2021 is likely to go down in cybersecurity history as the year of ransomware. The global list of prominent victims ranges from pipeline operators and entire districts to publishers and retail chains.
The Varonis Threat Labs have identified three key trends that will also keep us busy in 2022. Because one thing is for sure: we will have to deal with ransomware again this year, probably even stronger and with even more attacks than 2021.
Ransomware-as-a-Service
In the past year there has been a significant shift towards the ransomware-as-a-service (RaaS) business model, in which groups recruit partners to run certain parts of the operation. These offerings give even less-skilled cybercriminals access to powerful malware and malicious toolkits, lowering the barrier to entry for many would-be attackers.
There are essentially two models: subscriptions, where the ransomware can be used for a fee, and profit sharing, where the operator takes a percentage of the proceeds. The second variant in particular has spawned an entire ecosystem of individual partners, so-called affiliates, and sub-groups that specialize in certain stages of the attack.
Mass scanning techniques seek access
An example of this increasing division of labor and specialization are "Initial Access Brokers" (IABs). Although they are not a new phenomenon, they are currently experiencing a boom. They typically employ mass scanning techniques to identify vulnerable hosts and thus gain initial access to potential victims' systems. Traditionally, this access is sold through underground forums and marketplaces, with prices based on perceived value: access to a large, well-known, and financially strong company costs more than access to a small one. This allows ransomware groups to select their victims very deliberately. Many IABs are now also affiliating or partnering with ransomware groups, effectively becoming subcontractors. In return, they receive a share of the ransom, which is usually more lucrative than the classic sales model.
A higher profit share always reflects a higher risk. Ultimately, the partners, as the "executing arm", run a higher risk of being caught, while the RaaS providers in the background are far less exposed, especially since they often hide their identity even from their partners. Should they nevertheless come under scrutiny from law enforcement, the groups generally go into hiding for a short time, only to regroup later, usually under a different name.
Custom ransomware
Over the past year, Varonis Threat Labs has identified an increasing number of ransomware variants tailored to specific victims. This is meant to make detection much more difficult and to increase the effectiveness of the attack.
Most ransomware threats are executable files that target Windows and are often distributed using botnets. However, attacks are also increasingly directed at Linux-based hosts, including those used for file storage and virtualization (such as VMware ESX).
ALPHV (BlackCat) tailors ransomware
The recently identified ALPHV (BlackCat) ransomware group is developing both Linux and Windows variants. The ransomware is rebuilt for each victim. This includes, for example, the type of encryption used (such as encrypting only parts of large files) or embedding the victim's credentials to allow the ransomware to propagate automatically to other servers.
Not only the ransomware itself but also the amount of the ransom demanded is tailored to the victim: the company's captured financial data is analyzed to determine a sum the victim can afford. In some cases, even cyber insurance policies are examined in detail for the amount of damage covered, which then becomes the sum the cybercriminals demand.
Double extortion becomes the standard
With the "double extortion" approach, data is also stolen before encryption so that the attackers can threaten to publish it and put even more pressure on the victims. Ultimately, it is not the encryption and the resulting system outage that pose the greater threat to companies, but the data theft: the theft and publication of personal data (PII) is not only damaging to reputation but can also result in GDPR fines. Cybercriminals are now even explicitly threatening to involve the relevant supervisory authorities. Leaks of intellectual property can also cause enormous damage if innovative developments thereby become accessible to competitors.
The tactical development is by no means over with double extortion. Ransomware groups are constantly evolving their extortion methods, from a simple ransom note, to "steal, encrypt, and publish" tactics, to contacting customers, employees, authorities, and the press to inform them of the compromise. To add even more pressure, many groups refuse to work with negotiators and urge victims to pay without involving cybersecurity vendors or law enforcement agencies; otherwise, victims would risk higher ransom demands or permanent data loss.
Escalation levels as a means of pressure to pay
Some cybercriminals add yet another escalation level: with this "triple extortion", affected partners or customers are informed directly, or further attacks such as DDoS attacks are threatened. All of these measures ultimately serve to increase the pressure on the victims so that they pay quickly. Apparently with success: it is estimated that ransomware caused damage of 6 trillion US dollars worldwide in 2021. For comparison: the gross domestic product of the Federal Republic of Germany was "only" 3.8 trillion US dollars in 2020.
About Varonis
Since its founding in 2005, Varonis has taken a different approach than most IT security providers by placing company data stored both on premises and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans, and other intellectual property. The Varonis data security platform (DSP) detects insider threats and cyber attacks through the analysis of data, account activities, telemetry and user behavior, prevents or limits data security breaches by locking down sensitive, regulated and stale data, and maintains a secure state of the systems through efficient automation.