Ransomware: Cybercrime Public Enemy No. 1
Ransomware continues to solidify its position as the No. 1 online threat targeting public and private organizations. Seeking maximum returns, more gangs have moved beyond opportunistic attacks to target organizations with what experts call "post-intrusion ransomware." Meanwhile, many victims fail to report such crimes to police, hampering law enforcement's ability to disrupt these attacks.
This week, incident response firm Kroll said that ransomware has been the leading cause of the security incidents it has investigated for clients so far this year, accounting for 35% of them. The damage from a single attack can last for months. Last year, an attack against Eurofins Scientific, one of the largest forensic labs in the U.K., created a backlog of 20,000 forensic samples - including DNA and blood samples - that needed analyzing as part of ongoing criminal cases. Even after the lab paid a ransom to its Ryuk-wielding attackers, restoring its systems and clearing the backlog took months.
You don't need an MBA to divine the driver for attackers: Ransomware continues to generate massive revenue, thanks to many organizations opting to pay a ransom in return for a decryption tool or a promise from attackers to destroy stolen data or to not leak it. Thus, an illicit business model continues to be validated and to draw new adherents. The highest-impact threat we're seeing is what we'd call post-intrusion ransomware. Post-intrusion ransomware is distinct from more opportunistic crypto-locking malware attacks, in which individual users might open an attachment that would encrypt everything on their PC, delete the originals and then flash a ransom note. Instead, they're following what we would class as APT-style tactics that we used to attribute to nation-states, to do things to get into environments, get complete control of the environment and then take it over.
Another innovation has been to steal data before crypto-locking systems and then threaten to leak the stolen data unless victims pay. Ransomware incident response firm Coveware has reported that, from April to June, based on the thousands of incidents it investigated for clients, 22% of ransomware cases involved data exfiltration.
More than a dozen ransomware operators now run name-and-shame sites, or use leak or auction sites, to try to pressure victims into paying. These include Maze - which kicked off the trend - as well as Sodinokibi, Ryuk and Egregor. As ransomware attacks continue to surge, the message from law enforcement agencies to victims is simple: Please come forward.