Windows Ransomware Detection and Protection

Book, published Mar 2023 by Packt. ISBN-13 9781803246345. 290 pages, 1st edition.
Author: Marius Sandbu

Evolution of ransomware

Ransomware is a type of malware that has historically been designed to encrypt data and make systems that rely on it unusable. Malicious actors then demand ransom in exchange for decrypting the data.

In 2021, we saw a huge rise in the number of ransomware attacks. Many companies had their IT infrastructure and data encrypted, and many also had data stolen by different ransomware groups. In Norway, where I am based, we have also seen many large organizations attacked by ransomware in the last year, which has ended up affecting the Norwegian population as well. Here are some of the organizations that were hit by a ransomware attack in Norway in 2021:

  • Nordic Choice Hotels: This is one of the largest hotel chains in Scandinavia. When they got attacked, they needed to switch to manually checking people into their rooms.
  • Amedia: This is the second-largest news publisher in Norway and publishes more than 90 newspapers. When they got attacked, it halted all newspaper production for over a week.
  • Nortura: This is one of the largest food producers in Norway, so when they got hit by ransomware, it meant that farmers were not able to deliver animals to get processed.

In addition, there have been many high-profile attacks in other countries, such as the attack on Colonial Pipeline in the US and on MSP software provider Kaseya, which ended up impacting close to 1,500 customers worldwide.

After the attack on Colonial Pipeline, the US government implemented a new reporting regulation, which meant that an organization within the US that has fallen victim to a ransomware attack must report the incident to the FBI, CISA, or the US Secret Service.

In the last few years, we have also seen that ransomware attacks against healthcare have almost doubled, according to Sophos (https://news.sophos.com/en-us/2022/06/01/the-state-of-ransomware-in-healthcare-2022/). However, the attacks against healthcare are not carried out intentionally, since most ransomware groups tend to avoid healthcare businesses. In 2022, we saw several cases where ransomware groups provided the decryption key to organizations for free to avoid impacting systems that can affect patient treatment in healthcare settings such as hospitals.

The attack on Kaseya, which was done through their Virtual System Administrator (VSA) product, ended up affecting the Swedish supermarket chain Coop, which needed to close 500 stores after the attack throughout the Nordics.

In a survey that Sophos did, where they spoke with 5,400 IT decision-makers in 2021, about 37% had been hit by ransomware in the last year, which is, fortunately, a significant reduction from the year before when that number was 51%.

There have, however, also been some significant changes in the behavior of attackers. Most likely, the reduction in the number of attacks is related to fewer automated attacks and more hands-on, targeted attacks. Emsisoft, the security software company behind ID Ransomware (https://id-ransomware.malwarehunterteam.com/), runs a service that identifies which ransomware strain has encrypted files when you upload the ransom note file. Emsisoft posted on its website that, in 2021, there were close to 560,000 submissions to the service, which is 50,000 more than the year before. In addition, Emsisoft estimated that only 25% of victims submit to the service.

We have also seen an increase in personal engagement from threat actors. For instance, we have seen an increase in attacks close to holidays such as Christmas, since people are often more stressed and are more likely to fall victim to phishing attacks.

Many organizations worldwide have faced ransomware attacks, and looking at the statistics, the number of large organizations that have been impacted only seems to be rising. But how has ransomware evolved over the last few years?

Ransomware is mostly used by attackers to exploit the weakest points in your infrastructure and then encrypt your data and infrastructure using some form of encryption. Once the encryption is done, they leave a ransom note and wait. The only way to get access to the original data (or to be able to decrypt it) is by buying a decryption tool from the attackers using one of the digital currencies. There are also other attack methods, but I will get back to those a bit later.

Within the ransom note, you get instructions about how to contact them or access their support channels, which are typically hidden behind Tor addresses. When you access their support channel, some of the operators give some information about what happened and how much you need to pay to get access to the decryption tool:

Figure 1.1 – Ransomware operator chat support

A ransomware attack often involves multiple teams or people. Many of the different ransomware groups are split into smaller groups and affiliates. Many of the affiliates often work together to gain access to an environment, or might even be someone on the inside. They sell or give access to other teams who deploy the ransomware. The profit is usually divided between the affiliate and the group, with a one-time payment to acquire access to the environment.

Affiliates operate independently or as members of organized groups, and some of the most well-known ransomware groups run active recruitment programs to attract affiliates.

Ransomware attackers are only focused on getting access, encrypting data, and waiting for the organization to make contact. In most cases, the ransomware operators also have some insight into your organization and the number of employees, which will also impact the ransom fee.

Most ransomware operators host self-service portals, accessible only on the Tor network, with built-in chat support that provides details and information on how to pay for the decryption tool. The most well-known groups tend to use Monero as the cryptocurrency of choice since many see it as untraceable. However, we have seen other cryptocurrencies being used as well. There is also recent evidence showing that threat actors conduct business with one another, such as using money laundering services to make the money untraceable.

While most security professionals agree that you should never pay the ransom, many have paid the ransom in pure desperation to gain access to their files and get their services back up and running. Consider the alternative – your entire infrastructure, backup, and other services are gone, and rebuilding your services would take too much time and your company could even go bankrupt.

We have also seen that many organizations have been relying more on cyber insurance to cover costs related to ransomware. Ransomware was involved in 75% of all cyber insurance claims during the first half of 2021; this has also led to a significant increase in the cost of premiums.

Important note

It should be noted that in a survey that Sophos did in 2021, organizations that paid the ransom were able to recover, on average, only close to 65% of their data (https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/). In some cases, when you are negotiating the price with the attackers, some of the ransomware operators give you a free sample to show that they have the decryption tool and can decrypt the data. In most cases, this decrypts a single file or a single virtual machine. The operators usually also have a good mapping of the environment and know which machines run important services, such as the backup service, so you will most likely only be able to decrypt a non-important virtual machine such as a test server.

When you pay the ransom, you will either pay to get the decryption key for every single machine or get a decryption key and tool that is used for the entire environment. Once you get access to the decryption tool, it can take many hours to decrypt a single machine. If you need to decrypt an entire environment, you can expect it to take a long time.

Over the last few years, there has been a lot of focus on getting good backup and data protection services in place, and those organizations that have good backup systems and routines in place can easily restore data and be up and running again.

However, it should be noted that in many ransomware cases, we have also seen that the backup data was encrypted by the attackers. Fortunately, we are seeing more and more backup vendors adding new features, such as immutable backups, so that ransomware is less likely to impact the data.

This, of course, means that attackers have a lower chance of getting paid, so they also switch tactics to not only encrypt data but also exfiltrate data that they then could use as means for leverage.

This was, unfortunately, the case for the Finnish psychotherapy center Vastaamo, which was hit by ransomware in late 2020, where the attackers managed to encrypt their data and steal 40,000 patient journals. The attackers also used another extortion tactic, which was to contact the patients via email and ask them for a ransom directly, and if they didn’t get paid, they would publish their journals.

It should be noted that the electronic patient record that was compromised was running an outdated version of Ubuntu 16.04.1, Apache 2.4.18 (which came out in 2015), and PHP 5.6.40, which all contain many known vulnerabilities.

While most ransomware attacks aim at performing data encryption and data exfiltration, there is also another attack vector that is becoming more and more popular: Distributed Denial of Service (DDoS) attacks. DDoS-based ransomware attacks are more aimed at online retailers or cloud-based applications. Microsoft, in their yearly DDoS attack trends, stated that they see close to 2,000 DDoS attacks daily and that in 2021, they stopped one of the largest DDoS attacks ever reported, where they mitigated a DDoS attack with a throughput of 3.47 TBps and a packet rate of 340 million packets per second against an Azure customer in Asia.

The attack only lasted 15 minutes but that is more throughput than most ISPs and local data centers can handle.

Important note

More vendors are seeing an increase in the amount of DDoS attacks, and buying a DDoS attack from a botnet that lasts 1 hour only costs about $50 on the dark web. You can find more information about DDoS attack statistics in the yearly Microsoft DDoS protection report at https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends/ and also from Cloudflare Radar at https://radar.cloudflare.com/notebooks/ddos-2021-q4.

Cloudflare also stated in their yearly DDoS trend report that in Q4 2021, they saw a 29% increase in DDoS attacks compared to the same quarter of the previous year. They also surveyed customers that were targeted by DDoS attacks, and one-fourth of the respondents reported that they received a ransom letter from the attacker demanding payment.

While many DDoS attacks aim to overload the infrastructure with a large amount of traffic from multiple sources (mostly botnets) against your services, there has also been an increase in DDoS amplification attacks, where the attackers exploit a weakness in a protocol so that a third party's server reflects and amplifies traffic toward the victim, essentially turning that server into a source of the DDoS. We have seen such examples with the DTLS protocol.

In 2020, Citrix and their ADC product had a weak implementation of the DTLS protocol, where earlier firmware was vulnerable to a DDoS amplification attack. The attackers sent forged DTLS packets, and the ADC replied with much larger packets to the spoofed source, potentially leading to outbound bandwidth exhaustion, so essentially a DDoS.
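To make the amplification risk concrete from the defender's side, here is an added example (constructed for this section, not code from the book or from Citrix) that simulates a DTLS-style UDP service answering a spoofed ClientHello. The unhardened variant replies with the full handshake flight; the hardened variant first demands the stateless cookie that DTLS specifies (the HelloVerifyRequest exchange), so a spoofed source only ever triggers a reply smaller than the request. All packet sizes and addresses are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative sizes (constructed, not measured): a spoofed ClientHello is
# small, while a full first server flight (ServerHello, Certificate, ...) is
# large. That size gap is what an amplification attack abuses.
CLIENT_HELLO_LEN = 100
SERVER_FLIGHT_LEN = 4000
COOKIE_LEN = 16

_SERVER_SECRET = os.urandom(32)  # a real server rotates this periodically


def make_cookie(src_ip: str, src_port: int) -> bytes:
    """Stateless DTLS-style cookie bound to the claimed source address."""
    claimed = f"{src_ip}:{src_port}".encode()
    return hmac.new(_SERVER_SECRET, claimed, hashlib.sha256).digest()[:COOKIE_LEN]


def respond_unhardened(src_ip: str, src_port: int) -> bytes:
    """Weak behaviour: reply to any ClientHello with the full flight."""
    marker = b"SERVER_FLIGHT"
    return marker + b"\x00" * (SERVER_FLIGHT_LEN - len(marker))


def respond_hardened(src_ip: str, src_port: int, cookie: Optional[bytes] = None) -> bytes:
    """Hardened behaviour: demand a valid cookie before sending anything large."""
    expected = make_cookie(src_ip, src_port)
    if cookie is None or not hmac.compare_digest(cookie, expected):
        # HelloVerifyRequest: a small reply no bigger than the request, so a
        # forged source gains nothing by reflecting it at a victim.
        return b"HVR" + expected
    # Only a host that really received the cookie at that address gets here.
    return respond_unhardened(src_ip, src_port)


def amplification_factor(response: bytes, request_len: int = CLIENT_HELLO_LEN) -> float:
    """Bytes sent back per byte received from the (possibly spoofed) source."""
    return len(response) / request_len


if __name__ == "__main__":
    spoofed_victim = ("198.51.100.7", 4433)  # constructed example address
    print("unhardened:", amplification_factor(respond_unhardened(*spoofed_victim)))
    print("hardened:  ", amplification_factor(respond_hardened(*spoofed_victim)))
```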
