The COVID-19 pandemic has amplified ransomware attacks, with much of the malware arriving in phishing emails that reference the pandemic. But ransomware, and the tactics cybercriminals use with it, are also evolving. Where criminals were once content to gain access to a system, encrypt the data and demand a ransom, they are now also exfiltrating the data and holding it hostage.
This data theft is pushing ransom demands up, and many companies are paying in the hope of avoiding the regulatory scrutiny, fines and reputational damage that follow when stolen data is released publicly.
The rising cost of ransomware
Sophos’ recent 2021 Threat Report found that ransom payouts have risen dramatically over the last twelve months. The average payout was US$84,116 in Q4 2019. Three months later it had increased to US$111,605 for Q1 2020. It then rose a further US$66,649, to US$178,254, by Q2 2020, and hit a record US$233,817 in Q3 2020.
Criminals are pushing the limits of what they can extort because they know how expensive downtime is for a victim, and they are testing how much a business will pay to end it.
They are also well aware that companies do not want their data released into the wild. Cybercriminals know how much damage a data breach does to a company’s reputation, and they price their demands accordingly. This additional pressure turns the screws on victims even further, especially on those who were undecided about whether to pay.
The blurring of criminals and nation-state actors
Our research found that distinct threat actor groups engaged in ransomware attacks are now collaborating closely with their peers in the criminal underground, behaving more like cybercrime cartels than independent groups.
Those cartels are also gaining access to tools developed by nation-states for cyberwarfare, blurring the line between criminal and state activity. This makes it harder for defenders to determine who is behind an attack: is it a nation-state engaged in espionage, or a criminal group going about its usual business? Attribution is becoming more and more difficult.
Over the past year, Sophos’ analysts have seen ransomware groups settle on a common, and slowly growing, toolset for exfiltrating data from victims’ networks.
These utilities pose a particular problem because they are well-known, legitimate pieces of software that anyone might have installed, so endpoint security products have little reason to flag them on their own. The signal a defender is left with is not the tool itself but who is running it, on which machines, and how much data it is moving.
When criminals exfiltrate data, they are also using commodity cloud services to hold what they have stolen. Traffic bound for a service like Google Drive or Amazon S3 is an ordinary sight on most networks, so the upload blends in with legitimate use and is hard to recognise as an attack in progress.
The volume of data taken varies widely, and the criminals do not appear to be constrained by it. Directory structures are unique to each business and some file types compress far better than others, so our analysis has seen anywhere from 5GB to 400GB of compressed data stolen from a victim before the ransomware is deployed.
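Because the destination itself looks legitimate, the practical detection is volumetric: a host pushing far more to a storage provider than it normally does, in the 5GB-and-up range described above. The script below is an added example written for this article, not Sophos’ own tooling or anything from the report. It parses a constructed proxy log (the five-column format, the source addresses and the list of storage domains are all assumptions), sums upload bytes per source host to cloud-storage destinations, and flags any host that crosses a threshold.

```python
"""Flag hosts uploading unusually large volumes to commodity cloud-storage
destinations. Added example, not Sophos' code. The log format and the
domain list are assumptions; adapt the parser to your proxy or flow export.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed list of "looks legitimate" storage destinations; extend with
# whatever providers your own environment actually talks to.
CLOUD_STORAGE_SUFFIXES = (
    "drive.google.com",
    "googleusercontent.com",
    "s3.amazonaws.com",
    "mega.nz",
    "mega.co.nz",
)
UPLOAD_METHODS = {"PUT", "POST"}
DEFAULT_THRESHOLD = 5 * 2**30  # 5 GiB: the low end of the volumes seen in the text

# Constructed sample log lines (not real traffic): 10.1.4.22 pushes ~10 GiB
# to storage overnight; the other hosts do normal-sized uploads.
SAMPLE_LOG = """\
2020-11-02T01:12:03Z 10.1.4.22 drive.google.com PUT 734003200
2020-11-02T01:40:17Z 10.1.4.22 drive.google.com PUT 1073741824
2020-11-02T02:05:44Z 10.1.4.22 drive.google.com PUT 2147483648
2020-11-02T02:31:09Z 10.1.4.22 drive.google.com PUT 2147483648
2020-11-02T03:02:55Z 10.1.4.22 uploads.files-bucket.s3.amazonaws.com PUT 4294967296
2020-11-02T09:15:30Z 10.1.7.15 drive.google.com PUT 5242880
2020-11-02T10:02:11Z 10.1.7.15 drive.google.com PUT 12582912
2020-11-02T10:30:00Z 10.1.7.15 www.example.com GET 2048
2020-11-02T11:45:21Z 10.1.9.40 s3.amazonaws.com PUT 9437184
"""


@dataclass
class ProxyEvent:
    when: datetime
    src: str
    host: str
    method: str
    bytes_out: int


def parse_line(line: str):
    """Parse '<ISO timestamp> <src ip> <dest host> <method> <bytes sent>'.
    Returns None for malformed lines instead of raising, so one bad record
    does not abort the whole sweep."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, host, method, nbytes = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return ProxyEvent(when, src, host.lower(), method.upper(), int(nbytes))
    except ValueError:
        return None


def is_cloud_storage(host: str) -> bool:
    """Match on label boundaries so 'evil-s3.amazonaws.com.example.net'
    is not mistaken for an AWS destination."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def upload_bytes_by_source(lines) -> dict:
    """Total upload bytes per source host to cloud-storage destinations."""
    totals = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.method in UPLOAD_METHODS and is_cloud_storage(ev.host):
            totals[ev.src] += ev.bytes_out
    return dict(totals)


def flag_exfil(lines, threshold: int = DEFAULT_THRESHOLD):
    """Return (source, bytes) pairs at or above the threshold, largest first."""
    totals = upload_bytes_by_source(lines)
    hits = [(src, n) for src, n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for src, n in flag_exfil(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n / 2**30:.1f} GiB uploaded to cloud storage")
```

A fixed threshold is only a starting point. In production you would window the totals (per host per 24 hours), compare each host against its own historical baseline so a workstation that never syncs anything is flagged long before 5GB, and enrich the alert with the process responsible for the connections, since the tool in use is usually a legitimate archiver or sync client that endpoint products will not flag on its own.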
Local backups also fall victim
One of the best ways to defeat the encryption half of a ransomware attack (it does nothing about data that has already been stolen) is to keep remote, offline backups that let a business restore its data and get back up and running.
Many businesses, however, keep their backups on local servers attached to the same network as everything else. Ransomware attackers who gain access to that network have started hunting down these local backups and, when they find them, either delete them or encrypt them separately, before exfiltrating the production data and then encrypting it.
Ransomware is evolving into the defining attack of our era. New techniques and strategies mean cybercriminals are no longer just encrypting data and holding it to ransom, but also exfiltrating it and threatening to release it publicly. This double extortion is a relatively new development, and it is not easily defended against once a crook has gained access to the network in the first place.