The rising stakes of ransomware attacks

Ransomware is the defining cyberattack of our era. Over the last two decades, threats have evolved from the worm era, which lasted from 2000 to 2004 and was characterised by malware such as the infamous ILOVEYOU worm, through the monetisation era from 2005 to 2012, and into the current age of ransomware.

COVID-19 has amplified ransomware attacks, with many of the malware's delivery vectors being phishing emails that reference the pandemic. At the same time, ransomware and the tactics used by cybercriminals are evolving. Where criminals were once content to gain access to a system, encrypt the data, and demand a ransom, they are now also exfiltrating the data and holding it hostage.

This data theft means that ransom fees are rising, and many companies are paying up in a bid to avoid the regulatory scrutiny (along with associated fines and reputation loss) that comes with their data being stolen and then released publicly.

The rising cost of ransomware

In Singapore, the number of ransomware cases reported to the Cyber Security Agency of Singapore has risen by 154% over the last year. Small- and medium-sized enterprises were reported to be affected the most, alongside sectors such as manufacturing, retail, and healthcare.

According to the latest report from Sophos, The State of Ransomware in 2021, the total bill for rectifying a ransomware attack in Asia-Pacific and Japan (APJ) was US$2.76 million – a figure higher than the global average of US$1.97 million. In Singapore alone, the average cost of remediating a ransomware attack, including business downtime, lost orders, operational costs, and more, has more than quadrupled from US$832,423 in 2020 to US$3.46 million in 2021.

The report also found that the average ransom paid by organisations in APJ was US$123,634. However, even after paying the ransom, only 5% of organisations were reported to have gotten back all their data, with 19% getting back no more than half of their data.

The motivation behind ransomware attacks

With numerous high-profile attacks on businesses in Singapore over the last few months, it has become clear that the business model for ransomware is evolving rapidly and that its influence over the threat landscape is increasing.

The ransomware landscape is becoming both more modular and more uniform, and is so effective and lucrative for attackers that they are pulling in other cyberthreats such as Initial Access Brokers (IABs), loaders, and droppers to create one massive, interconnected ransomware delivery system.

Adversaries are now offering different elements of an attack “as a service” and provide playbooks with tools and techniques that enable different criminal groups to implement very similar attacks. Some of the most high-profile ransomware attacks of 2021 involved ransomware as a service (RaaS), including an attack against Colonial Pipeline in the United States by a DarkSide affiliate.

Another case in 2021 involved an affiliate of the Conti ransomware operation who leaked the implementation guide provided by the operators, revealing the step-by-step tools and techniques that attackers were expected to use to deploy the ransomware.

Looking ahead, throughout 2022, RaaS developers will begin investing their time and energy into creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies, and negotiators.

These malware creators will start offloading to others the tasks of finding victims, installing and executing the malware, and laundering the extorted cryptocurrencies. Once they have the malware they need, RaaS affiliates and other ransomware operators can turn to IABs and malware delivery platforms to find and target potential victims.

Before we know it, “commodity” cyberthreats such as loaders and droppers will become increasingly focused on delivering ransomware (alongside or instead of other malicious payloads such as adware, click fraud, spam, financial malware, and more).

Extortion to form part of the overall ransomware threat

In 2021, Sophos incident responders catalogued 10 different types of pressure tactics. These ranged from data theft and exposure to threatening phone calls, distributed denial-of-service attacks, and more. This shows that ransomware is evolving from a threat that targets technology into one that increasingly targets people.

So, what does that mean for security teams?

With the threat landscape changing constantly, it is no longer enough for organisations to assume they are safe simply because they monitor their security tools and confirm those tools are detecting malicious code.

Think of the cybersecurity system and its warnings as the modern equivalent of a burglar breaking a vase while climbing through the window of a home. There ultimately need to be certain combinations of detections, or even warnings, that alert organisations to even the smallest of breaches.

Defenders must investigate all alerts, even ones that in the past may have been insignificant, as intrusions through commodity malware have blossomed into the foothold necessary to take control of entire networks.

Ransomware is evolving to become the defining attack of our era. The fact that ransomware operators no longer confine their attacks to encrypting files that targets can often restore from backups shows just how important it is for defenders to take a defence-in-depth approach to security, one that combines advanced security controls with employee education and awareness.