Ransomware
Cyber Resilience
Risk Management

Nexus Podcast: Christiaan Beek on Ransomware’s Continued Profitability

Michael Mimoso
May 1, 2025


For more than a decade, ransomware has been an online criminal’s most direct path to revenue and profit. Strategies and innovations such as ransomware-as-a-service have driven the evolution of these attacks. Targeting has shifted as well, from the individuals hit in ransomware’s early days to the for-profit campaigns that began with Cryptolocker in 2013.

On this episode of the Nexus Podcast, Rapid7 Senior Director of Threat Analytics Christiaan Beek explores the economics of ransomware and the continued profitability and success of it as an attack vector. 

“[The security industry] has put a lot of effort into innovation, and we’re very good at it I would say, and still they are steps ahead of us,” Beek said, adding that the lucrative nature of ransomware continues to attract threat actors, especially those in areas of the world where extradition and collaborative legal takedown efforts are difficult. 

Cryptocurrency Changed Profit Game for Ransomware

Cryptolocker showed the way to profitability with a long-running campaign, starting in 2013, that spread through email and the Zeus botnet and encrypted files on local and network drives. Victims inside enterprises were given a deadline to meet the ransom demand, and payment had to be made in Bitcoin.

“Cryptolocker adding Bitcoin to anonymize and hide transactions made it interesting for criminals to get into this model,” Beek said. “That was the spike that kicked off this model.”

Since then, ransomware has cost companies in every critical infrastructure sector billions of dollars in downtime and recovery costs, including payments to ransomware gangs and companies acting as negotiation intermediaries between victims and criminals. 

Ransomware tactics, meanwhile, have evolved in parallel. Today, ransomware is usually part of a double-extortion campaign: a threat actor gains access to a victim’s network, moves laterally and quietly while copying customer or proprietary data, and sets up a leak site where the stolen data will be published. Victims are then threatened with both an embarrassing data leak and encrypted systems, forcing companies to decide quickly whether to pay.

Edge Devices Newly Targeted by Ransomware Gangs

Beek warns of several new innovations that enterprises worldwide must be wary of. 

“They are going to the edge of networks, compromising firewalls, routers, or your file-transfer systems and if you are on that device, you can go directly to the network and stay under the radar. They are sophisticating on that front,” Beek said, explaining that an attacker on a VPN can create an account and look like normal network traffic. “Part of that is of course since people keep paying the ransoms, we are giving them the money to buy zero-days.”

The BlackBasta ransomware gang’s leaked chats demonstrated this dynamic, Beek said. 

“They state ‘Yes, we bought a zero-day for $200,000.’ All funded by victims, and at the same time make more victims because when a zero-day hits, you’re toast,” Beek said. 

Another concerning ransomware innovation on the horizon is attacks targeting hardware, particularly deep in the BIOS. Chatter in the Conti leaks has surfaced about UEFI-based attacks that persist across reboots and give a threat actor hard-to-detect persistence on a machine.

“We can’t clean it, it’s hard to detect,” Beek said. “Maybe if we’re lucky, we can detect in memory, but a lot of people don’t want (security technology) to scan memory.”

Beek advises organizations to lock down basic security hygiene, especially on edge devices, and to ensure that protections such as multi-factor authentication are implemented and configured properly. He also advises work at the internal policy level, such as incident response planning, tabletop exercises, and more.
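The pattern Beek describes above, an attacker who lands on a VPN or firewall, creates an account and then blends in as ordinary remote traffic, is one that edge-device audit logs can surface if someone actually reads them, and it ties directly to his advice that MFA on those devices be configured properly. The following is an added example written for this page, not code from Rapid7, Claroty or the podcast. The log format is an assumption: a constructed, simplified syslog-like line of `timestamp device EVENT key=value...`, and the sample lines, device names, user names and the `CHG-4411` ticket are all made up for illustration. The checks it runs over those lines are the ones a practitioner would want here: account creation on an edge device with no change-control reference, a VPN login that completed without MFA, and a VPN login by an account that was created out of process within the last week.

```python
"""Flag suspicious account activity on edge devices (VPN gateways, firewalls).

Added example for illustration; not code from the podcast or its guests.
Assumed (constructed) audit-line format:
    <ISO-8601 UTC timestamp> <device> <EVENT> key=value [key=value ...]
"""
from datetime import datetime, timedelta

# Constructed sample audit lines; devices, users and ticket id are hypothetical.
SAMPLE_LOG = """\
2025-04-28T02:13:04Z fw-edge-1 USER_CREATE user=svc_backup by=admin src=203.0.113.7
2025-04-28T02:15:40Z vpn-gw-1 VPN_LOGIN user=svc_backup src=203.0.113.7 mfa=none
2025-04-28T08:02:11Z vpn-gw-1 VPN_LOGIN user=jsmith src=198.51.100.23 mfa=totp
2025-04-29T09:30:00Z fw-edge-1 USER_CREATE user=ops_oncall by=admin src=10.0.5.12 ticket=CHG-4411
2025-04-29T09:45:00Z vpn-gw-1 VPN_LOGIN user=ops_oncall src=10.0.5.12 mfa=totp
"""

# How long after creation a login by a new, unticketed account is still "new".
NEW_ACCOUNT_WINDOW = timedelta(days=7)


def parse_line(line: str) -> dict:
    """Parse one audit line of the assumed format into a dict."""
    ts, device, event, *pairs = line.split()
    rec = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "device": device,
        "event": event,
    }
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def find_suspicious(log_text: str, window: timedelta = NEW_ACCOUNT_WINDOW) -> list:
    """Return a list of findings (dicts with ts, device, user, reason).

    Rules:
      1. USER_CREATE on an edge device with no ticket= field (out-of-process change).
      2. VPN_LOGIN with mfa=none (MFA not enforced, or bypassed, for that account).
      3. VPN_LOGIN by an account created without a ticket within `window`.
    """
    findings = []
    created = {}  # user -> USER_CREATE record seen earlier in the log
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        base = {"ts": e["ts"], "device": e["device"], "user": e.get("user", "?")}

        if e["event"] == "USER_CREATE":
            created[e["user"]] = e
            if "ticket" not in e:
                findings.append({**base, "reason": "account created on edge device without change ticket"})

        elif e["event"] == "VPN_LOGIN":
            if e.get("mfa", "none") == "none":
                findings.append({**base, "reason": "VPN login without MFA"})
            origin = created.get(e["user"])
            if origin is not None and "ticket" not in origin and e["ts"] - origin["ts"] <= window:
                findings.append({
                    **base,
                    "reason": f"VPN login by account created out of process within the last {window.days} days",
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['device']} {f['user']}: {f['reason']}")
```

On the constructed sample the only account that trips any rule is `svc_backup`: it was created with no ticket, logged in to the VPN two minutes later, and did so without MFA, which is exactly the "create an account and look like normal traffic" sequence. `ops_oncall` was also created and used within minutes, but with a ticket and MFA, so the rules stay quiet; correlating creation with change control is what separates the two, not the timing alone.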

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
