Ransomware has become the most chronic and common threat to digital networks. At a time when 41% of all cybersecurity insurance claims flow from ransomware attacks, it’s no surprise that ransomware is top of mind for leading security experts, government officials and law enforcement leaders.
“I think ransomware is going to get worse and I hate to say it, but it’s almost the perfect crime,” Mark Weatherford, chief strategy officer and board member of the non-profit National Cyber Security Center, told attendees at the third annual Hack the Capitol event. “It’s easy to pull off and it’s almost impossible to get caught.”
While major ransomware events grab all the headlines, Weatherford worries about the smaller victims of ransomware attackers. “Small- and medium-sized businesses simply don’t have the resources or the technical acumen to understand the threat environment that they live in,” he said.
Sometimes it can seem like a ransomware attack is inevitable. “A lot of my friends in companies that I talk to on a regular basis literally are waiting for that shoe to drop when they are the victim of a big ransomware event,” Weatherford said.
Ransomware is a big deal and getting worse
“Ransomware is actually a big deal,” Rex Booth, chief of cyber threat analysis at the US Department of Homeland Security’s (DHS’s) Cyber and Infrastructure Security Agency (CISA), said at CISA’s annual Cybersummit. “It may not be the most exciting kind of compromise; it may not always be the most sophisticated. Sometimes it’s honestly easily preventable,” Booth said.
“When you’re suffering through a ransomware incident, none of that matters. It’s a big deal. You can’t access your data. You can’t use your systems, and you don’t know if you’re going to get them back and you’re upset. You’re freaking out.”
Ransomware attacks are increasing in number, ferocity level and origin points, according to Jonathan Holmes of the FBI’s Major Cyber Crimes Unit in Washington, DC. “Over the last year or so, we’ve really seen an explosion in ransomware,” he said at the DHS Summit. “We’ve seen numerous new ransomware groups victimizing individuals. We’ve seen those ransom demands increasing from tens of thousands of dollars in 2015 to hundreds of thousands of dollars. Most recently we’ve seen ransom demands in the millions of dollars range.”
The attackers are also changing their tactics, making it difficult to defend against them. “Those tactics include things like not just encrypting victims’ computer networks but also exfiltrating data on those victim networks,” Holmes said. “Now when victims realize they’ve become a victim of a ransomware attack, it’s not just that their data is encrypted. It’s also that they’ve lost all their — or much of their — information. The ransomware actors are holding that data at risk and telling victims if they don’t pay the ransom, they’re going to leak that data to the public.”
Ransomware actors are forming cartels
Perhaps not surprisingly, ransomware attackers are starting to band together, Holmes said. “We’ve seen some of these ransomware actors entering into a cartel with one another. Under this cartel model, they’ll share information amongst the group members and share intelligence and share techniques. It’s a bit concerning to us as well [because] it shows a major shift change among the ransomware actors.”
The ransomware cartels are forming into business-like organizations with specialization of labor, Jason Conboy of DHS’s Investigations division said. “You have your malware office… and they have effectively built skills to write that malware. You’ve got your money mules. You’ve got the ones that are going to communicate with the victim, try to negotiate a ransom payment. Then they’re going to have the job of moving the money for the bigger organization.” Some ransomware organizations, he added, have customer service members that help you work with the threat actor.
Global economic downturn could accelerate ransomware attacks
“I just like ransomware so much because it’s just such a violent crime to the network,” Mike Moran, who works in major case investigations at the US Secret Service, said at the CISA Summit. “Some people think it’s pretty simple, but it’s actually pretty sophisticated. It’s kind of both. I guess the sophistication might be in its simplicity.”
Like most other law enforcement specialists, Moran doesn’t see an end to the growing ransomware epidemic. “These trends are going to continue just like bank robberies are going to continue until there’s no cash at the bank,” he said. “If people keep paying the ransom…there’s profit to be had in this opportunity.”
Even worse, the coronavirus pandemic could push a lot of non-criminals, seeking to keep food on the table for their families, to start playing the ransomware game, Moran warned. “If we’re really going to be going into a global economic downturn as a result of the coronavirus and all other geopolitical issues, people are going to get more desperate and they’re going to try to go where they can generate income.”
Fueling this potential rise could be the advent of ransomware as a service (RaaS). “You can actually even as a non-techie purchase ransomware as a service to then deploy on any existing computer networks that you might have access to. The elite level of sophistication needed to perpetuate a ransomware attack is almost not necessary,” Moran said.
Finding ransomware actors a challenge for law enforcement
Trying to find these threat actors is a growing challenge for law enforcement. “The tools and techniques that these actors are using are all supported by anonymization,” the FBI’s Holmes said. The ransomware actors are often using the anonymizing Tor network to communicate with one another and to communicate with victims. “That creates problems for law enforcement to identify that infrastructure the bad guys are using.”
Moreover, they use virtual currency such as Bitcoin to receive payments, which can be very challenging to investigate, Holmes said. Sometimes they rely on email providers that don’t keep logs that could otherwise help law enforcement access information about the accounts they use. “It makes our ability to investigate those cases very, very difficult,” Holmes said.
Despite these hurdles, victims should work with law enforcement if they come under a ransomware attack. “We’re putting the pieces together across our own agencies and reaching across to other agencies,” Secret Service’s Moran said. “We can sometimes, but not most of the time, provide decryption key from some of the earlier forms of ransomware and some of the less sophisticated forms.”