Ransomware becomes increasingly professionalized
The world of ransomware is becoming increasingly professional and it’s easier than ever for new entrants to get into the business.
A new report from Tenable looks at the ransomware ecosystem and how it has become one of the biggest threats to organizations as well as being lucrative for the criminals behind it.
In 2020 alone, ransomware groups are thought to have earned $692 million from their collective attacks, around five times more than the combined figure for the previous six years.
One of the main reasons for ransomware's success is the rise of the as-a-service model which has attracted more players and lowered the entry barriers. Ransomware groups provide the software, then others known as affiliates do the work of gaining initial access into an organization before deploying the ransomware.
"If you're a cyber criminal that just wants to get into the game you don't have to actually learn the skills to develop ransomware," says Satnam Narang, senior staff research engineer at Tenable. "You can go and purchase a kit from any one of these ransomware groups and they incentivize you to come and join their efforts because they want to entice you to become an affiliate. By being an affiliate, you're guaranteed anywhere from 70 to 90 percent of the profits from the ransom."
Other changes include the pioneering in 2019 of double extortion, which involves threatening to leak stolen data online if companies won't pay a ransom to unlock their files. This is part of an increasingly layered approach to extortion.
"Attackers know that the more pressure placed on businesses, the more likely they are to actually pay the ransom demand," adds Narang. "So if you DDoS a victim of your ransomware and you prevent their website from being accessed, customers start complaining. There's no way for them to provide any sort of centralized updates about downtime affecting the business. Or if you contact customers of these businesses, for example, that's another technique that's very interesting because you're going after their business and saying, 'Hey, this company that you work with was hit by ransomware and your data is in that cache that we stole, and we're gonna leak that data. So if you don't want that data leak, you need to apply pressure on your company that you're partnering with, to pay the ransom.'"
Another key part of the ransomware business model is the rise of Initial Access Brokers (IABs), groups that specialize in gaining access to organizations to allow ransomware affiliates to follow up with a malware infection.
The new professionalism is even reflected in the way ransomware operators work, says Narang: "Researchers that have actually analyzed some of these ransomware groups found that they work like a regular business working normal business hours, you clock in, you do your work and then you clock out."
You can read more in the full report available from the Tenable site.