When Cryptolocker arrived in 2012, it brought a great deal of fear and panic in its wake. This particularly malicious type of malware affected and encrypted data across the globe with no way to reverse it. While that was certainly a terrifying scenario, little did we know that ransomware encryption would get much worse over the next decade.
When we first came across this new breed of ransomware, the ransoms charged rarely exceeded $100 USD. Fast forward to 2020 and the average ransom being charged is somewhere around $180,000 and rising fast.
With ransoms rising, the severity and impact of attacks have worsened as well. A British insurer stated that nearly half of their cyber insurance claims for the first half of 2020 were ransomware related. Although the majority of criminal money is still made at the expense of the SMB sector (as always), brazen “big game” attacks on giant corporations, government, healthcare, education and transport have never been in the news as much as they have been in recent years, with some U.S. states even declaring a national emergency in response to the crisis.
In the early days, crooks used botnets, email campaigns or exploit kits to target and infect millions across the globe with ransomware. The problem with this approach, from a criminal perspective, was its imprecise and haphazard nature. A million malicious emails might be sent out, but it was tough to know just who you were writing them to and how much money they had. Was the victim rich or poor? Corporate or consumer? Did they have backup or not?
Law enforcement began warning about targeted attacks in 2016, when criminals started casing their victims and tailoring their attacks and ransoms accordingly. If you know your victim is rich, has no backups and is sensitive to disruption, then your ransom demand will be a whole lot bigger. Current specialists, such as the Maze gang, know EXACTLY how much their victims are worth and even boast about it online to put pressure on them to pay.
The level of execution and ruthlessness of ransomware operators has been increasing. While older attacks could be dealt with by wiping a machine or restoring data from backups, modern attacks aim to bring an organisation to its knees. Why encrypt just one machine when you can encrypt thousands? Why encrypt thousands of machines when one critical file server will do? Malicious actors take their time to compromise accounts and defences and gain as much access to a network as possible. Disabling security, cancelling or wiping backups and encrypting network shares are just some of the methods used to cripple an organisation and, of course, elicit bigger ransoms. On top of this, the encryption of data is usually accompanied by the theft of sensitive data as well, the details of which are often published online, giving ransomware gangs “double leverage” when demanding a ransom.
Today’s ransomware criminals are incredibly professional. The top gangs work office hours, safe in the knowledge that they won’t face prosecution. They form cartels, affiliate programs and complicated “corporate” alliances with other criminals, and anything they can’t use they fence on the dark web to lower-level criminals who can gain access to critical infrastructure for the price of a cup of coffee.