Cracks forming in the ransomware ecosystem

According to the UK’s National Cyber Security Centre (NCSC), ransomware is the most immediate threat to businesses worldwide. Gone are the days when ransomware actors would target a single machine and try to extort a user by stealing their data. Today’s ransomware threat is organized and sophisticated, with technology that’s been democratized to the point that ransomware has become its very own economy.

Some ransomware operators will play a numbers game, targeting MSPs (managed service providers) with software supply chain attacks that impact thousands of businesses. Others, such as APT (advanced persistent threat) groups, will go after specific targets to destabilize governments or leverage high-value data to extort millions. Last year in the US, the Cybersecurity and Infrastructure Security Agency (CISA) observed ransomware incidents that impacted 14 of the United States’ 16 critical infrastructure sectors, including defense, food and agriculture, government facilities and even the emergency services. The Australian Cyber Security Centre (ACSC) has recently reported continuous targeting of its critical infrastructure by ransomware operators, going as far as publishing a joint advisory statement with the US and UK to warn of the growing ransomware threat to both government entities and private businesses.

This chimes with the findings we published in our 2022 Security Report. We revealed a 50% year-on-year increase in cyberattacks in 2021, with 1 out of every 61 organizations worldwide impacted by ransomware each week. The government/military sector experienced a 47% increase in the number of weekly attacks and the communications sector saw a 51% increase, but the education/research sector suffered the greatest increase at 75%, averaging 1,605 cyberattacks per week through the year. This sharp rise could, at least in part, be attributed to the increased vulnerability of organizations as they moved to hybrid working models in response to the pandemic. But a more likely culprit is the growing Ransomware-as-a-Service (RaaS) economy, in which ransomware groups and their affiliates effectively package and sell ransomware off-the-shelf to “customers” who then orchestrate the attack. These top-tier ransomware operators don’t just offer the ransomware itself, but often money laundering services, negotiation specialists and even detailed playbooks to go along with it, as evidenced by the recently leaked Conti “cookbook”. This democratization of cybercrime has created an entire ransomware sub-industry, with competition driving innovation as it would in any legitimate sector.

However, thanks to the efforts of white hat researchers and security specialists, as well as governments around the world now strengthening their security posture and taking a more proactive approach, cracks in the ransomware ecosystem are now starting to appear.

Was the attack on Colonial Pipeline the tipping point?

One of the defining trademarks of modern ransomware attacks is the widespread real-world damage they can do, from crippling the UK’s National Health Service to throwing the US Department of Homeland Security into chaos. But never have the real-world consequences of a successful ransomware attack been more clearly highlighted than by the attack on Colonial Pipeline in 2021. One of the largest pipeline operators in the US, Colonial Pipeline supplies roughly 45% of the entire East Coast’s fuel, from keeping homes and businesses warm to fuelling cars, jets and even military outfits. DarkSide ransomware operators took advantage of a suspected unpatched vulnerability in Colonial Pipeline’s systems, forcing the company to take certain systems offline in order to contain the threat. The cost of fuel soared, panic buying ensued, and the aviation and military sectors could have been severely impacted had the situation not been remedied, a full week later.

This attack appeared to be the final straw for the Biden administration, who announced shortly after the incident that crypto exchanges such as Russian-based SUEX would be sanctioned, making it harder for ransomware actors to profit from their attacks. This appeared to be the first in a series of events that have ultimately led to cracks forming in the ransomware ecosystem, and proof – if any was needed – that taking a proactive approach rather than a remedial one is the most effective way to combat cybercrime.

In the US, ransomware is now regarded by the Department of Justice as a threat to national security. The European Union and an additional 31 countries around the world have also joined the US in sanctioning crypto exchanges to disrupt the activities of ransomware operators. In Australia, a new “Ransomware Action Plan” has been established, giving organizations and government institutions greater power and capabilities to tackle ransomware head-on. These moves are indicative of how much the security stances of governments around the world have changed from reactive to proactive, and organizations would do well to follow suit.

Turmoil in the ransomware ecosystem

Ransomware operators sit at the “head” of the ransomware ecosystem, and, just like for any service provider, reputation matters. RaaS groups need to attract affiliates or customers to grow their network and increase their revenue, so any disruption inflicted on these groups can have dire consequences and even turn the industry against itself.

As revealed in our report, one month after the attack on Colonial Pipeline, the DarkSide group responsible announced they were shutting down after their servers were seized and their crypto funds were stolen. This had a knock-on impact on their ability to pay their RaaS affiliates. The REvil group, responsible for the Kaseya MSP breach in July 2021, also disappeared later that year after a law enforcement operation successfully hijacked its infrastructure and blog, giving the group a taste of its own medicine. The Department of Justice went even further, arresting members of the REvil group and seizing more than $6 million worth of ransom money.

But what does this mean for the ransomware ecosystem?

Some perpetrating groups are now placing more pressure on their victims to keep the authorities away during ransomware attacks. The Grief ransomware group, for instance, threatened to completely delete its victims’ decryption keys if they hired professional negotiators – something the group may previously have welcomed as a way to extract payment. Beyond that, the proactive targeting of ransomware operators has led to a flurry of operators and affiliates exiting the arena or separating from one another and “rebranding” to distance themselves from any indictments or seizures. After DarkSide shut down, for example, several members formed a splinter group called BlackMatter, but it too came under pressure from authorities and shut down before the year was out.

This disruption of the ransomware ecosystem isn’t a one-off, but a result of increased pressure from government agencies around the world to curb what is rapidly becoming a global threat. However, organizations shouldn’t get too comfortable.

Not out of the woods yet

While 2021 dealt a significant blow to the ransomware ecosystem, we’re still likely to see millions of ransomware attacks throughout 2022, with new and existing operators and affiliates stepping up their attack efforts. Emotet, one of the most dangerous botnets in history, made its return at the end of 2021, despite a coordinated effort by governments around the world to take it down. This banking trojan turned modular botnet has infected 1.5 million computers worldwide across thousands of corporate networks, and is often used as a delivery mechanism for network-wide ransomware attacks.

Organizations therefore need to remain vigilant and, like governments around the world, take a more proactive and preventative stance in dealing with the growing threat of ransomware. That means tapping into real-time global threat intelligence such as that offered by Check Point’s ThreatCloud, and taking steps to protect your business from not only the threats you can see, but also the ones you can’t. Zero-day vulnerabilities and fifth-generation (Gen V) attacks are sophisticated threats that require a sophisticated response, as well as employee awareness training, continuous backups, multi-factor authentication and employing the principle of least privilege.

The cracks in the ransomware ecosystem may be beginning to show, but while the recently landed blows indicate that ransomware actors might be losing the battle, the cyberwar is far from over.