also faced a ransomware attack by REvil, on the July 4th weekend in 2021. Sophos, a British security software and hardware company, believes that the attack on Kaseya was one of the most significant criminal ransomware attacks ever experienced. They estimated that more than 70 managed service providers and 1500 businesses were affected by this attack. Kaseya announced on July 22 that a security firm had gotten their hands on the universal decryption key, and they did not pay any ransom. In the same year, the US Department of Justice (DOJ), the European Police Office (Europol), and the Romanian police joined forces to take down GandCrab and REvil. Three members were arrested in early 2021 and several others in November 2021. Decryption tools have been handed out to victim organisations to provide them with access to their data and systems again. That was considered the final blow for REvil, and experts consider the group disbanded.

Responding to ransomware

Cybercrime experts and government agencies frequently advise ransomware victims not to pay the ransom. Payment will make the crime profitable and encourage cybercriminals to keep committing crimes. Furthermore, there is no guarantee that cybercriminals will follow through on their promise to supply a key after paying the ransom. Despite this, many victim organisations choose to pay the ransom. Estimates suggest that more than half of the ransomware victims pay the ransom, and this percentage seems to increase every year. These statistics do not imply that full data recovery occurs after paying the ransom; the average data recovery rate is between 65% and 80%. Files often get lost or corrupted while held hostage. Businesses should be aware of the cost of paying out ransom. Sometimes the ransom and the additional recovery costs are higher than recovering the system without paying the ransom. One of the things businesses can do to prepare is to think of different ransomware scenarios and ransom rates, and the costs involved. A cost-benefit analysis can include different ransomware scenarios. That enables businesses to make a more informed decision if their data and systems become ransomware targets. A cost-benefit analysis also assists in deciding which technical solution would be best for the business to protect against ransomware.
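The cost-benefit comparison described above can be written down as a small expected-cost model. This is an added example, not part of the original article: the cost model, the field names and every figure in the two scenarios are constructed assumptions, and only the 65% to 80% recovery range comes from the text.

```python
from dataclasses import dataclass

@dataclass
class Scenario:                  # all fields are hypothetical planning inputs
    name: str
    ransom: float                # demanded ransom
    data_value: float            # business value of the affected data
    downtime_cost_per_day: float
    days_down_if_pay: float      # outage while negotiating and decrypting
    days_down_if_restore: float  # outage while rebuilding from backups
    restore_cost: float          # labour and tooling for the rebuild
    backup_coverage: float       # fraction of data held in separate backups
    p_key_delivered: float       # chance a working key arrives after payment
    recovery_rate: float         # fraction of data recovered with the key

def cost_if_restore(s: Scenario) -> float:
    """Rebuild without paying: rebuild effort, outage, and data not in backups."""
    lost = (1 - s.backup_coverage) * s.data_value
    outage = s.days_down_if_restore * s.downtime_cost_per_day
    return round(s.restore_cost + outage + lost, 2)

def cost_if_pay(s: Scenario) -> float:
    """Expected cost of paying: the ransom is always spent, recovery is partial,
    and if no key arrives the organisation still has to rebuild."""
    outage = s.days_down_if_pay * s.downtime_cost_per_day
    partial_loss = s.p_key_delivered * (1 - s.recovery_rate) * s.data_value
    fallback = (1 - s.p_key_delivered) * cost_if_restore(s)
    return round(s.ransom + outage + partial_loss + fallback, 2)

def compare(s: Scenario) -> dict:
    pay, restore = cost_if_pay(s), cost_if_restore(s)
    cheaper = "restore" if restore <= pay else "pay"
    return {"scenario": s.name, "pay": pay, "restore": restore, "cheaper": cheaper}

# Constructed sample scenarios: the same incident with and without separate backups.
WITH_BACKUPS = Scenario("separate backups", 100_000, 500_000, 20_000,
                        5, 7, 30_000, 0.95, 0.8, 0.65)
NO_BACKUPS = Scenario("no usable backups", 100_000, 500_000, 20_000,
                      5, 20, 80_000, 0.0, 0.8, 0.80)

if __name__ == "__main__":
    for scenario in (WITH_BACKUPS, NO_BACKUPS):
        print(compare(scenario))
```

With these constructed inputs, the presence of separate backups is what moves the cheaper option from one column to the other, which is the effect of the backup precaution the article describes.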

There are other measures that businesses can implement to prevent ransomware from disrupting their operations. A layered security defence and the usual measures to protect the system from any malicious activity are a good start. That means installing anti-virus programs on every computer, updating software and operating systems to the latest version, creating backups of data, and keeping the backup data separate from the rest of the system. Be aware of phishing emails and exercise caution while clicking on links. Provide training to users on how to recognise such emails and links. Anti-virus programs often have ransomware detection built-in; they prevent ransomware from infecting systems in the first place. Some programs and tools specifically target ransomware. These tools use behaviour detection technologies to identify well-known ransomware such as REvil, Petya, and WannaCry. Ransomware removal tools may assist in removing ransomware when an attack has occurred. Lastly, ransomware should be a part of an organisation’s incident response plan. An incident response plan is a strategy that outlines what steps to take in case of an attack. This plan enables the business to react quickly and efficiently in a ransomware incident. Nevertheless, prevention is the best way to tackle cybercrime, and ransomware is no different. Having knowledge and understanding of the risks will help protect the business.
