Ransomware Is Irrelevant (Wait WHAT?!)
Point solutions can't solve ransomware - because extortion is a moving target
I didn’t say “ransomware is dead” because it isn’t. Dead vs. irrelevant is an important distinction that we’ll get to later in the article.
Ransomware is hard to shake because it’s not simply a new strain of malware; it’s a radical innovation in cybercrime business models. The term ransomware is very overloaded. It is simultaneously used to refer to:
file encrypting ransomware attacks that target individuals
file encrypting ransomware attacks that target large organizations
non-file encrypting ransomware attacks (e.g. exfil, wipers, bricking)
extortion by cybercriminal groups
We will go through each of these areas in detail as we explain exactly why ransomware is ‘irrelevant.’
Back to where it all began
Extortion as a criminal business model has been around for a long time. Kidnapping has been a known risk for hundreds of years. Naturally, ransom insurance has been around nearly as long. Cryptovirology (the use of cryptography as a tool in malware) has been around since at least 1996.
In the mid-2010s, criminal groups were very successful in stealing payment data. However, turning stolen credit card data into usable cash is a long and painful process. Criminals began looking for easier, more repeatable schemes and found one in ransomware, partially thanks to the advent of cryptocurrency.
There were two key innovations: encrypting files to create a need to pay a ransom (the ‘lever’) and the use of cryptocurrency to simplify the financial component. The idea of using digital currency wasn’t even new. Gift cards and other digital currencies were used years before Bitcoin and other types of cryptocurrency became the standard.
A shift to bigger payoffs
While ransomware was initially opportunistic, targeting individuals at random, more organized criminal groups began shifting their focus to larger payoffs. Looking at the situation like a business (which it very much is), the criminal CEOs decided that labor costs were too high and payouts too low.
Negotiating ransom payments individually, with hundreds or thousands of victims, made for relatively slim profit margins and required a lot of overhead. If the existing ransomware tactic was scaled up to an entire business, they could get one large payoff instead of hundreds of small ones. It was more work on the front end, but companies could afford to pay more, and that made the extra effort worth it.
Note that attacks against individuals still occur, but they’re overshadowed by the large enterprise ransom cases in the news headlines.
An opportunistic component is still very much part of the process, however. Crews or initial access brokers will scan the Internet for common vulnerabilities, or attempt to use stolen or leaked credentials. Attackers often end up with access to far more organizations than they can reasonably take advantage of (remember this - it is foreshadowing for our next piece on this topic).
In the 2016 Uber breach, the attackers allegedly had over 100,000 successful logins into private GitHub accounts. They then filtered the list based on website popularity. Uber was at the top of that list. In other cases, criminals have stolen records from insurance providers and targeted organizations with the most cyber insurance, also knowing exactly what their policies will pay out.
How a typical attack plays out
After the target is chosen, ransomware attacks closely resemble penetration tests. A variety of common but effective techniques is used to gain access to the company’s environment and spread this access to as many internal systems as possible. The penultimate step is to deploy the ransomware, from which the name for the entire process is derived. The final step is to deliver the ransom note, so that the target knows what is happening, and how to pay.
Overwhelmingly, the ‘lever’ used most often to get targets to pay was encrypting files. Pay the ransom, and maybe you get the keys to decrypt and undo the damage. As a result, many ransomware ‘solutions’ have focused almost entirely on data backup and recovery. This reaction proved to be very shortsighted.
Ransomware becomes irrelevant
The shift to extorting entire businesses was objectively a huge success for cybercriminals, who managed $765.5 million in ransom payments globally in 2021. This number dropped 40% to $456.8 million in 2022. This seems like good news - why the long faces?
If we’ve learned anything about cybercrime, it’s that it is resilient. Extortion has proved to be an effective model, and we’re unlikely to see crews give up on it. As more organizations refuse to pay and choose to restore from backup, the criminals shift tactics. The refusal to pay led to a shift away from file encrypting ransomware - a move predicted back in 2016, if not earlier.
The most common ransom attack today has shifted to exfiltrating sensitive corporate and customer data. The threat of publishing this data is not a problem that can be solved once the data has been stolen. The only choice is to pay or prepare to apologize to employees, shareholders, partners, and customers. A variation in this attack is to extort customers, employees, or partners directly with the threat to expose data.
We're just kicking the can down the road by addressing the symptoms (one particular ransomware payload) and not the root of the problem (inability to detect or stop pen test-style attacks). Ransomware with modular payloads has been around for years. The security industry’s myopic solutions take years to react to shifts, while attackers can simply change a configuration file to get around new defenses.
File encryption ceases to be effective? Try stealing data. Stealing data isn’t working? They could try bricking systems.
None of these methods is mutually exclusive; they are often used in combination, leading to the coining of the terms “double extortion” and “triple extortion”. At this point, using the term ransomware as synonymous with extortion becomes problematic.
Ransomware is no longer essential to criminal groups in the extortion process. Because alternate extortion models exist, businesses and consumers need to understand that protections focused solely on file-encrypting malware haven’t been effective for some time.
Don’t get me wrong. We can’t ignore older types of ransomware as long as they persist, but the future of ransomware and extortion will continue to evolve, and we’ve got to get ahead of it, as an industry.
The future of digital extortion
Stealing data and threatening to expose it is a solid tactic for criminals and is a harder problem to solve for businesses. The benefit of crypto ransomware (something I never thought I’d say) is that a business can recover from it, even if it wasn’t prepared for it. However, when it comes to data theft, once unprotected data is taken, it’s gone.
It’s a tough problem to solve. Businesses must share and handle data to function. In many businesses, it’s normal to see large amounts of data flowing in and out of the network every day. While encryption and digital forms of compartmentalization can help limit data exposure, data only has utility and value in its unencrypted form. The opportunity to lose, steal or leak data will always exist.
We’ve seen data exfiltration added to ransomware in the payload repertoire. A bricking component could be next, but focusing on the payload might not be the right move.
Even if we assume data exfiltration is a solvable problem in the short term (it isn’t), there are other tactics extortion crews can use as extortion levers. Denial of service attacks and locking businesses out of their own cloud resources are also common attacks. A particularly concerning one is the use of ‘bricking’ as a tactic to scare organizations into paying. Instead of encrypting files on hundreds or thousands of systems, extortion crews could threaten to break computer equipment at a very low level. The result is permanent damage to hardware, requiring it to be physically replaced.
We are only just beginning to recover from global shortages of many products, not the least of which are computer chips. There are signs that bricking attacks could be coming, as many cyber insurance firms already cover damage from ‘wipers’, suggesting that similar methods are already in use. TrickBoot, a component of the modular TrickBot malware that searches for firmware vulnerabilities, was discovered by Eclypsium in 2020.
Firmware could also offer malware a method of persistence, even after systems are wiped and rebuilt. Malware designed to go after popular graphics cards or large crypto-mining farms could have a massive impact on the global supply chain at the worst possible time.
If you’re working to solve ransomware, you’re working on the wrong problem.
Cybercriminals operate as businesses now, and can afford to employ generalists, specialists and strategists. They even have R&D budgets and teams. Defenders should be wary of spending too much focus or time on individual tactics - the symptoms of the problem.
An organization that can confidently detect and stop an attack before it causes permanent damage is much better off than one that has just purchased the latest and greatest ransomware prevention tool.
Given enough resources, there’s no reason an organization can’t do both. The biggest return on investment continues to be in people, processes, and fundamentals.
As mentioned in the opening of this essay, ransomware isn’t dead. Criminals are still happy to collect some crypto or cash from unlucky individuals or businesses. We can’t afford to ignore ransomware, but we also can’t afford to give it our full attention - it’s not even close to being the biggest issue financially. BEC scams in the US alone were more than five times larger than global ransomware damages in 2022.
The pen test was once mocked for failing to emulate real-world attacks and adversaries. Now that life is imitating art, it seems more than a little ironic that enterprises weren’t prepared for the same pen test techniques expensive consulting firms have been exposing them to for nearly two decades.
It seems reasonable to assume that extortion crews will stick with what works and change what doesn’t. Right now, the initial method of compromise, the part that looks like a pen test, and the means of getting paid all seem to be working well. Where we see changes occurring is in the payload.
A criminal crew made up of moderately skilled penetration testers can do a lot more damage than the most ingenious and innovative malware.
We should always assume cybercriminals are already beta-testing their “Next Big Thing”, and we should always be preparing for what that could be. However, it seems a more effective strategy in the short term to attack the tactics our adversaries cannot easily or quickly change.
It’s tempting to drop a Gretzky quote about skating to where the puck is going to be, but this isn’t hockey and team sports have rules that enforce fairness. In cybersecurity, we have to think differently. If there’s an opportunity to trip your opponent and kick them in the head (metaphorically, assuming it doesn’t break any laws), go for it!