Ransomware Attacks Growing More Sophisticated

Cybercriminals attacked with gusto in the first half of 2021 and attacks show no signs of slowing down. In just the first half of the year, malicious actors exploited dangerous vulnerabilities across different types of devices and operating systems, leading to major attacks that shut down fuel networks and extracted millions from enterprises.

These were among the results of a midyear security roundup from Trend Micro, which detected 7.3 million ransomware threats in the first six months of 2021. Despite the high-profile coverage ransomware has so far received, detections actually decreased by 50% year-over-year.

However, the attacks that occurred in the first half of 2021 were highly sophisticated, targeted and complex, making them more detrimental to victims.

Ransomware Targeted Banking

The banking industry was disproportionately affected, experiencing a 1,318% year-over-year increase in ransomware attacks in the first half of 2021, while other industries that found themselves under heavy fire included government and manufacturing.

Timur Kovalev, chief technology officer at Untangle, a provider of network security for SMBs, explained that cybercriminals have found their “sweet spot” with government, manufacturing, banking and critical infrastructure.

“Previous ransomware attacks stole or accessed data and held that hostage while demanding a ransom and threatening to leak or sell the data,” he said. “Malicious actors have recently targeted specific companies where they can cause severe disruption to services and society, in general, knowing these entities will pay the ransom to get services up and running as soon as possible.”

Kovalev pointed out that ransomware attacks are increasing because companies are paying the ransom.

“It’s been reported that JBS paid $11 million in ransom. The Colonial Pipeline also paid a $4.4 million ransom, although a good portion has been returned,” he said. “Cybercriminals see the large payouts and it encourages them to strike more often and at larger, more lucrative targets.”

Stefano De Blasi a cyberthreat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, agreed that attacks aimed at government, manufacturing and banking organizations are getting more frequent and intense due to the potential for high payout.

“You have to remember that cybercriminals’ top priority is simply to get paid at the end of an offensive operation,” he said. “They are able to monetize more effectively when targeted organizations hold sensitive information and cannot afford any downtime due to production needs.”

In the past 18 months, De Blasi noted, ransomware operations have become more frequent and profitable than ever. Within this timeframe, a few ransomware groups managed to establish well-organized ransomware-as-a-service (RaaS) programs and become renowned players in the threat landscape, he noted.

“On the other hand, although we’ve observed dozens more smaller ransomware groups appearing on the scene, these groups often struggle to establish long-lasting operations when competing with the technical and financial resources of established RaaS programs,” he said.

Kovalev explained that when it comes to cryptocurrency miners—which have become the most-detected type of malware, according to the Trend Micro report—hackers have taken to requesting payment in the form of cryptocurrency because they can transport vast amounts of money across international boundaries in seconds.

“The ease and quickness of transactions, coupled with lack of traceability, have made it the go-to solution for ransomware hackers,” he said. “Because the cryptocurrency exchanges often take place overseas, governmental regulatory power and law enforcement of the transactions is limited.”
In addition, many of these cyber thieves live outside of the U.S. in countries like Russia, making it even more difficult to trace them or catch them in the act.

Lowering the Barrier to Entry

De Blasi added that not only is this malware relatively cheap and easy to use, but some listings also offer the opportunity to have the malware already installed on a victim’s machine.

“This mechanism has increasingly lowered the barrier to entry and caused many inexperienced threat actors to use this malware as a side gig,” he said. “Unsurprisingly, security professionals often detect these unsophisticated actors because of their inability to cover their tracks.”

Kovalev noted that while ransomware attacks continue and the ransom amounts demanded increase, there are several defensive moves companies and governments can make to help prevent ransomware attacks in the future.

“First and foremost, companies should not pay the ransom,” he said. “Law enforcement agencies encourage organizations not to pay fees to cybercriminals, as it encourages more attacks.”

Kovalev also called for more consistent policies for international cooperation.

“It’s time to recognize that this is an international issue and that the most effective way to stop ransomware is by developing a global solution,” he said. “Business and government leaders must work together to readily share information, develop prosecution agreements for cybercriminals and impose sanctions against rogue nations that harbor cyber pirates.”

He added that to combat attacks, large corporations that could be targeted may begin to add cryptocurrency and blockchain specialists to their security teams.

“Those with investigative and tracing skills may soon be in high demand for law enforcement and businesses,” he said.

De Blasi said security teams can increase the robustness of their defensive strategies by making themselves a difficult target.

“Cybercriminals are typically opportunistic, financially-motivated actors who target low-hanging fruit,” he said. “Therefore, by following basic cybersecurity hygiene best practices and sticking to their threat model, security teams have more chances to adopt a proactive and agile posture that would place them in a much better position.”

He warned that cybercriminals are constantly improving and updating their tactics, techniques and procedures (TTPs) to stay one step ahead of security professionals, and have now reached an “impressive” level of sophistication in their operations.

“Keeping pace with threat actors is a daunting task for every security team and can often result in a whack-a-mole game,” De Blasi said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 242 posts and counting.See all posts by nathan-eddy