Germany in the top 3 for most ransomware attacks in 2021


The willingness of affected companies to pay ransom demands is turning ransomware into a multi-billion dollar industry. Germany is among the top 3 countries that suffered the most ransomware attacks in 2021.

Cybereason, the XDR company, today published a new whitepaper entitled “RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy”. It examines how ransomware attacks have evolved from a niche activity into a multi-billion dollar mega-industry over the past decade. As RansomOps attacks continue to evolve, ransomware syndicates are enjoying record profits, targeting public and private sector organizations of all sizes.

Ransomware: multi-billion dollar business

Attackers initially took a scattershot approach, primarily attacking individuals. Compared to what was seen in 2020-2021, the ransom demands back then were relatively small. With the advent of sophisticated RansomOps, akin to the covert operations of government threat actors, most organizations now targeted by attackers find it more difficult to defend against ransomware attacks. And as more companies choose to pay ransoms, attackers have ramped up their demands.

“The shift from broad-based ransomware campaigns to targeted attacks on organizations able to pay multimillion-dollar ransom demands has fueled the surge in attacks in 2021. Two RansomOps attacks in particular have attracted a lot of attention over the past year: the attacks on Colonial Pipeline and JBS Foods. Unfortunately, a further increase in attacks is to be expected in 2022. Ransom demands will increase and critical infrastructure operators, hospitals and banks will be targeted,” said Lior Div, CEO and co-founder of Cybereason.

Report describes the four components of RansomOps

  • Initial Access Brokers (IABs): They infiltrate target networks, establish persistence, and move laterally to compromise as much of the network as possible. They then sell access to other attackers.
  • Ransomware-as-a-Service (RaaS) Providers: They provide the actual ransomware code and payment methods. Also, they handle the negotiations with the target and provide other “customer services” to both the attackers and the victims.
  • Ransomware Affiliates: They contract with the RaaS provider, choose the target organizations, and then perform the actual ransomware attack.
  • Cryptocurrency Exchanges: This is where the extorted proceeds are traded and laundered.

To pay or not to pay?

A previous Cybereason report, titled “Ransomware: The True Cost to Business,” shows that 80 percent of companies that paid a ransom were attacked a second time, often by the same attackers. Instead of paying, organizations should focus on early detection and prevention strategies to end ransomware attacks at the earliest possible stage, before critical systems and data are compromised. In addition, there are a number of other reasons not to pay, such as:

No guarantee of data recovery

Paying the ransom does not mean companies regain access to their encrypted data. The decryption programs provided by the attackers sometimes just don't work properly. In the case of Colonial Pipeline in 2021, the company paid a $4.4 million ransom. In return, the company received faulty recovery keys from the DarkSide group and had to activate its backups to restore its systems.

Legal issues

In the US, companies are already facing hefty fines if they pay ransomware actors who support terrorism. Similar regulations are also conceivable in the EU in the future. In addition, ransomware attacks on supply chains that affect a company's customers or partners could result in lawsuits from the affected companies.

Promotion of ransomware attacks

Companies that pay ransomware attackers send the message that the attacks are working. This leads to more attacks and higher ransom demands. Like Cybereason, the FBI advises that companies should not pay ransoms, as doing so only emboldens attackers by showing them that extortion works.

The full report “White Paper: Inside Complex RansomOps and the Ransomware Economy” is available online for free.

More at Cybereason.com

 


About Cybereason

Cybereason offers future-proof protection against attacks through a unified security approach across all endpoints and the entire enterprise, wherever attack scenarios shift. The Cybereason Defense Platform combines the industry's best detection and response methods (EDR and XDR), next-generation antivirus (NGAV) and proactive threat hunting to provide contextual analysis of every element within a Malop™ (malicious operation). Cybereason is a privately held international company headquartered in Boston with customers in over 45 countries.


 
