Five years ago, a massive cyber assault named WannaCry hit organisations (most famously, the NHS), bringing them to a standstill by locking data in exchange for payment. Said to have been perpetrated by North Korea, WannaCry continued to make headlines for months, mainly due to the wide-scale damage it caused.
Back in 2017, this type of breach was rare, but fast forward five years, and ransomware is part of nearly a quarter of all cyber attacks, according to the 2023 Thales Data Threat Report. Meanwhile, security outfit Check Point found that ransomware attacks hit one out of every 44 organisations worldwide weekly during the second quarter of 2023.
No one is immune to ransomware, as multiple government organisations and firms such as Royal Mail and ION have discovered over the last year. And lack of immunity is a costly business, as ransom demands have reached millions of pounds and companies are often left with no option but to pay.
Ransomware is a type of malware used to hold data to ransom in exchange for digital currencies such as Bitcoin, making it a very lucrative business for adversaries. So much so that the data-locking malware has spawned an entire business model, with cyber criminal groups offering neatly packaged ‘ransomware as a service’ (RaaS) to an increasing pool of buyers.
As criminals flock to ransomware to make easy money, the malware itself is getting better at what it does. Ransomware has evolved to employ more sophisticated encryption algorithms to lock data, says Craig Jones, vice president of security operations at Ontinue.
This gives criminals an advantage because it makes it extremely difficult for firms to decrypt files without the key, making paying the only option for many desperate companies.
Techniques are changing, with cyber criminals adopting a tactic known as “double extortion”, where they encrypt files and steal sensitive data before locking it. “This gives them additional leverage as they will threaten to leak or sell the data if the ransom is not paid, increasing the pressure on victims to comply,” Jones says.
At the same time, criminals and nation-states are becoming increasingly choosy in their targeting – selecting organisations they deem to be more lucrative. “There has been a rise in targeted ransomware attacks, where adversaries focus on specific organisations or industries,” Jones says.
Ransomware attackers also target supply chains and cloud service providers as a stepping stone into other businesses. This approach has led to large-scale attacks that can result in “significant financial losses,” Morgan Wright, chief security advisor at SentinelOne, warns.
Well-known ransomware criminal groups include BlackCat, REvil, Conti, DarkSide, and Ryuk. State-sponsored gangs include Lazarus Group, associated with North Korea, while APT29 – or Cozy Bear – is believed to be linked to Russia.
Like any business, ransomware has evolved to ensure everyone in the ecosystem can profit, even if they lack technical skills. Today’s ransomware groups are enormous organisations with “clear business goals and operations” – from HR and payroll to training and sales teams, says Azeem Aleem, MD of UK and Northern Europe, Sygnia.
It’s paved the way for ransomware-as-a-service platforms and kits that can be bought on the dark web, “making less sophisticated cyber criminals into experts overnight”, says Aleem. “The kits can include how-to guides, ratings by others who have used them and technical support. We could even see ‘prime-day’ like offers in the future.”
Jones says that RaaS platforms allow cyber criminals to easily access and deploy ransomware through pre-built malware and infrastructure in exchange for a share of the profits. “These allow even novice cyber criminals to launch ransomware attacks.”
For example, he explains that affiliates of the GandCrab group would only take home about 60% to 70% after being charged “anywhere from $500 to $1,200” for access to the ransomware service.
Ransomware groups obtain access to organisations in one of three ways, says Daniel Dos Santos, head of security research at Forescout. The first is phishing, where employees are encouraged to click on a malicious link or download a malware-ridden attachment. The other two are credentials bought in underground markets and unpatched vulnerabilities in software, either of which attackers can use to gain a foothold and plant ransomware.
The signs are already there, so it will come as no surprise if ransomware becomes more sophisticated in the future. Ransomware will employ advanced techniques to evade detection, with encryption methods that make decryption “even more challenging”, Jones says.
He predicts ransomware attacks on critical infrastructure such as power grids, healthcare systems and transportation networks could increase, leading to “severe consequences” and “potential disruptions”.
Jones warns that ransomware attacks could increasingly target emerging technologies and industries, such as Internet of Things (IoT) devices, cloud infrastructure and cryptocurrency exchanges.
Meanwhile, successful criminal groups are working together to become more efficient, says Laurance Dine, managing director at FTI Cybersecurity. He thinks this could see groups “divvying up the work even further to enhance efficiency”.
“For example, one group would gain access, one could deploy malware, and another might negotiate payment. Another version of this could involve one group which does everything but has dedicated internal teams to handle each task.”
It’s also possible that ransomware gangs – especially those operating out of countries such as Russia – will expand their role as “proxies” in cyber warfare, Wright predicts. “Ransomware is a geopolitical tool in addition to being malware,” he says, citing the example of the Clop group, which included specific language in its coding instructing against attacking Russian-linked interests.
Ransomware is accessible to most people now, but generative AI such as ChatGPT will soon make unsophisticated attackers even more powerful, experts predict. “They can leverage tools such as ChatGPT to write malicious code that can easily evade detection, as well as exploit newly discovered vulnerabilities easily,” warns Aleem.
In fact, he says, his company Sygnia has negotiated with an attacker who openly admitted to using generative AI tools: “He used this to search the enterprise’s data repositories and identify sensitive information to be used for extortion.”
Ransomware attacks are not going to go away, so the best thing you can do is be aware of the data-locking malware and take steps to limit its impact. Backups are essential, but remember the basics too, such as patching and two-factor authentication, which pairs a password with a second factor: a physical security key, a one-time code or an authenticator app.
At the same time, businesses must prepare for the “very real possibility of an attack” by making a plan, says John Davis, director of UK and Ireland at the SANS Institute. “This will eliminate panic and allow for a rational response.”
Meanwhile, employee training is critical and needs to be simple to comprehend. Organisations must make it far easier for staff to understand why they need to do certain things and the benefits this will bring in the long term, says Davis. “Unlocking and promoting the benefits of a positive cybersecurity culture where each individual takes some ownership over their cyber hygiene is the new gold standard.”