Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Governance & Risk Management , IT Risk Management

Ransomware: Cybercrime Public Enemy No. 1

Criminal Innovation and Underreporting by Victims Hampering Response
Ransomware: Cybercrime Public Enemy No. 1
Excerpt from the Sodinokibi ransomware-as-a-service operator's auction site for stolen data (Source: Europol's IOCTA 2020 report)

Ransomware continues to solidify its position as the No. 1 online threat targeting public and private organizations.

See Also: How to Take the Complexity Out of Cybersecurity

Seeking maximum returns, more gangs have moved beyond opportunistic attacks to target organizations with what experts call "post-intrusion ransomware." Meanwhile, many victims fail to report such crimes to police, hampering their ability to disrupt these attacks.

"The biggest problem that we face right now ... is ransomware," Ciaran Martin, who until Aug. 31 served as CEO of the U.K.'s National Cyber Security Center - the public-facing arm of Britain's GCHQ intelligence agency - said on Wednesday.

Martin was speaking at a virtual event organized by the Scottish Business Resilience Center, which helps coordinate better cybersecurity and resiliency practices across the public and private sectors.

The professor of practice in the management of public organizations at Oxford University's Blavatnik School of Government noted that the impact of ransomware has continued to surge. "To my very last hours at the NCSC, if the phone rang in the middle of the night and said there's something happening and you need to pay attention to it, I would have thought: 'This is a ransomware attack and it has disrupted a public service,'" he said.

Ciaran Martin, a professor of practice in the management of public organizations at Oxford University's Blavatnik School of Government, talks about ransomware trends.

This week, incident response firm Kroll said that, so far this year, of the many security incidents it has investigated for clients, ransomware has been the leading cause, accounting for 35% of incidents, followed by email compromise at 32%, unauthorized access at 17% and web compromise at 7%.

Cause of cybersecurity incidents investigated this year by Kroll

Unfortunately, some ransomware attacks now appear to have turned deadly. German police have opened a negligent homicide investigation into the death of a woman in critical condition whose ambulance had to be diverted, en route to Düsseldorf University Hospital, because the hospital's operations had been compromised by a ransomware attack. While traveling to the more distant hospital, the woman died.

Ransomware attacks, in other words, are not just a risk to businesses, but also to individuals who rely on services - including emergency healthcare - as they go about their lives.

Last year, for example, an attack against Eurofins Scientific, one of the largest forensic labs in the U.K., created a backlog of 20,000 forensic samples - including DNA and blood samples - that needed analyzing as part of ongoing criminal cases. Even after the lab paid a ransom to its Ryuk-wielding attackers, getting its systems restored and the backlog cleared led to months of delays.

'Their Execution Evolves Constantly'

You don't need an MBA to divine the driver for attackers: Ransomware continues to generate massive revenue, thanks to many organizations opting to pay a ransom in return for a decryption tool or a promise from attackers to destroy stolen data or to not leak it. Thus, an illicit business model continues to be validated and to draw new adherents.

"While ransomware, business email compromise and social engineering are familiar cybercrime threats, their execution evolves constantly and makes these criminal activities more complex to detect and to investigate," the EU's law enforcement intelligence agency, Europol, says in its latest Internet Organized Crime Threat Assessment, released on Monday.

"Ransomware in particular remains a priority threat encountered by cyber investigators across the EU" and beyond, Europol says.

Rise in 'Post-Intrusion Ransomware'

Driven by the massive potential profits, cybercriminals also continue to create more sophisticated attack code and tactics.

"The highest-impact threat we're seeing is what I'd call post-intrusion ransomware," Chris Yule, director of threat research capability at security firm Secureworks, said at least week's Edinburgh, Scotland-based ScotSoft conference, which was held virtually this year.

Post-intrusion ransomware attacks are surging, says Chris Yule, director of threat research capability at Secureworks.

Post-intrusion ransomware is distinct from more opportunistic crypto-locking malware attacks, in which individual users might open an attachment that would encrypt everything on their PC, delete the originals and then flash a ransom note (see: Ransomware 2.0: Cybercrime Gangs Apply APT-Style Tactics).

"Criminal groups ... cottoned on about two years ago that there was a lot more money to be made if you could target entire organizations at once," Yule said. "So, really, [they're] following what we would class as APT-style tactics that we used to attribute to nation-states, [to do] things to get into environments, get complete control of the environment and then take it over. And we've seen that in the news a lot, and we're rapidly seeing much more post-intrusion ransomware incidents across our customer base."

Data Leaks: Added Pressure

Data leaks by ransomware gangs (Source: PwC, September 2020)

Another innovation has been to steal data before crypto-locking systems and then threaten to leak the stolen data unless victims pay.

Ransomware incident response firm Coveware has reported that, from April to June, based on the thousands of incidents it investigated for clients, 22% of ransomware cases involved data exfiltration.

In August, attorney Craig Hoffman, co-leader for the digital risk advisory and cybersecurity team at BakerHostetler, told me that in at least 25% of the recent ransomware cases his firm has helped investigate, attackers claimed to have not just crypto-locked systems but also to have exfiltrated data.

Kroll says that, of the security incidents it has investigated this year, 42% of the ransomware cases have been tied to a ransomware variant "connected to a ransomware group actively exfiltrating and publishing victim data." Increasingly, suffering a ransomware attack means organizations have also experienced a data breach.

More than a dozen ransomware operators now have name-and-shame sites or use leaking or auction sites to try and pressure victims into paying. These include Maze - which kicked off the trend - as well as Sodinokibi, Ryuk and Egregor.

Underreporting of Attacks Continues

One challenge involved in attempts to disrupt ransomware attacks is that many organizations opt to not alert police, especially if they are paying a ransom.

As Europol says in its new report: "Considering the scale of damage that ransomware can inflict, victims also appear to be reluctant to come forward to law enforcement authorities or the public when they have been victimized, which makes it more difficult to identify and investigate such cases."

As ransomware attacks continue to surge, then, here's the message from law enforcement agencies to ransomware victims: Please come forward.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.