Ransomware - the threat that never went away

Many industry reports claim that the number of ransomware attacks worldwide is falling in favour of easier, less labour-intensive cryptomining operations, and that may well be the case. It remains true, however, that cyber criminals continue to target organisations with ever-evolving varieties of malware, and continue to demand and receive payment for the release of encrypted or stolen data.

One reason for this is that it is relatively easy for even inexperienced attackers to carry out an attack: ransomware kits can be found, downloaded and put to use quickly. If the payment demand is kept reasonably low, the cyber criminals can expect a quick return on their effort.

The popularity of this type of cyber attack is also due to the fast evolution of the malware on offer. In recent months we have reported on several types of ransomware that developers have enhanced with new capabilities.

In May 2018, for example, several new variants of the GandCrab ransomware were identified by security researchers. Three separate variants of GandCrab version 2.1 were discovered as payloads in a single spam campaign. All the phishing emails carried similar subjects concerning payments, tickets, invoices or orders, and contained a JavaScript attachment which, when executed, downloaded GandCrab from a malicious URL.
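The delivery chain above (a themed subject line plus a script attachment that fetches the payload) is easy to triage at the mail gateway or in an incident-response mailbox sweep. The following is an added example, not code from the original article or from any vendor: it parses messages with Python's standard email library, quarantines anything carrying a Windows Script Host attachment, flags the double-extension trick (invoice.pdf.js), and marks payment-themed mail with an archive attachment for review. The sample messages are constructed here for the demonstration and are not captured campaign emails; the extension lists are an assumption to be tuned locally.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Subject themes used by the campaign described in the text: payments, tickets, invoices, orders.
SUBJECT_THEMES = re.compile(r"\b(payment|ticket|invoice|order)s?\b", re.IGNORECASE)
# Extensions Windows hands to the Windows Script Host or mshta on double-click (assumed list).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")
# Archives are the usual wrapper for a script when a gateway blocks bare .js files.
ARCHIVE_EXTS = (".zip", ".7z", ".rar")
# Document extensions commonly used as the inner part of a double extension (invoice.pdf.js).
DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "txt")


def attachment_names(msg):
    """Return the filename of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw_message):
    """Classify one RFC 5322 message as 'quarantine', 'review' or 'pass'.

    quarantine: a script attachment is present (the delivery pattern in the text)
    review:     payment-themed subject plus an archive attachment
    pass:       nothing matched
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "")
    names = attachment_names(msg)
    reasons = []

    scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
    for n in scripts:
        reasons.append(f"script attachment: {n}")
        parts = n.lower().split(".")
        if len(parts) >= 3 and parts[-2] in DOC_EXTS:
            reasons.append(f"double extension masquerading as a document: {n}")

    archives = [n for n in names if n.lower().endswith(ARCHIVE_EXTS)]
    themed = bool(SUBJECT_THEMES.search(subject))
    if themed:
        reasons.append(f"payment-themed subject: {subject!r}")

    if scripts:
        verdict = "quarantine"
    elif themed and archives:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons, "attachments": names}


def build_sample(subject, filename, body=b"x"):
    """Construct a sample message for the demonstration; not a real captured email."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "finance@example.invalid"
    m["Subject"] = subject
    m.set_content("Please find the attached document.")
    m.add_attachment(body, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed samples modelled on the campaign described in the text (not real messages).
SAMPLES = [
    build_sample("Payment #2841 overdue", "Payment_2841.js"),
    build_sample("Your ticket 55410", "ticket_55410.pdf.js"),
    build_sample("Invoice 10/05", "invoice.zip"),
    build_sample("Team lunch on Friday", "menu.pdf"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = triage(raw)
        print(result["verdict"], result["attachments"], result["reasons"])
```

The verdict is deliberately driven by the attachment type rather than the subject alone: a payment-themed subject on its own is too common in legitimate mail to block, while a script attachment has almost no legitimate business use and can be quarantined outright.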

In July another new variant, GandCrab v4, was released. A number of changes and enhancements had been made to the functioning of the ransomware, including different encryption algorithms, a new .KRAB extension, a new ransom note name and a new TOR payment site. In a further important development, it was found that this version no longer requires a command-and-control (C&C) server, so it can encrypt files on hosts with no internet connectivity; blocking outbound traffic to known C&C infrastructure therefore no longer stops the encryption.

Also in July, some recent changes to the Magniber ransomware were identified: its source code had been refined, it now uses various obfuscation techniques, and it is no longer dependent on a C&C server or a hardcoded key to carry out its encryption. Importantly, while it had previously targeted only organisations in South Korea, it is now spreading across Asia and has been seen in Hong Kong, Malaysia and Taiwan.
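Because both GandCrab v4 and the current Magniber encrypt without a C&C exchange, network controls alone cannot stop them and detection has to move to the host. The following is an added example, not code from the original article or from any vendor: it runs over file-rename telemetry (the kind an EDR agent or Sysmon-style sensor records) and alerts on any process that renames a burst of files to a known ransomware extension, or that appends any new extension to an unusually large number of files, within a short window. The .KRAB extension comes from the text; the thresholds, the window, the event format and the sample events are all constructed assumptions for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extension from the text: GandCrab v4 appends .KRAB. Extending this set locally is assumed.
RANSOM_EXTS = {".krab"}
KNOWN_THRESHOLD = 10      # renames to a known ransomware extension within WINDOW
GENERIC_THRESHOLD = 50    # renames that append any new extension within WINDOW
WINDOW = timedelta(seconds=10)


def parse(line):
    """Parse one constructed event line: iso_timestamp,pid,process,op,src,dst."""
    ts, pid, proc, op, src, dst = line.split(",", 5)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "proc": proc,
            "op": op, "src": src, "dst": dst}


def appends_extension(src, dst):
    """True when dst is src plus a new trailing extension (report.docx -> report.docx.KRAB)."""
    return (dst.lower().startswith(src.lower())
            and len(dst) > len(src) and dst[len(src)] == ".")


def detect(lines, window=WINDOW, known_threshold=KNOWN_THRESHOLD,
           generic_threshold=GENERIC_THRESHOLD):
    """Return one alert per process whose renames look like a ransomware encryption burst."""
    known = defaultdict(deque)     # pid -> timestamps of renames to a known ransomware extension
    generic = defaultdict(deque)   # pid -> timestamps of renames that appended any extension
    alerts, alerted = [], set()
    for line in lines:
        ev = parse(line)
        if ev["op"] != "rename" or ev["pid"] in alerted:
            continue
        pid, ts = ev["pid"], ev["ts"]
        ext = "." + ev["dst"].rsplit(".", 1)[-1].lower() if "." in ev["dst"] else ""
        for hit, store in ((ext in RANSOM_EXTS, known),
                           (appends_extension(ev["src"], ev["dst"]), generic)):
            if hit:
                q = store[pid]
                q.append(ts)
                while q and ts - q[0] > window:   # slide the window forward
                    q.popleft()
        if len(known[pid]) >= known_threshold or len(generic[pid]) >= generic_threshold:
            alerted.add(pid)
            alerts.append({"pid": pid, "process": ev["proc"], "at": ts,
                           "known_renames": len(known[pid]),
                           "appended_ext_renames": len(generic[pid])})
    return alerts


def constructed_sample():
    """Constructed telemetry: one benign Word save, then a 25-file burst renamed to .KRAB."""
    base = datetime(2018, 7, 10, 9, 0, 0)
    lines = [f"{base.isoformat()},1200,WINWORD.EXE,rename,"
             f"C:\\Users\\a\\Docs\\~WRD0001.tmp,C:\\Users\\a\\Docs\\report.docx"]
    for i in range(25):
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()},4412,tmp4f2a.exe,rename,"
                     f"C:\\Users\\a\\Docs\\sheet{i}.xlsx,C:\\Users\\a\\Docs\\sheet{i}.xlsx.KRAB")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

The generic counter matters more than the known-extension list: a new variant changes its extension between releases (as GandCrab did), so a detection keyed only to .KRAB is stale on the day the next version ships, while "one process appended an extension to fifty files in ten seconds" survives the rename. Tune the generic threshold against real backup and archiving jobs before turning on an automated response such as killing the process or isolating the host.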

In 2017, the WannaCry and NotPetya attacks made worldwide headlines. Losses from WannaCry were estimated at a total of at least $4 billion, while high-profile companies such as Maersk reported that NotPetya had cost them $200-300 million. NotPetya is worth noting for another reason: although it presented itself as ransomware, it offered victims no workable path to recovery, so paying would have bought nothing.

One of the most widely reported ransomware attacks this year, and what is believed to be the worst cyber attack on any US city, hit the City of Atlanta government in March, when its systems were infected with a variant of SamSam. The attacker(s) demanded a payment of $51,000 to unlock the data.

While officials did not disclose whether or not a ransom payment had been made, they did admit that the overall cost of the attack reached at least $2.7 million. The head of Atlanta Information Management said more than one third of the 424 software programs used by the city were affected by the attack, with 30 percent of those considered to be "mission critical". The department may need an additional $9.5 million of funding in the coming year to deal with the impact on systems.

This illustrates well that the ransom itself has, at least until recently, been a small fraction of the total cost of an attack, and explains why organisations will often choose to pay in order to retrieve their data as quickly as possible. Some companies have reportedly been stockpiling Bitcoin or Monero so that payments to cyber criminals can be made, and data recovered, more quickly.

Organisations across all sectors are therefore increasingly aware of the real costs a ransomware attack can entail. It is not only a matter of the sum the attackers demand to return the data. Other factors to take into account include investigating the cause of the attack, operational disruption, legal fees and, of course, the hugely important reputational damage. Then there is the question of possible fines for data breaches, particularly those that fall under GDPR (up to €20m or 4% of annual global turnover, whichever is greater), which may be levied when personal data has not been adequately secured and protected.

The huge costs that can be incurred in dealing with ransomware attacks have persuaded a growing number of organisations to take out cyber insurance policies, and it is here that we can draw some comparisons with extortion campaigns in the physical world. These have tended to follow a clear pattern: kidnappers or hostage takers carrying out successful attacks will typically increase their monetary demands for their next operation. This can clearly be seen in the example of the Somali piracy campaign.

Somali pirates have posed a major threat to the international shipping sector since 2000. Local armed groups initially hijacked commercial vessels that were fishing illegally in Somali waters; this soon grew into a very lucrative trade, with ever larger ransoms being demanded for the return of vessels or hostages. The average ransom demand was around $150,000 in 2005; by 2010 it had grown to $5.4 million.

Shipping companies hit by Somali piracy attacks were accused of failing to implement better security practices because they knew their insurers would pay out, thus keeping both financial and reputational damages to a minimum.

The publicity surrounding ransomware attacks has doubtless led to more and more companies taking out cyber insurance policies in their efforts to keep financial losses to a minimum. Cyber criminals will be only too well aware of this, and are likely to view the situation as an opportunity to increase their payment demands, much as the Somali pirates did as the success of the piracy campaigns became apparent.

CFC Underwriting has estimated the average cost of a cyber insurance claim for an SME hit by a ransomware attack to be in the region of $15,000 - $65,000; most of that goes towards cleaning up the systems rather than paying the demand.

However, our own research has shown that the actual payments given to ransomware hackers in recent months have increased in value much more quickly than anticipated, with some now totalling between 10 and 15 Bitcoins ($82,353 - $123,529 at the time of writing).

It is also worth noting that the ransomware threat continues to develop. State-sponsored APT groups have typically focused on cyber espionage operations designed to penetrate networks and steal valuable data and intellectual property. Recent activity suggests that some of those groups are turning their efforts to sophisticated ransomware attacks against major corporations and government organisations, and in some cases we are seeing demands totalling millions of dollars in return for restoring encrypted data.

In other words, those ransom demands currently doing the rounds may evolve into something far more serious over the next few months.

Organisations are advised to carry out regular cyber security audits, to patch systems as quickly as possible, to keep tested offline backups so that recovery does not depend on the attacker's decryption key, and to ensure staff are properly trained and regularly reminded of the dangers of opening emails or attachments from unknown or untrusted senders. Finally, a culture of sharing information about vulnerabilities and breaches should be encouraged across all sectors.