Record High Ransomware Payouts in 2021 as Extortion Evolves 

Flush with cash from successful ransomware campaigns, cybercriminals are investing in more sophisticated technology and using new tactics to drive up ransomware payments even further, with the Conti ransomware group responsible for the most activity in 2021.

These were among the findings of a report released by Palo Alto Networks’ Unit 42, which revealed that the average ransom demand rose 144% in 2021 to $2.2 million and the average payment climbed 78% to $541,010.

The Conti ransomware group was responsible for more than one in five cases worked by Unit 42 consultants in 2021. REvil, also known as Sodinokibi, was second with 7.1%, followed by Hello Kitty and Phobos (4.8% each).

Malicious actors increasingly turned to Dark Web ‘leak sites’ where they pressured victims to pay up by threatening to release sensitive data, the report found. 

Ransomware Research and Development

As larger ransomware groups like Conti become more operationalized and profitable, they’re able to sink more money into research and development initiatives that enable them to launch attacks that use more sophisticated techniques, such as fileless malware and obfuscation.

“Today’s ransomware operators are much more financially motivated than they were in the past,” explained Matthew Warner, CTO and co-founder at Blumira, an automated threat detection and response technology provider.

He said many aren’t interested in exfiltrating data; they want to encrypt the victim’s entire environment, put a bounty on it and quickly get payment. Others are using double extortion methods to repeat bounty payouts.

“Since ransomware operators are more financially motivated, they often take a smash-and-grab approach, casting a wider net that includes smaller and mid-sized businesses,” he said. “SMBs generally have fewer resources to protect against ransomware and more exposure in their attack surfaces.”

Warner noted another equally concerning trend: Stolen credentials and exploit kits on the dark web are becoming more readily available, making it easier for unsophisticated ransomware operators to launch attacks.

“Low-level attackers often use complex malware loaders like Cobalt Strike, SquirrelWaffle and QakBot with sophisticated obfuscation techniques that make it more difficult for defenders to detect,” he added. 

Aaron Turner, vice president of SaaS Posture at Vectra, an AI cybersecurity company, explained that the natural progression of ransomware is that sophisticated attackers will first look for interesting intellectual property (for industrial espionage) and sell it to interested parties.

Then, they will try to find easily monetized data (payment account numbers, etc.) and attempt to rapidly withdraw value from those accounts.

“Finally, ransomware is deployed only when industrial espionage and payment account fraud opportunities are exhausted,” he said. “As industrial espionage and payment fraud attacks become more sophisticated, ransomware follows in their wake.”

Turner said system hygiene is among the critical first steps organizations must take to protect themselves from ransomware. He added that endpoint configuration management, especially for internet browsers, should be a key focus area.

“Even when ransomware is delivered through cloud storage services, oftentimes the initial attack vector is through a vulnerable internet browser,” he said. “Cloud storage posture management is another important focus area.”

Warner added that securing environments against these attacks requires broad visibility and risk mitigation efforts that are difficult for organizations of all sizes to keep up with.

Nip Attacks in the Bud

He said it’s extremely important that organizations focus on detecting the first three steps of a ransomware attack: Discovery, gaining a foothold and escalating privileges.

“Ensuring that your public-facing attack surface is known and properly configured will reduce threats of discovery against your environments such as internet-facing RDP servers,” he said. 

Detection, along with knowing which data you would need to restore from a backup, lets you respond quickly to an attack or, in the worst case, understand how to handle the post-exploitation phase of a ransomware event.

“It’s also important that organizations stay up-to-date on patches and apply them rapidly as they become available,” he said. “Vulnerabilities to Exchange and VPNs were one of the biggest drivers for ransomware entry points into environments and must be remediated as soon as possible.”

Warner added that while endpoint protection and detection tools are important, relying on them alone may mean attacker behavior goes undetected until it is too late—for example, only once an attacker has already introduced malware into the environment.

“Detecting potentially threatening behavior and detecting known-bad file signatures are both important approaches,” he said.

However, relying on AI or ML alone will result in a higher false-positive rate and could quickly become unmanageable.

“The behavior-based approach that a modern SIEM provides will be able to detect living-off-the-land techniques that signature-based detection cannot,” Warner said. 
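As an added example (not from the article, nor code from Blumira or Vectra), here is the kind of behavior-based correlation Warner’s advice points at: flagging an RDP logon from outside the internal address space (a foothold via internet-facing RDP) that is followed shortly by a special-privileges logon (escalation). The log lines are constructed and loosely modelled on Windows Security event IDs 4624 and 4672; the field layout, the 30-minute window and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Layout is an assumption:
# "<timestamp> <event id> user=<account> type=<logon type> src=<source ip>"
# 4624/type 10 = interactive remote (RDP) logon, 4672 = special privileges assigned.
SAMPLE_EVENTS = [
    "2021-11-03T08:01:10 4624 user=alice type=10 src=10.0.0.23",
    "2021-11-03T08:02:00 4624 user=svc-backup type=10 src=203.0.113.45",
    "2021-11-03T08:04:30 4672 user=svc-backup type=- src=-",
    "2021-11-03T09:15:00 4624 user=bob type=10 src=192.168.1.9",
    "2021-11-03T09:16:00 4672 user=bob type=- src=-",
]

# Anything outside RFC 1918 space is treated as external (assumption for this example).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_event(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, eid, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "id": int(eid), **fields}


def is_external(ip):
    """True when the source is a valid address outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # placeholder like "-" has no source address
        return False
    return not any(addr in net for net in RFC1918)


def find_external_rdp_escalations(lines, window_minutes=30):
    """Return (account, source ip) pairs where an external RDP logon is
    followed within the window by a special-privileges logon for that account."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent_rdp = defaultdict(list)   # account -> [(logon time, source ip)]
    hits = []
    for e in events:
        if e["id"] == 4624 and e.get("type") == "10" and is_external(e["src"]):
            recent_rdp[e["user"]].append((e["ts"], e["src"]))
        elif e["id"] == 4672:
            for ts, src in recent_rdp[e["user"]]:
                if timedelta(0) <= e["ts"] - ts <= timedelta(minutes=window_minutes):
                    hits.append((e["user"], src))
    return hits


if __name__ == "__main__":
    for user, src in find_external_rdp_escalations(SAMPLE_EVENTS):
        print(f"ALERT: external RDP logon for {user} from {src} followed by privilege grant")
```

Only the svc-backup sequence is flagged: alice and bob both connect from internal addresses, so their privilege grants are not correlated with an external foothold.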

As for the 2022 ransomware outlook, Turner pointed to the Conti group’s announcement that they planned to be active combatants in the Russia-Ukraine conflict.

He called it an indicator that the ransomware groups who have enjoyed Russian protection from extradition and prosecution feel some loyalty to Russia and will actively support their military efforts, focusing their digital attack skills on targets they believe will benefit Russia.

“We should consider ransomware gangs as essentially guerrilla fighters, waging a new form of warfare while enriching themselves along the way,” he said. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
