Digital Hostage-Taking: The What, How, and Why of Ransomware

The first half of 2021 saw 151% more global ransomware attacks than the first half of 2020.

Ransomware is well and truly on the up and up. SonicWall recorded an unprecedented 304.7 million attempted ransomware attacks in the first half of 2021, stating in their Mid-2021 Cyber Threat Report:

Even if we don’t record a single ransomware attempt in the entire second half [of 2021] (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded.” – SonicWall Mid-2021 Cyber Threat Report

Though the US seems to bear the brunt of this increase in terms of sheer volume of attacks, it doesn’t mean that we on the other side of the pond can breathe easy. The same report shows that though North America suffered an 180% increase in ransomware, ransomware attacks in Europe increased by 234%.

So that’s the eye-watering scale of the issue… but what exactly is ransomware? And how did the problem get quite this dire? Let’s find out.

What is Ransomware?

Ransomware is a kind of malware virus that effectively threatens crucial data and/or IT systems in order to extract a “ransom” payment from infected victims. Ransomware is often designed to encrypt valuable data or block access to crucial IT assets unless a payment is received, effectively holding those assets to ransom. Though as we’ll discover, there are numerous ways that criminals use ransomware to extort payment from victims.

How Ransomware Works

Ransomware is malware, so it can reach you in any way that a computer virus can: through dodgy links, infected emails, targeted code-injection attacks, remote access vulnerabilities, baiting attacks, and more. Ransomware can be used in targeted attacks against a particular victim or group, or it can be released to the wild to cause indiscriminate damage across the web.

Once infected, each device will generally display a message that explains the criminals’ intentions and provides instructions on how to pay their ransom. In order for attackers to preserve their anonymity, ransom payments are usually demanded in the form of cryptocurrency.

There are numerous ways criminals try to extort payments from organisations through ransomware, but encrypting important data until a ransom is paid is commonly part of the grift. Once a device is infected, ransomware is usually designed to spread across networks like wildfire and can take down whole premises, companies, even supply chains in a matter of minutes.

Even if the victim pays the ransom, there’s no guarantee that the criminals will simply decrypt the affected data or otherwise settle things in the victim’s favour. They’re criminals, after all, they’re not exactly known to keep promises.

In cases of encryption ransomware, the victim theoretically could revert to a backup. But without forensically knowing when the malware first breached their systems, they could end up rolling back to a time where the infection was simply lying dormant on their network. This is why evasion measures and forensic security monitoring are so important in the fight for cybersecurity.

Ransomware Trends: Double-Extortion and Triple Extortion

Blocking access to data and IT systems through encryption is often enough to elicit a ransom payment out of victims. However, cybercriminals are increasingly aware that organisations with good backups can effectively restore order without having to spend a single penny. It’s likely for this reason that criminals are moving away from ransomware that relies on a single point of extortion (like just encrypting data) and are increasingly hatching insidious double-extortion and triple-extortion schemes.

For example, a double-extortion ransomware attack may steal data from an infected machine before encrypting the victim’s copy of the data. Then the criminals have both the stolen data and the encrypted systems as leverage over their victims. Because that’s two extortion methods, that’s double-extortion.

In this case, even if the victim is able to reinstate their systems from a backup, the criminals still have a failsafe: they can threaten to release the stolen data to the public if the ransom isn’t paid. This may include confidential intellectual property or personal data belonging to employees or customers, so such a release could get messy for the victim.

Theoretically, criminals can layer as many extortion factors as they like into a single ransomware attack, enacting triple-extortion attacks, quadruple-extortion attacks, and more. Additional extortion factors can involve threatening to infect a supplier or associate company with malware; pressurising the victim by going/threatening to go to the press; or using/threatening to use DDoS attacks to hamper operations; and other evilly inventive ways to create extra leverage.

Some High-Profile Ransomware Attacks

WannaCry Attack

This encryption ransomware attack was felt throughout the world, affecting numerous private and public bodies including the UK’s NHS, numerous state governments in India, Germany’s national railway service, Boeing Commercial Airplanes, as well as countless universities, law enforcement agencies, and international brands.

Within a day of its release in May 2017, WannaCry had reportedly infected over 230,000 computers across more than 150 countries. Any PC without Microsoft’s security update released that March was susceptible to encryption and ransom. For all of the media hubbub about organisations’ reliance on older, unsupported versions of Windows, Kaspersky Labs found that 98% of infections happened to PCs running Windows 7, which was current at the time. With such a wide-scale attack, there’s no single outcome to report here. Some victims will have paid up, some will have used the kill-switch promptly discovered by MalwareTech, and others will have been able to restore their systems from backups. There are far too many tales to tell!

Kaseya VSA Attack

Kaseya is a Florida-based software company which develops software to help manage networks and IT infrastructure remotely. Kaseya’s VSA (Virtual System Administrator) software is used by managed service providers around the world to manage their clients’ IT. In July 2021, this VSA software was compromised and reconfigured to distribute a malicious ransomware payload to the clients of MSPs using Kaseya VSA.

Kaseya reported that between 800 and 1,500 businesses were affected by the attack and infamous Russian hacking group REvil took credit for it. Kaseya was later able to release a decryption tool that they obtained from a “trusted third party”.

The Colonial Pipeline Attack

The Colonial Pipeline provides the US’s east coast with about 45% of all of its fuel. In May 2021, a ransomware attack hit the Colonial Pipeline Company’s billing systems, encrypting their data and threatening to release 100 gigabytes of data stolen from them unless they paid a ransom – a textbook double-extortion attack.

Though the attack didn’t directly impact flow or pumping systems, the pipeline was shut down as a precaution to prevent the infection from spreading to pumping hardware – and also reportedly due to an inability to bill their customers. This shutdown caused a rash of panic buying at petrol stations across south-eastern states, resulting in fuel shortages.

Alas, the company were compelled to pay the ransom of nearly 75 Bitcoins ($5 million) and in return they got an insultingly slow decryption tool that was promptly outpaced by the firm’s own backup measures.

Why Are Ransomware Attacks Increasing?

view, the current prevalence of ransomware is due to a culmination of various factors:

  • Companies Are Poorly Prepared: Unfortunately, many companies still suffer from an “it’ll never happen to me” mindset – regardless of their size or importance! And companies who don’t have a sound plan of action ready to go when ransomware strikes will naturally be more tempted to pay up.
  • One Attack Can Mean Big Bucks: Ransomware has become quite the “low effort, high return” endeavour for criminals. Activities like credential theft and social engineering can involve a lot of preliminary work; and besides, with users and filtering tools becoming savvier, it’s more of a gamble as to whether those attacks will pay off. However, many organisations will sit up and take notice when threatened with such a direct threat to data or productivity.
  • Ransomware-as-a-Service Exists: Cybercriminal operations are now run much like legitimate businesses. Would-be hackers can basically outsource the whole ransomware creation, deployment, and payment-receiving process much like any professional service you care to mention. Yikes.
  • We Rely on Tech More Than Ever: As more and more of our professional and personal lives are tethered to technology, the more likely we are to drop the ball, let our guard down, and let an exploit in. And as above, if we don’t have a plan to get our data back or secure our privacy, we’re more likely to pay a ransom.
  • Cryptocurrency Is Gaining Legitimacy: For better or worse, cryptocurrency is becoming somewhat mainstream. Generally, cryptocurrencies allow payments to be made and received with surprising levels of anonymity. Cybercriminals no longer need to risk highly visible bank transfers or scammed gift card codes – they can instantly receive as much as they like through a relatively anonymous payment channel.
  • Crypto Makes it Harder to “Follow the Money”: When law enforcement investigates organised crime, one of the main tactics they’ve used in the past is to “follow the money”. However, with cryptocurrencies being somewhat anonymous and notoriously hard to trace, this crucial tactic has become far more difficult. Yet despite this, cryptocurrencies can technically be traced… but only with a considerable amount of effort and resources. All the more for hackers to be happy about.

Double- and Triple-Extortion Increases the Threat: As we’ve discussed, criminals can increase their leverage over a victim by threatening their access to their data, the privacy of their data, and really put the pressure on them to pay up, all without blowing their cover.

These factors all lead to a perfect storm. Ransomware is a criminal’s easy, safe, and lucrative option – and one that hits the underprepared hardest.

Need some help keeping the cyber-nasties off your network? Or maybe you need to put together a pre-emptive cyber-incident response plan? Don’t fret – get in touch with the friendly experts at Just Firewalls and claim your free discovery call. Request a call back today!