Complex RansomOps fuel explosion in 2021 ransomware economy, reveals Cybereason

Cybereason, the XDR company, has released a new report titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy, which examines how ransomware attacks evolved from a cottage industry less than ten years ago to a multibillion-dollar mega industry today. Ransomware syndicates are reaping record profits as the sophistication of RansomOps attacks grows, making it open season on public and private sector organizations of all sizes.

Early on, ransomware attackers relied on “spray-and-pray” tactics to target mostly individuals when ransom demands were relatively low compared to what we saw in 2020-2021. Ransomware attacks have become more difficult to defend against for most organizations, thanks to the emergence of RansomOps that are complex and akin to the stealthy operations conducted by nation-state threat actors, and emboldened threat actors have raised their ransom demands as more and more organizations choose to pay.

“A shift by the ransomware gangs from wide-spread to targeted attacks against organizations that have the ability to pay multi-million dollar ransom demands has fueled the rise in attacks in 2021. No two RansomOps attacks garnered more publicity last year than those on Colonial Pipeline and JBS Foods. Unfortunately, we can expect to see a continued increase in attacks in 2022, with ransom demands increasing and critical infrastructure operators, hospitals and banks having targets on their backs,” said Lior Div, Cybereason CEO and Co-founder. 

The new report details the four components of RansomOps:

• Initial Access Brokers (IABs): Infiltrate target networks, establish persistence and move laterally to compromise as much of the network as possible, then sell access to other threat actors 

• Ransomware-as-a-Service (RaaS) Providers: Supply the actual ransomware code, the payment mechanisms, handle negotiations with the target and provide other “customer service” resources to both the attackers and the victims 

• Ransomware Affiliates: Contract with the RaaS provider, select the targeted organizations and then carry out the actual ransomware attack 

• Cryptocurrency Exchanges: Launder the extorted proceeds

To Pay or Not to Pay

A previous Cybereason report, titled Ransomware: The True Cost to Business, revealed that 80% of organizations that paid a ransom were hit a second time, often by the same threat actors. Instead of paying, organizations should focus on early detection and prevention strategies to stop ransomware attacks before critical systems and data are jeopardized. Other reasons for not paying include:

• No guarantees of retrieving data: Paying the ransom doesn’t mean that you will regain access to your encrypted data. The decryption utilities provided by those responsible for the attack sometimes simply don’t work properly. In the case of Colonial Pipeline in 2021, the company paid a $4.4 million ransom, received faulty decryption keys from the DarkSide Group and had to activate their backups to restore systems. 

• Legal implications: Organizations could end of paying steep fines from the U.S. government for paying ransomware actors that sponsor terrorism. In addition, supply chain ransomware attacks that impact an organization’s customers or partners would result in lawsuits from the impacted organizations. 

• Incentivizing ransomware attacks: Organizations who pay ransomware attackers send the message that the attacks work and it continues to fuel more attacks and higher ransom demands. Like Cybereason, the FBI advises that organizations refrain from paying ransoms because it simply emboldens malicious actors by telling them that extortion works. 

“Ransomware remains the top cybercrime threat and continues to cause significant damage, disruption and financial losses. With criminals seeking to maximise their illicit gains by exfiltrating and exploiting the victim’s data before it gets encrypted, ransomware is an evolving threat and presents a serious cybersecurity risk that requires a networked response. This must include law enforcement and public-private-partnerships such as the No More Ransom initiative,” added Phillip Amann, Head of Strategy European Cybercrime Centre (EC3), Europol.