Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Ransomware Gangs' Ruthlessness Leads to Bigger Profits

Both the Volume of Successful Attacks and Victims' Payoffs Have Been Rising
Ransomware Gangs' Ruthlessness Leads to Bigger Profits
Partial heat map of ransomware attackers' tactics, techniques and procedures, from red (most prevalent) to green (Source: Group-IB)

Criminals continue to tap ransomware, backed by more advanced network penetration techniques, hitting larger targets and leaking data in an attempt to maximize their illicit paydays.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

In a new report into ransomware attackers' tactics, cybersecurity firm Group-IB estimates that the volume of ransomware attacks increased 40 percent from 2018 to 2019. Group-IB's Oleg Skulkin, a senior digital forensics analyst, says 2019 was when we saw ransomware attackers "shifting to larger targets and increasing their revenues."

The increase in attacks and revenue is significant because many criminals had begun shifting away from ransomware attacks in late 2017, preferring to focus instead on stealing cryptocurrency and installing illicit cryptocurrency-mining software. But with the crash in the value of bitcoins and other digital currencies, many criminals have once again adopted ransomware.

Ransomware-wielding criminals are also growing increasingly ruthless, based on the size of their extortion demands and increasing propensity to leak data in an attempt to force victims to pay, say attorneys David Kitchen and Anthony P. Valach, who are both partners at BakerHostetler (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

Source: BakerHostetler's investigations into 2019 breaches (n=1,000+)

Based on the more than 1,000 incidents investigated by their law firm in 2018, the average ransom paid was $28,920 and the largest payment was $250,000. In 2019, however, the average ransom paid jumped to $302,539 while the largest single payment was $5.6 million.

"Questions had arisen in years past as to why ransomware demands seemed relatively low. By deploying ransomware, the threat actors were crippling a company’s ability to function but would often settle for a five-figure ransom while the victims were losing hundreds of thousands or millions of dollars a day due to the business interruption," they write in a report analyzing 2019 data breaches. "Whatever the reasons, threat actors changed their approach, and 2019 was the year they were ready to increase the stakes. And 2020 has only seen these trends continue."

Competition Drives Upskilling

With more competition among gangs for targets, both attackers and ransomware suppliers have upped their game, technically speaking. Experts say some gangs, using their own ransomware code or ransomware-as-a-service offerings, are hacking targets using advanced network penetration tactics that until recently would have been the domain of advanced persistent attackers with nation-state ties, rather than run-of-the-mill crime gangs (see: Ransomware 2.0: Cybercrime Gangs Apply APT-Style Tactics).

Click to expand: Heat map of ransomware operators' tactics, techniques and procedures (TTPs) based on MITRE’s ATT&CK matrix, ordered from the most commonly used (red) to the least commonly used (green). Source: Group-IB

Since 2018, more sophisticated RaaS service offerings, such as GandCrab, have enabled criminals to procure high-quality crypto-locking malware from third-party developers, in return for affiliates sharing a cut of any ransom paid with the operators. Security experts say that's opened up the market and lowered barriers to entry to less-skilled criminals, who often see a significant return on their investment.

And ransomware continues to improve. After GandCrab's supposed retirement 12 months ago, the operators behind what may be its spinoff, Sodinokibi - aka REvil, have taken up the RaaS mantle. Beyond continuing to refine the malware to make it tougher to detect, the operators' innovations include providing the ability for a victim to pay one ransom to receive an unlock tool for all crypto-locked systems inside their organization. Following in the footsteps of the Maze gang and others, Sodinokibi's operators have also created a dedicated leak site to help affiliates automatically name and shame victims and begin leaking stolen data if they don't pay attackers' ransom demand (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

Attackers wielding Sodinokibi apparently are second only to Ryuk in terms of the size of the average ransom payment they're seeing from victims, when they pay (see: Ransomware Reminder: Paying Ransoms Doesn't Pay).

Another measure of ransomware's success: From the last quarter of 2019 to the first quarter of 2020, ransomware incident response firm Coveware reports that. based on the more than 1,000 incidents it investigated, the average enterprise ransom payment increased by 33% to reach more than $111,000.

Source: Coveware

But it said the median payment has remained relatively stable, at about $44,000 in the first quarter, up just slightly from the final few months of 2019 (see: Ransomware: Average Business Payout Surges to $111,605).

The rise in the average payment reflects not just the large quantity of attacks taking place, security experts say, but also the increasing frequency of some gangs scoring extra-lucrative hits. For now, that trend looks like it will continue.

'Big-Game Hunting'

In 2019 as well as this year, security experts say, more ransomware gangs have been practicing what industry watchers sometimes call "big-game hunting," meaning taking down larger targets.

The shift to larger targets has been driven by ransomware-wielding attackers seeking bigger ransom payments, Group-IB says. Starting in 2019, "ransomware-as-a-service advertisements opted to focus their attacks on big enterprise networks rather than individuals," it notes.

Beyond bringing more APT-type tactics to bear, more attackers also started targeting supply chains and exploiting one organization to gain access to a partner organization, it says.

Click to enlarge: Ransomware attacks against the financial sector, outside the U.S. (Source: Recorded Future)

One reflection of this trend to hit bigger targets has been attackers focusing more on financial services firms, at least outside the U.S. "Attacks on non-U.S. financial institutions have been on the rise, and the attacks have been spread across all major ransomware gangs," Allan Liska, a senior solutions architect at threat intelligence firm Recorded Future, tells Information Security Media Group.

"There is not a single ransomware threat actor that is focusing on these targets more than other groups; they are all looking for any way to make money through the attacks," Liska says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.