The Shifting Landscape of Ransomware Attacks

Ransomware has been a growing menace for years, but there has been a marked increase, during the recent months, in sophistication and level of innovation in this portion of the cybercrime underbelly. If you didn’t know, cybercrime comes in many different types, such as email and internet fraud, identity theft, financial theft like someone stealing your credit cards, theft and sale of corporate data, cryptojacking, cyberespionage, and cyberextortion. Ransomware attacks are a type of cyberextortion. Just to give an idea of how big the ransomware market is today. It is estimated that the cost of ransomware attacks reached 20 billion dollars in 2020.

Now, just for comparison, the ransomware protection tools market like all the software that you can buy today to protect your organization from ransomware stands at 48 billion dollars what that means is that losses from ransomware are ramping up quickly and will outpace and outsize the protection market much like the overall cybersecurity losses. Ransomware perpetrators carry out more than 4,000 attacks daily where an organization on average pays a ransom of 154 thousand dollars and one in four of the organizations end up paying the ransom. Anyhow, ransomware attacks can quickly turn into a nightmare for unprepared IT teams, where the average downtime following a ransomware attack stands at 19 days. Two of the largest sectors that make for the best target for ransomware attackers are education and healthcare. If you remember one ransomware, I bet that’s WannaCry as it was the biggest and most damaging ransomware in history. It crippled 200,000 computers around the globe and NHS in the UK was most severely affected by the attack and as per the cyber risk modeling experts, the overall loss caused by WannaCry was close to 4 billion dollars.

Why Ransomware

It is no secret that ransomware is one of the top threats in cybersecurity today. Organizations around the world are held hostage by ransomware each day, and many are forced to pay up for various reasons, from a lack of recoverable backups to the cost of downtime or data theft outweighing the cost of paying the ransom. New ransom groups are entering the market at a rapid pace and the new ransomware business models are on the rise. The three top ransomware groups today are Revil, Egregor, and Ryuk. As per Checkpoint, the daily average of ransomware attacks in Q3 2020 increased 50 percent when compared to the previous six months, with Ryuk, one of the top ransomware groups, alone attacking 20 organizations a week.

What’s New in the Ransomware Landscape

Anyhow, the real reason for ransomware growth is the fact that it is a lucrative game. Here is the list of ransomware trends on the rise.

Number One. Rise of Ransomware-as-a-service attacks. This enables threat developers to sell or leasing malware to users on dark web forums. Why? Because many cybercriminals want to cash in but can’t code and or launch campaigns and that’s where the affiliate model comes in. The affiliate schemes provide low-level attackers with the ability to distribute and manage ransomware campaigns, with the developer behind the ransomware receiving a portion of each ransom victim’s pay for the decryption key. It is estimated that about two-thirds of the ransomware attacks came from cybercriminals operating out of a ransomware-as-a-service model.

Number Two. Increase in sophistication. These include code tweaks, changes in victimology for the lack of better words, and the move to attack cloud-native workloads managed by Kubernetes and Docker. Some ransomwares can evade sandboxes by evading the detection techniques which allow them to fly under the radar. As ransomware gangs get paid, some of that money is reinvested to even more brainpower and enhance the ransomware capabilities such as finding and building zero-day exploits. With more cash on hand, nothing is stopping a group from buying zero days from the dark webs. Much like trojanized backdoors, there is also a trend to develop cross-platform ransomware. Compromise automation, like informing the owner of the success as soon as the ransomware takes over the victim, is also on the rise.

Number Three. Shifting TTPs and Extortion Operations. Besides technical sophistication, ransomware groups are also switching up their techniques, tactics, and procedures to further improve their extortion outcomes. Like, until two years ago, there was no such thing as exfiltrating the victim’s data and selling it to the highest bidder. This is a significant shift from just encrypting files and data and demanding a ransom for providing the decrypt key. It is expected that over 80% of the ransomware attacks this year, in 2021, will use this tactic. Well why not? It is working. There is also more focus on post-exploitation activities, especially going after the customers or partners in the organization if the attackers can find compromising or valuable information. This is like combining the ransom with blackmail. This is something we can call ransomware based on supply chain and I want to come back to this with the recent Apple attack. But, what else? We have seen attackers demanding double payments, like one payment to decrypt and another to keep the data out of the dark web. We have also seen customers getting DDoS if they don’t pay up the ransom. On cloud-native front, imagine a ransomed Kubernetes cluster. Container images are a new target for ransomware groups as well as supply chain compromises like we saw with Codecov since they contain the application code as well as the external dependencies. Container images are stored within a centralized container repo, such as the Docker Hub. This is where tools like Kubernetes pull container images from. So, if an attacker can successfully compromise popular base images such as Ubuntu or WordPress or what have you, then it could allow the attacker to plant ransomware within those otherwise legit images. Finally, in terms of victim selection, there is a renewed focus on hunting larger organizations. And that brings me to the Apple ransomware attack by a ransomware group known as REvil.

While Apple was launching new products on April 20th, the REvil group announced that they have hacked into Apple partner Quanta and stole bunch of internal docs. If you didn’t know, Quanta Computer is the contractor that Apple uses to build Apple Watch, Macbooks and iMacs. To produce Apple products, Apple provides them with the confidential schematic diagrams and knowledge of product roadmaps in advance. Quanta is yet another Taiwan-based contractor besides Foxconn.

Apple Quanta Ransomware Attack

Now, since Apple has a very strong security posture, the attackers chose to target a weaker link in the supply chain. So far Quanta has refused to pay the ransom and REvil is demanding the ransom directly from Apple. REvil has put a deadline of May 1, and if they are not paid by that date, they will release the Apple confidential schematics revealing details about the future product roadmap. Given REvil history, it is highly likely that they will indeed release the data. You can also take it to the bank that REvil didn’t target Quanta just for Apple, which means you’re going to start to see confidential details about other vendors once Apple ransom is settled one way or the other. REvil has not dumped any Apple-related data since announcement, so the parties may be negotiating behind the scenes.

Final Takeaways

Anyhow, here are my final thoughts. Number One. It is clear that the future of ransomware is not ransom, it is valuable data theft which means more eye-popping ransom demands coming down the pike. Number Two. While data backup is useful for other purposes, it is not going to be useful for protection against ransomware. Why? Because backups do not protect against data theft and selling it to the highest bidder. Number Three. Supply chain. We keep coming back to the supply chain as the new modus operandi. Why? Because it carries the most bang for the efforts put in by the hackers. Like, why try to steal data from Apple, when you can simply compromise Quanta Computer or another contractor down the supply chain which opens up doors to stealing not just Apple’s internal documents but just about everyone else who contracts their manufacturing out to Quanta. For example, Quanta also supplies laptops and desktops for Dell and HP. Number Four. As big game hunting continues in the world of ransomware, we’re likely to see even more novel approaches such as providing data to short-sellers of publicly traded companies. If short sellers did some academic research before initiating a short position, there would be no need to hire PR firms. A case in point is GameStop and what happened to Melvin Capital. If you don’t know, be sure to check it out. Anyhow, 50 million dollars doesn’t look much when you factor in a 2 million dollar regulatory penalty under the EU’s GDPR or California’s Consumer Privacy Act. Last but not least, it is interesting to note that the US DOJ launched a national task force aimed at addressing the ransomware threat exactly the day after REvil announced the hack.