Ransomware has changed very quickly during the last few years. This type of malware is known for its data encryption element, but that tactic is being replaced by outright extortion. This evolution has gained the attention of system administrators, who will need to develop new defenses against this latest addition to the ransomware landscape.
Once ransomware infects a computing device or network, it performs a malicious act or threatens to do so unless the victim pays a ransom. The most common act in the past has been the encryption of files, preventing victims from accessing their own data. The perpetrators then promise to provide the decryption key once the ransom is paid. More recently, ransomware attacks are likely to include a threat to disclose the encrypted information as well. To be effective, a ransomware attack must also include a payment method that’s difficult to trace, typically cryptocurrency.
Encryption
Early ransomware typically used poor encryption, allowing target organizations to decrypt their data without paying the ransom. However, later versions use encryption that is not practical to break, making it more economical to pay the ransom than to attempt recovery. Criminal organizations were thus able to seek out more lucrative targets and increase the ransom. Ransomware attacks have become more convincing and targeted as a result, especially in the past year. The next step in the evolution of ransomware was for its creators to rent it out on the Dark Web, a model that has since become known as Ransomware-as-a-Service (RaaS). This sharing of resources is one of the driving factors behind the rapid proliferation of ransomware.
The greatest weakness of ransomware has historically been the standard practice of regular data backups, especially among enterprises that could afford to pay a large ransom. In these cases, an organization can remove the ransomware from its system, delete the encrypted files and recover unencrypted versions with minimal data loss. While this process requires time on the part of a system administrator, the cost of restoring data from backups is typically less than the ransom needed to make a ransomware attack worthwhile. Ironically, ransomware is the primary reason that so many of today’s organizations are able to easily restore their data. Ransomware that merely encrypts data is now ineffective against many lucrative targets.
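The restore-from-backup defense described above only works if the restored files are the originals rather than encrypted copies that were backed up after the infection began. The following script is an added example, not code from this article: it records a SHA-256 manifest at backup time, compares a restored tree against it, and flags changed files whose byte entropy is high enough to suggest ciphertext. The directory layout, file names, and the 7.5-bit entropy threshold are constructed for the demonstration.

```python
"""Verify that files restored from backup match the manifest recorded at
backup time, and flag restored files that look encrypted (high byte
entropy), so an encrypted copy is not mistaken for a clean restore.
Added example; the directory layout and file names below are constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root.
    In practice this runs at backup time and the manifest is kept apart from
    the backed-up data (for example on immutable or offline storage)."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a restored tree against the manifest.
    Returns lists of files whose hash matches ('ok'), files absent from the
    restore ('missing'), files whose content changed ('mismatched'), and the
    subset of changed files that look encrypted ('suspicious')."""
    result = {"ok": [], "missing": [], "mismatched": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
            continue
        if sha256_file(p) == expected:
            result["ok"].append(rel)
            continue
        result["mismatched"].append(rel)
        # Near-uniform byte distribution is a strong hint that the restored
        # copy is ciphertext rather than the original document.
        if shannon_entropy(p.read_bytes()) >= entropy_threshold:
            result["suspicious"].append(rel)
    return result


def demo() -> dict:
    """Build a small constructed tree, take a manifest, then simulate a
    restore in which one file was overwritten by an encrypted-looking copy
    and one file is missing. Returns the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "payroll.csv").write_text("id,name,salary\n1,alice,100\n2,bob,120\n")
        (root / "docs" / "contract.txt").write_text("This agreement is made between " * 20)
        (root / "README.txt").write_text("Quarterly figures, see docs/\n")
        manifest = build_manifest(root)

        # Constructed bad restore: payroll.csv replaced by random bytes (what an
        # encrypted copy looks like to this check), contract.txt never restored.
        (root / "docs" / "payroll.csv").write_bytes(os.urandom(4096))
        (root / "docs" / "contract.txt").unlink()
        return verify_restore(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The entropy check is a heuristic: legitimately compressed or already-encrypted files (archives, media, encrypted containers) also score near 8 bits per byte, so a hit means "inspect this file", not "this backup is poisoned". The hash comparison is the authoritative signal, which is why the manifest must be stored somewhere the ransomware cannot reach.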
Extortion
Perpetrators of ransomware attacks began threatening to disclose their victims’ information as an additional incentive to pay the ransom. Organizations store a large amount of data that they don’t want to be publicly available, including employee records, customer payment information and the company’s own proprietary data. A business that refused to pay a ransom to get its data back might be willing to do so to prevent that data from being leaked.
Ransomware operators soon learned that companies are generally much more concerned about having their sensitive information published than they are about being unable to access it. Extortion was thus a far more lucrative strategy than decryption, which is why this type of ransomware attack has exploded since 2018. For example, the Babuk ransomware gang announced in May 2021 that it would focus entirely on data theft rather than encryption going forward. Security analysts expect other ransomware operators to soon follow suit.
The success of ransomware based on data theft is also driving profit-motivated attacks. In the past, ransomware attacks were more likely to be pranks or acts of revenge perpetrated by individuals or small groups. However, today’s ransomware operators are often large, well-organized gangs attempting to expand into cybercrime as a source of revenue.
Summary
The emerging threat of extortion via ransomware will pose new challenges for security staff, especially those in large enterprises. The importance of keeping intruders away from sensitive data will continue to grow as organizations store more data online. The security posture of large businesses must adapt quickly to prevent ransoms from becoming an unavoidable business expense.
Image credit: “Locky ransomware: source code”, Flickr photo by Christiaan Colen, shared under a Creative Commons (BY-SA) license.