By: Mohammed Al-Moneer, Regional Director, Middle East, Turkey & Africa at Infoblox
Ransomware is once again front and center. This year has turned out to be one of the worst years for ransomware. Why? Because that’s where the big money is. Large potential return on investment makes ransomware extortion activities highly compelling for threat actors. Verizon’s 2021 Data Breach Investigations Report notes, “The novel fact is that 10 percent of all breaches now involve ransomware.”
Cybereason’s recent ransomware study of nearly 1,300 security professionals reveals that more than half of organizations have fallen victim to ransomware attacks. In addition, 80 percent of businesses that have paid ransoms have suffered second ransomware attacks, often from the same threat actors. 66 percent of organizations surveyed reported significant loss of revenue after a ransomware attack, 53 percent of organizations indicated that their brand and reputation were damaged as a result of a successful attack, and 32 percent reported losing C-level talent as a direct result of ransomware attacks. As many as 26 percent of organizations reported that ransomware attacks forced their businesses to close temporarily.
The ransomware attacks on JBS and Colonial Pipeline are examples of criminal organizations using ransomware-as-a-service (RaaS) platforms. Many potential threat actors who lack the skills to build and launch their own ransomware attacks can buy what they need through the dark web. Nearly two-thirds of ransomware attacks during 2020 came from RaaS-based platforms.
RaaS platforms include support, community forums, documentation, updates, and more. They are closely modelled after the type of support offered with legitimate SaaS products. Some RaaS websites offer supporting marketing literature and user testimonials. The cost is relatively low. In some cases, affiliates can sign up for a one-time fee or for a monthly subscription. Some RaaS platforms are set up without any initial fees and share the fees associated with a successful attack. Other platforms might charge for special features, such as a view of status updates on active ransomware infections, the number of files encrypted, and payment information.
The use of highly targeted RaaS attacks has been lucrative for threat actors. Threat actors behind RaaS attacks that target large organizations can, in turn, ask for large ransoms. In these highly targeted cases, threat actors sometimes use carefully researched social-engineering tactics, such as well-crafted emails that entice targets to click dangerous URLs or open malicious attachments. In other cases, threat actors may target a vulnerability in technology that is particular to or commonly used by their target victim group.
Threatening to post a victim’s data on a data-leak site increases the leverage of a ransomware threat actor and is another part of their strategy, in addition to encrypting a victim’s files. The damage of this exposure might be greater than the financial damage of agreeing to pay the ransom the actor has demanded.
Attackers continue to use tried-and-true ransomware distribution methods: their tactics, techniques, and procedures work well for them, and these attack vectors continue to bring them success. The four distribution methods are malicious websites, malspam email, the Remote Desktop Protocol (RDP), and USB memory sticks. Depending on the report cited, the time period, and the companies surveyed, the percentages of ransomware attacks that use these distribution methods have varied significantly.