Ransomware is software that blocks access to information systems until a ransom is paid. It has become the primary threat in the cybersecurity field. Ransomware attacks have a serious impact on companies and often allow cybercriminals to pocket tens if not hundreds of millions of euros in ransom payments. These attacks succeed for two reasons: the high profitability of operations and the perpetrators’ virtual impunity.
In March, The Record interviewed Unknown from the REvil/Sodinokibi group, which offers ransomware-as-a-service to criminals to carry out extortion, data theft, and system destruction attacks to gain money from victims and/or buyers. In response to the question of whether it targets those carrying cybersecurity insurance policies, Unknown responded, “Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.” Not long after, Chicago-based commercial insurer CNA got hit with a ransomware attack. The latest update from CNA in April confirms a “sophisticated ransomware” attack occurred. It has also committed that “once our investigation is complete, we will notify any impacted parties as appropriate.”
What we know at this point is that criminals have developed sophisticated tactics (the ransomware), distribution mechanisms (like REvil), and the patience for bringing down bigger prey (like CNA). The ability to breach one of the largest organizations that exist to underwrite cybersecurity risk is compelling evidence that the bear is now chasing the faster, tastier runners. If the criminal networks possess a listing of insured companies and the amounts they are insured for, they have created a menu of the tastiest morsels to target.
Along with the rise of big-game hunting in 2020, we saw the emergence of a number of high-profile groups in the ransomware world. Criminals discovered victims would be more likely to pay ransoms if they could establish some form of reputability beforehand. To ensure that their ability to restore encrypted files would never be questioned, they cultivated an online presence, wrote press releases and generally made sure their name would be known to all potential victims. But by placing themselves under the spotlight, such groups hide the actual complexity of the ransomware ecosystem. From the outside, they may appear to be single entities; but they are in fact only the tip of the spear. In most attacks there are a significant number of actors involved, and a key takeaway is that they supply services to each other through dark web marketplaces.
Botmasters and account resellers are tasked with providing initial access inside the victim’s network. Other members of this ecosystem, which we’ll name the red team for the purpose of this discussion, use this initial access to obtain full control over the target network. During this process, they will gather information about the victim and steal internal documents. These documents may be forwarded to an outsourced team of analysts who will try to figure out the actual financial health of the target, in order to set the highest ransom price that they are likely to pay. Analysts will also keep a lookout for any sensitive or incriminating information which may be used to support their blackmail tactics – the goal being to put maximum pressure on decision-makers.
When the red team is ready to launch the attack, it will purchase a ransomware product from dark web developers, usually in exchange for a cut of the ransom. An optional role here is the packer developer, who may add protection layers to the ransomware program and make it harder for security products to detect during the few hours it needs to encrypt the whole network. Finally, negotiations with the victims may be handled by yet another team, and when the ransom is paid out, a whole new set of skills is needed to launder the cryptocurrency obtained.
An interesting aspect of all this is that the various actors in the “ransomware value chain” do not need to personally know each other, and in fact they don’t. They interact with each other through internet handles, paying for services with cryptocurrency. It follows that arresting any of these entities (while useful for deterrence purposes) does little to slow down the ecosystem, as the identity of co-perpetrators cannot be obtained, and other suppliers will immediately fill the void that was created.
Since the end of 2019 and the emergence of the Maze criminal group, ransomware attacks coupled with data theft and blackmail to ensure non-disclosure have become commonplace and have given rise to direct negotiations between the attacker and the victim. This type of attack is now widespread: in its report on the threat posed by ransomware in France in 2020, the French National Agency for Information Systems Security (Anssi) registered a 255% increase in reported attacks compared with 2019.
These attacks have had many targets. They have been aimed at large groups in particular, but smaller organizations have also been targeted. However, while only attacks on local authorities or hospitals have received media coverage, numerous other attacks have hit every sector. These attacks were predominantly opportunistic in nature, but some were planned specifically to guarantee the payment of a ransom. Cybercriminals choose their targets based on the assailed company’s solvency, its operational status or the fragility of its information systems.
Increasingly, profits generated by these attacks and the feeling of impunity – due to the authorities’ limited ability to punish cybercriminals – have led to the emergence of a real ransomware ecosystem within cybercrime (the next article will address the details of this ecosystem).
It should be noted that, in early 2021, law enforcement operations destabilized this ecosystem by dismantling and arresting well-established groups (e.g., Emotet and Netwalker), and by conducting targeted operations on users of these attack systems (e.g., those that hit Egregor). These operations are crucial: they have had a direct (and major) impact on the groups involved, as well as a deterrent effect on others. After Netwalker was dismantled, Ziggy and Fonix announced they were ceasing their cybercriminal activities. Despite this very promising development, dozens of platforms could replace them, and the medium-term effects remain uncertain.