The single goal that defines most cybercriminal careers is simple: money. Cybercrime is a cut-throat industry with a single-track focus on ROI, and that focus is reshaping the roles of traditional attack types. Ransomware in particular is shifting toward a new and far more exploitative business model.
How Extortion Found its Partner in Cybercrime
First off, what is cybercrime, and where did it all begin? The first wave of cybercrime appeared in the 1980s, and its goal was the theft and resale of information, a pattern that defined cybercrime then and still damages brands today. In 1986, the German hacker Markus Hess used a compromised account on a Lawrence Berkeley Laboratory system in California as a stepping stone into the wider network. From there he reached hundreds of computers at military and defense-contractor sites, including systems belonging to the Pentagon. The stolen material was sold to the KGB; Hess was eventually traced by the lab's system administrator, Clifford Stoll, and convicted of espionage.
Identity theft, an attacker gaining access to a user's personal information, continues to be one of the leading threats to organizations around the world, because that information is frequently the key that opens confidential systems. Data breaches continue to spiral in scope and cost: recent editions of IBM's annual Cost of a Data Breach study put the average breach at over 4 million dollars. Alongside the direct costs, affected organizations suffer a loss of investor interest, a reduced credit rating and a lasting hit to customer trust. If sensitive customer data is stolen, expect regulatory fines and penalties, a wave of negative PR, and legal suits from the customers affected.
Alongside the ever-present threat of data theft, viruses and other malware exploded in volume from the 1990s onward. Early in that decade the number of known in-the-wild viruses was measured in the thousands; by 2007, anti-virus vendors were cataloguing millions of new malware samples a year. This kickstarted the mass production of commercial security tools as the need for widespread protection became clear. The first network firewalls date from the late 1980s, well before this surge; the name was borrowed from the fire-resistant barriers used in buildings to stop a fire spreading from one section to the next.
The 2010s rolled around, and cybersecurity went mainstream. A series of high-profile breaches hit government and national-security targets, and the cost of individual attacks climbed into the millions. In 2012, for instance, a hacker using the handle 0xOmar published what he claimed were the details of over 400,000 credit cards belonging to Israelis (far fewer were later verified as genuine). Meanwhile the emergence of cryptocurrencies, beginning with bitcoin in 2009, paved the way for a new form of attack to scale: ransomware.
CryptoLocker, which appeared in 2013, was not the first ransomware (the AIDS Trojan of 1989 predates it by decades) but it was the first to combine two things at scale: strong public-key encryption, with a per-victim RSA key held on the attacker's server so that files could not be recovered without the private key, and pseudonymous, easy-to-use bitcoin payments. It reached victims through trojanized email attachments and links, then encrypted document and data files on the local drive and any mapped network shares. Each victim was asked for roughly $300 to obtain the key that would unlock their files. The ROI was evident and attackers jumped on the trend; in 2017 the WannaCry worm, spreading on its own through the EternalBlue SMB exploit, infected around 230,000 computers in a single day. The actors making this money were mostly small groups of dedicated illicit developers.
The early days of ransomware jump started a black market industry that now earns its actors millions. Now, however, the traditional ransomware economy is evolving.
Inside The New Ransomware Extortion Economy
The other side of the ransomware coin is how the malware gets onto a system in the first place. Vendor telemetry has repeatedly found that a large majority of ransomware incidents (Microsoft's 2022 Digital Defense Report put the figure at over 80%) trace back to common configuration errors in software and devices rather than to novel exploits: exposed remote-access services, weak or reused credentials, missing patches, and security controls left disabled. Bloated, complex tech stacks that become unmanageable as organizations scale make these errors more likely, and the easy access they grant has emboldened cybercriminals.
Taking a deep dive into the modern ransomware economy, researchers have found that threat actors are actually working from a limited pool of ransomware codebases. This is unexpected: the financial weight of the extortion market would be expected to drive up the variety and number of ransomware families. Instead, the ecosystem is dominated by the affiliate model. Consolidation and specialization have produced a market in which a few developers build highly replicable ransomware, and affiliates with far lower technical skill rent that code and deploy it against real-world organizations. This business model is called Ransomware as a Service (RaaS), and it lets criminals take part in ransomware operations regardless of technical experience.
The big names in ransomware, such as Conti and REvil, are not, as some may think, fixed gangs of individuals. The names describe the RaaS programs themselves. Hordes of affiliates move between these programs, and the developers take a percentage of every ransom their affiliates collect. This segmentation of the attack chain also obscures attribution: the same affiliate can appear under several different brands over time. The RaaS operators in turn depend on the success of their affiliates for marketing, since affiliates shop around for the highest ROI on their easy-to-replicate attacks.
This industrialization has also sparked further specialized roles. Initial access brokers sell ready-made footholds into specific networks (stolen VPN or RDP credentials, web shells, compromised accounts), so an affiliate can skip the intrusion and go straight to deployment. Many RaaS kits include customer-service support for both affiliates and victims, an active community of other affiliates, and bundled tooling such as leak sites and negotiation portals.
Managing the Extortion Threat
The modern ransomware economy is the end result of complex tech stacks and overburdened security teams. Edge devices, cloud resources and third-party software are constantly connecting to and disconnecting from your organization's network. Employees download files, click on URLs and rely on software that inevitably has small, overlooked holes in its security.
Attack mitigation solutions focus on identifying suspicious behavior. Traditionally, providers focused on file signatures: a malware sample is analyzed and filed, and its signature is added to the security solution's database, creating an immune system shared across all of that solution's customers. This works reasonably well against the relatively limited pool of ransomware codebases, but affiliates routinely repack or rebuild their binaries so that the file hash changes while the behavior does not, and much like the human immune system before widespread vaccination, the approach is reactive by design. Under this model a signature exists only because someone was already a victim.
Next-generation intrusion defenses focus on prevention ahead of the attack. They learn what normal application and file behavior looks like and use that baseline to spot anomalies, for example a process that suddenly rewrites thousands of documents with unreadable, high-entropy content. A detection triggers a mechanism that quarantines the suspect file, process or device from the larger network before the damage spreads. Alongside this, security teams get real-time insight into their evolving attack surface.
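To make the contrast between the two approaches concrete, here is an added example (not code from the original article or from any vendor) that puts a hash-based signature check beside a simple behavioral detector. The "signature database", the file-write events and the process IDs are all constructed for illustration, and the thresholds (entropy floor, burst size, time window) are assumptions a real product would tune against its own baseline.

```python
"""Signature lookup versus behavioral detection for ransomware-style activity.

Added example, not the article's or any product's code. Signature DB, events
and thresholds are constructed/assumed for illustration.
"""
import hashlib
import math
from collections import defaultdict, deque

# --- Signature-based (reactive) ---------------------------------------------
# Constructed stand-in for a vendor database: SHA-256 of samples already seen.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE: not a real malware body").hexdigest(),
}

def signature_match(file_bytes: bytes) -> bool:
    """True only for a sample already in the database. A repacked or rebuilt
    variant has a different hash and passes straight through."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256

# --- Behavior-based (preventive) --------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0. Encrypted or compressed output sits near
    8.0; documents and source code normally sit well below 6.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class BehaviourMonitor:
    """Flags a process that writes many high-entropy files in a short window,
    which is what bulk encryption looks like no matter which RaaS kit built
    the binary. Thresholds are assumptions, not vendor defaults."""

    def __init__(self, window_s: float = 10.0, burst: int = 5,
                 entropy_floor: float = 7.0) -> None:
        self.window_s = window_s
        self.burst = burst
        self.entropy_floor = entropy_floor
        self._writes: dict[int, deque] = defaultdict(deque)
        self.quarantined: dict[int, str] = {}   # pid -> path that tripped it

    def observe(self, ts: float, pid: int, path: str, data: bytes) -> bool:
        """Feed one file-write event; returns True once pid should be isolated."""
        if pid in self.quarantined:
            return True
        if shannon_entropy(data) < self.entropy_floor:
            return False                      # ordinary document/code write
        q = self._writes[pid]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                       # slide the time window
        if len(q) >= self.burst:
            self.quarantined[pid] = path      # hook: isolate process/host here
            return True
        return False

# --- Constructed event stream (timestamp, pid, path, bytes written) ----------
HIGH_ENTROPY = bytes(range(256)) * 4          # uniform bytes: entropy exactly 8.0
PLAINTEXT = b"quarterly report draft, see attached figures\n" * 20

def simulate() -> dict:
    """Returns {pid: flagged?} for a normal user process and an encryptor."""
    mon = BehaviourMonitor()
    events = [(0.0, 4242, "/home/u/report.docx", PLAINTEXT)]      # normal edit
    events += [(1.0, 4242, "/home/u/download.zip", HIGH_ENTROPY)]  # one archive
    events += [(2.0 + i * 0.2, 9001, f"/home/u/docs/f{i}.docx.locked",
                HIGH_ENTROPY) for i in range(6)]                   # encryptor
    verdict: dict = {}
    for ts, pid, path, data in events:
        verdict[pid] = mon.observe(ts, pid, path, data) or verdict.get(pid, False)
    return verdict

if __name__ == "__main__":
    print(signature_match(b"CONSTRUCTED-SAMPLE: not a real malware body"))  # True
    print(signature_match(b"CONSTRUCTED-SAMPLE: repacked"))                 # False
    print(simulate())                                                       # {4242: False, 9001: True}
```

The single high-entropy archive download does not trip the monitor, while six rewrites in two seconds do; note that a legitimate backup or compression job produces the same pattern, so a real deployment allowlists those processes or pairs the heuristic with canary files, otherwise the quarantine action itself becomes a denial-of-service risk.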
Alongside a proactive security solution, some basic hygiene habits still matter. Encrypted data stores and up-to-date backups are vital, because they limit the destructive potential that extortion fundamentally relies on. Two caveats apply. Encryption at rest only protects stolen data if the attacker did not also obtain the keys or the application credentials that decrypt it, so key management and least-privilege access are part of the control. And backups only allow a company to refuse the ransom negotiation if they are kept offline or immutable and are tested for restore, since affiliates routinely look for and destroy reachable backups before deploying the encryptor. Even then, backups address the encryption half of the threat; if data was exfiltrated first, the leak threat remains and has to be handled as a breach.
The cybercrime industry’s evolution is indicative of its overall success. Now, it is vital to pull your organization ahead of the modern wave of low-skilled RaaS affiliates.