June 2024

Ransomware today: Encryption waning, extortion on the rise

Ransomware evolves. More important, the tactics criminals use and the ways in which they monetize ransomware evolve in response to changing conditions.

Many analysts are noting that ransomware criminals are now trending away from the classic strategy of encrypting data and demanding a ransom, and finding other ways to profit from the malware that they unleash upon their victims.


Classic ransomware

Traditional ransomware is used by criminals to infiltrate target networks and seek out valuable or business-critical data. It then allows the crooks to encrypt the data and delivers a ransom demand. In exchange for payment of the ransom, the criminals promise to deliver a decryption key to recover the data. Often this promise goes unfulfilled.

Security measures against ransomware have been evolving — and so have ransomware tactics and techniques.

Because a reliable backup system offers good protection against ransomware — victims can wipe the encrypted data and recover it from backup without paying ransom — ransomware has been developed that is increasingly good at seeking out and compromising backup systems. And, in response, the most advanced backup solutions keep fully encrypted backup files and disguise themselves to prevent detection by ransomware.

New monetization schemes

Criminals have responded by moving away from traditional encrypt-and-ransom techniques. That’s because it’s becoming too complex to both seize control of a target’s data and ensure the target can’t access that data in other ways.

It turns out that it’s far easier to simply copy and steal the data and then demand payment for not making the data public, or to offer it for sale on the dark web. This is what one criminal did with data stolen in a breach of Volvo Cars last December.

And in a memorably devious effort back in 2018, a systems analyst who was helping in his company’s response to a ransomware attack actually went in and altered the payment address on the ransom demand and impersonated the actual attacker in hundreds of emails demanding payment. He was arrested and convicted.

Note that with these new monetization techniques, it doesn’t matter whether the target still has their data — all that matters is that the criminals have it too.

“Ransomware will stop concentrating primarily on encryption in 2023. The capacity of ransomware victims to recover their data without having to pay the attacker for a decryptor is getting better … Cybercriminals have discovered that a ransomware event’s ‘hack and leak’ component offers a second extortion alternative or another revenue stream. As rules and governance requirements become more prevalent, this becomes more obvious.”

— Analytics Insight

The new landscape

Encryption is not going away, but it is becoming a less central part of the effort to monetize ransomware. Of course, if attackers are still able to destroy or encrypt targets’ data while also stealing the data, they will still attempt to sell it back to the target. But the primary threat now is not so much that the target will no longer have their critical data; it is that the data will be breached and exposed.

In today’s increasingly complex regulatory environment, the costs of a major data breach can be astronomical — the average cost globally in 2022 was $4.35 million, and in the U.S. it reached $9.44 million. This provides a lot of incentive for companies that face this kind of extortion to pay up — even if experience shows that this often just leads to more payment demands.

Effective security

Ransomware can infiltrate your network using many different vectors, and even combinations of vectors. This means that to prevent ransomware from getting into your systems, you need to employ a comprehensive, integrated set of solutions and platforms to protect email, applications, network traffic, web interactions, and data wherever it resides.

Barracuda Email Protection, Application Protection, Network Protection, Backup, and Cloud-to-Cloud Backup bring comprehensive, platform-based security that offers the best protection against allowing ransomware into your network.

By Tony Burgess

This article originally appeared on Journey Notes, the Barracuda blog.
