Have you seen the latest ransomware numbers? Recent research commissioned by Cohesity found that most companies polled paid a ransom in the past two years—with 79% of respondents saying their company was the victim of a ransomware attack between June and December 2023.
- All respondents said they needed over 24 hours to recover data and restore business processes.
- 94% said their company would pay a ransom to recover data.
- 90% said their organization paid a ransom in the prior two years.
Now, there’s a big headline from a new report from blockchain analyst Chainalysis. Ransomware gangs took more than $1.1B from their victims in 2023.
Does this staggering figure say more about a sophisticated adversary? Or is it an indictment of our resilience to cyberattacks? Well, it’s a bit of both.
Ransomware history
The ransomware—or digital extortion—business is thriving globally and gaining the kind of funds that attract new players and pay for new techniques and resources. Neither the U.S. government’s attempts at sanctions last year nor investigative successes against a number of ransomware groups have prevented record payouts. Company managers must expect that ransomware gangs will continue to adapt their extortion techniques.
It all began with the encryption of files: the origin of the ransom idea can be traced back to the AIDS Trojan of 1989, which demanded the transfer of a modest $189 US dollars to a post office box in Panama in return for the decryption key. Because ransom payments like this couldn’t be scaled easily, these attacks remained largely a niche for just over 20 years. The invention of cryptocurrencies in 2010 made it easier for ransomware gangs to collect ransoms.
Today, ransomware gangs blackmail their victims twice over: First, the victim’s data is encrypted and a ransom is demanded for the decryption key. Second, because the data was also exfiltrated from the company network before encryption, the victim is threatened again with its publication online.
Inhumane scams create even more pressure
In the meantime, cybercriminals have found new ways to put even more pressure on victims. Another scam: triple blackmail. Here, the data is not only encrypted and then threatened with publication; in a third attempt to extract cash, the criminals contact everyone whose data has been stolen and harass them in order to exert even more pressure on the victim organisation.
Several cases in the U.S., in which hospitals were blackmailed, show just how ruthless the groups are. The hackers used stolen patient data to threaten these people with swatting. Swatting involves reporting a serious crime with weapons to the police at the target’s place of residence so that police SWAT teams travel to the alleged crime scene heavily armed. People have been killed in swatting operations in the U.S.
Recently, ransomware groups have involved authorities in their tactics. To promote transparency in cyber incident reporting, regulators are introducing much stricter breach notification rules, one example being the U.S. Securities and Exchange Commission (SEC). Shortly after the new reporting requirement was published, the first case of quadruple extortion occurred. After the usual encryption, extortion, and threats to publish data, the ransomware gang involved then threatened to denounce the victim organisation to the regulator for failing to comply with the reporting requirement for successful cyberattacks.
Imagine being hit by ransomware. Then threatened. Then the attackers file an SEC complaint against you.
Generative AI use by ransomware gangs
All these new developments have massively increased the pressure on organisations to pay ransoms. However, they are by no means the most worrying trend in ransomware. The use of generative AI by ransomware gangs has made detecting phishing by trained users and technical means much more difficult. And the evolution of the entire ransomware business to a ransomware as a service (RaaS) model is disruptive.
Thanks to the economies of scale of the RaaS platform and its thousands of paying subscribers, its operators can now afford to exploit vulnerabilities much faster than even organisations with the most efficient vulnerability management system can patch them. This has led to several highly effective campaigns targeting file transfer services and internet fraud infrastructures over the past year. Such RaaS platforms have also resulted in many new entities conducting ransomware attacks, as these “affiliates” no longer need the prerequisite technical expertise to conduct the attacks themselves.
Neglected stress tests at companies
And then there’s the other side of the equation, which is how organizations are equipped to respond to and recover from ransomware. Many IT operations teams and backup administrators prepare for cyber incidents as they would for a business continuity or disaster recovery scenario. The problem? BC/DR incidents have a limited number of root causes that can be quickly identified, so for those types of incidents we can largely orchestrate and automate the response and recovery efforts.
In cyber incidents, we are dealing with an adversary that is constantly adapting. We need to fully understand the incident first before we can take the appropriate steps to mitigate the risk of further attack before we bring the systems back online:
- What are my regulatory obligations to notify data subjects and regulators based on data exfiltrated?
- What controls were missing, failed to stop or detect the attack, or were circumvented?
- What persistence mechanisms were added by the attacker to re-propagate the ransomware?
- What malicious accounts or other artifacts were added?
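One way to work through the last three questions before systems are restored is to diff a known-good baseline of each host against a post-incident snapshot, so that added accounts and persistence entries, and disabled controls, are listed explicitly. The script below is an added example, not code from the original post or from Cohesity; the baseline, snapshot, host artifact names and the `diff_artifacts`/`restore_blockers` helpers are all constructed for illustration.

```python
"""Added example (not from the original post): compare a pre-incident baseline
with a post-incident snapshot to surface accounts, scheduled tasks, services
and autorun entries that appeared (possible persistence) or disappeared
(possible disabled controls). All data below is constructed."""

ARTIFACT_KINDS = ("accounts", "scheduled_tasks", "services", "run_keys")

# Constructed baseline, e.g. from a configuration export taken before the incident.
BASELINE = {
    "accounts": {"Administrator", "svc_backup", "j.doe"},
    "scheduled_tasks": {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    "services": {"Spooler", "WinDefend"},
    "run_keys": {"SecurityHealth"},
}

# Constructed post-incident snapshot of the same host.
SNAPSHOT = {
    "accounts": {"Administrator", "svc_backup", "j.doe", "support$"},
    "scheduled_tasks": {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Updater"},
    "services": {"Spooler"},  # WinDefend absent: a control that may have been disabled
    "run_keys": {"SecurityHealth", "OneDriveSync"},
}


def diff_artifacts(baseline, snapshot):
    """Return {kind: {"added": [...], "removed": [...]}} with sorted lists.
    Added entries are candidates for attacker-created accounts or persistence;
    removed entries point at controls that may have been switched off."""
    report = {}
    for kind in ARTIFACT_KINDS:
        before = baseline.get(kind, set())
        after = snapshot.get(kind, set())
        report[kind] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return report


def restore_blockers(report):
    """Flatten the report into the list of items that must be reviewed and
    cleared before the host is brought back online; empty means no change."""
    items = []
    for kind, changes in report.items():
        items += [f"{kind}: added {name}" for name in changes["added"]]
        items += [f"{kind}: removed {name}" for name in changes["removed"]]
    return items


if __name__ == "__main__":
    for line in restore_blockers(diff_artifacts(BASELINE, SNAPSHOT)):
        print(line)
```

In practice the two dictionaries would be populated from whatever inventory or configuration-management export the organisation already keeps, which is only possible if that baseline was captured before the incident.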
The importance of ransomware preparedness
Taking these investigatory steps when your communications, collaboration, security tools, and backups have been compromised by ransomware is a challenge. Trying to use endpoint security agents for investigation after you have quarantined your network to contain the spread of the ransomware, or trying to classify impacted data to determine reporting requirements after it has been encrypted, is impossible. Many organisations think their RTO for a cyber incident comes down to the speed of disk, pipe, and recovery solution—yet they often fail to factor in the time the response process will take.
Ransomware preparedness is the single most important step organisations can take to increase their cyber resilience, by ensuring both their response and recovery processes are effective and efficient. There are invaluable lessons to be learned from taking part in a realistic tabletop exercise led by people who have dealt with ransomware outbreaks, such as those Cohesity is running: business decision-makers go through a simulated ransomware attack and find out whether they are well prepared, where they have gaps, and what suitable practices exist to close those gaps.