The threat landscape for ransomware is constantly changing with evolving variants and the seemingly endless game of Whack-a-Mole with digital crime gangs. With the Ransomware-as-a-Service (RaaS) model becoming more popular, ransomware gangs provide a cut of the profit to individuals able to infect organizations with ransomware and generate payment. The motivation behind the attacks continue to remain financially driven resulting in the attacks being purely opportunistic with plenty of profit to be shared with an average payout around $170,000 per attack[i]. In an analysis by Chainalysis, ransomware attacks amassed a total of $406 million in 2020 and are on pace to further increase in 2021[ii]. As ransomware gangs become more ambitious in their targeting, they have drawn the increased attention of governments around the world.

Flying too close to the sun

While profits soar, the greed may result in the downfall of some ransomware groups. In early May, as was widely reported, the DarkSide criminal organization leveraged a compromised account to access and deploy ransomware to the Colonial Pipeline’s computer networks. The attack brought the critical fuel pipeline to a halt for days resulting in fuel shortages and consumer panic. However, the attack gained a large amount of unwanted attention for the group. As a result, DarkSide released a statement stating the affiliate program is closed and that the group would no longer be operating[iii]. The unwanted publicity to ransomware activity also resulted in a major Russian-language cyber criminal forum, XSS, to ban ransomware related commerce on its website[iv]. It is apparent that the attack resulted in much more attention than the group realized or wanted.

At the same time another ransomware gang, Conti, paralyzed Ireland’s Health Service in a ransomware attack against critical IT infrastructure. The gang provided the Health Service a decryption key, but still holds the compromised data for ransom[v]. Conti and DarkSide both have broken unspoken rules within the underground community of not attacking high profile infrastructure or healthcare entities – moves that will bring a large amount of attention to ransomware activity.

Authorities push back

The US Department of Justice was able recover a portion of the $4.4 million dollar ransomware payment made to DarkSide. The newly established Ransomware and Digital Extortion task force was able to obtain the decryption key of the cryptocurrency account holding the ransom funds, a rare victory in the fight against ransomware gangs. In addition, increased pressure has been placed on the Biden administration ahead of the Geneva summit to confront Russian president Vladimir Putin regarding the haven Russia has created for ransomware gangs[vi]. The UK government has also urged organizations affected not to pay ransoms citing no guarantee for a successful outcome and lack of protection in the future[vii].

What’s next?

Until there is a robust ability to intercept funds traveling cryptocurrency exchanges, more international effort in arresting ransomware gangs and support from agencies in incident response and remediation need to occur.  If these principles are not established, ransomware attacks will continue to be profitable. Thwarting ransomware gangs will take an international effort from organizations and authorities alike.

In the meantime, organizations should continue to adhere to cybersecurity best practices. Leveraging multi-factor authentication, strong password practices, and ensuring timely patch management cycles all help increase resiliency to ransomware attacks. Limiting the external attack surface area is vital in preventing a compromise. The Charter of Trust continues to promote security awareness and facilitate information sharing of trends and practices to improve cybersecurity posture internationally.

____________________

References:

[i] https://www.sophos.com/en-us/press-office/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year.aspx

[ii] https://www.coindesk.com/ransomware-attacks-are-growing-more-profitable-chainalysis-says

[iii] https://www.nytimes.com/2021/05/14/business/darkside-pipeline-hack.html

[iv] https://threatpost.com/darkside-toshiba-xss-bans-ransomware/166210/

[v] https://www.bleepingcomputer.com/news/security/conti-ransomware-gives-hse-ireland-free-decryptor-still-selling-data/

[vi] https://www.cnn.com/2021/06/07/politics/president-joe-biden-cyber-attacks-russia-putin-trump-economy/index.html

[vii] https://www.globalreinsurance.com/ransomware-dont-pay-urges-uk-government/1437486.article