Intro
Glancing at the present-day threat landscape, ransomware is top of mind whenever an incident starts flooding the news cycle. It is a constantly growing problem that seems to know no bounds, no organization is immune, and everyone is a potential target. The large number of companies leveraging cloud services and systems always connected to the internet equates to a target-rich environment. Though most actors tend to lean towards financial gain, the interconnectivity of systems across different industries and their associated verticals provides a wide variety of opportunities for impact based on other motives. This is especially worrisome with election cycles on the horizon and the need to secure the systems vital to fair elections. The growth of ransomware has escalated to the point of third-party actors offering ransomware-as-a-service and other illicit products via underground markets for would-be attackers.
Past to Present
Ransomware has been a problem since the [1989 AIDS Trojan, also known as PC Cyborg], which was delivered via floppy disks. The demanded ransom was in the range of hundreds of dollars. A paltry sum compared to the amount listed in ransom notes seen on impacted systems today. Email-based phishing scams were uncommon at the time to paint a picture of the threat landscape in the late 80s/early 90s. Fast forward to today, and we see ever-increasing complexity in the file tradecraft used. Emails with malicious attachments remain the most prevalent, though more sophisticated adversaries have been observed obtaining privileged access such as the case with the Colonial Pipeline event where attackers gained VPN access through an exposed employee password from a previous data breach event.
The Human Cost
Due to the scale of present-day ransomware incidents, recovery and resuming operations can be costly even in cases where ransoms are paid. The time put into remediation and bolstering security after the breach are additional costs that are not often reported in depth. This is particularly problematic for organizations in sectors where ransoms are unlikely to be paid such as government, healthcare, and education. The downstream effects are devastating, costing countless man-hours and in the case of hospital breaches, lives. During the height of the COVID-19 lockdown, several ransomware gangs agreed not to target hospitals to minimize loss of life. Operators associated with cl0p and Maze at the time spoke out against targeting patient-facing health organizations, insisting that their targets are primarily commercial labs and pharmaceutical entities that can afford the hefty ransoms.
Ransomware As An Economy
Like other commercially distributed malware and related “tools”, anything from payloads to fully configured and ready-to-execute ransomware campaigns are available via underground markets with a variety of payment models that rival legitimate software as a service (SaaS) products. Like SaaS offerings, RaaS empowers criminals with low technical aptitude to carry out ransomware attacks for a modest fee or subscription plan. Individual components such as obfuscation tools designed to decrease the likelihood of detection, initial access resources, and exfiltration tools are available and can be customized to an attacker’s specifications and needs. So long as these attacks yield success, a secondary market will exist to facilitate future incidents.
Parting Thoughts
Without a doubt, the most impactful way to defend against ransomware and data extortion actors is to prevent the intrusion in the first place by heading off attacks in the early phases. While prevention is not always possible, it is critical to detect and disrupt attacks as early as possible in the attack lifecycle. Critical intelligence about the ecosystem of ransomware operators and RaaS affiliates shows that partnerships with initial access brokers (IABs) are the enabling element for the vast majority of these attacks.
