Ransomware Repeat Attacks

Cybercriminal groups work a lot like modern IT companies. They rent out expensive urban office space, conduct detailed market research, and hire customer support representatives to help victims work out the details of paying cryptocurrency ransoms. It is therefore no surprise that repeat attacks are on the rise.

It should come as no surprise that the leaders of these organizations are taking another page out of the business school playbook. Almost everyone familiar with business administration has heard that it costs at least five times as much to acquire a new customer than retain an old one. Many organizations commit considerable time and resources turning one-time customers into repeat customers.

The same thing is true of the cybercrime industry. The economics of “customer acquisition” work the exact same way, which is why 67% of organizations suffer repeat attacks within 12 months of the original incident.

Imagine you manage a group of hackers who have spent countless hours and a fair bit of money extorting a finance company. You received a decent payout and you’re ready to move onto your next target.

You conduct research, scout for vulnerabilities, and invest in reconnaissance. You find a target and begin the work of infiltrating their systems. This new target is better prepared than your last one. It might be protected by a dedicated detection and response team, or it has Zero Trust architecture in place.

In either case, you hit a roadblock. You need to invest in a more sophisticated hacking tool to breach the new target’s defenses, but you also need to pay your team. You can’t take a loan from the bank or issue equity – so you need a fast, reliable infusion of cash.

There is an easy solution to this problem. Simply go back to the first victim you targeted and extort them for more money. Your team has already done all the work, and all the necessary capital has already been invested. You might even still have administrator-level privileges. If the victim hasn’t yet addressed their security vulnerabilities effectively, all the better.

From a business perspective, extorting previous victims multiple times is an obvious strategy. You generate free cash flow that costs next to nothing without taking on any added risk.

Sharing victim data with other cybercrime groups is another strategy that hackers are increasingly turning to. Essentially, two competing organizations decide to cooperate so that each one earns more profits than they would working alone.

They may charge their partners for access to data or build profit-sharing structures into their workflows. In either case, the result is the same – two separate, competing organizations collude to become a more effective whole, or even monopolize an entire sector.

Obviously, there are no antitrust regulations in the cybercrime industry. Nothing stands in the way of two or more cybercrime leaders combining forces to create a more powerful organization. In fact, there is good evidence that this has already happened many times in the recent past.

For example, there was an incident in April 2022 where three different ransomware groups – BlackCat, Hive, and LockBit – all attacked the same network within the space of a few weeks. It’s even possible that the initial breach occurred months earlier with the help of a fourth, unrelated access broker.

As the cybercrime industry becomes more sophisticated, it can support increasingly specialized people and organizations. Since the ransomware surge of the pandemic era, this has led to the establishment of a “ransomware-as-a-service” model where cybercriminals profit from collaboration with one another.

Organizations that follow this model specialize in one particular step in the cyberattack kill chain. One team may specialize in developing ransomware tools, while another gains initial access to victims’ networks. Others may provide services strictly related to accounting, human resources, and yes – customer service and tech support for victims who want to pay, but don’t know how.

This model works a lot like a modern franchise brand. The main group might be a well-known name like LockBit or Cl0p. They run many of their own operations, but not all of them. Some third-party hackers recognize the quality of the original group’s technology and workflow, so they simply pay a subscription for the right to use the brand and its products.

This approach can backfire. There is evidence that cyberattacks against some high-profile targets like Colonial Pipelineand JBS Foods were actually conducted by third-party hackers. These attacks earned those hackers (and every contact they ever made in the cybercrime industry) the attention of the world’s most effective national security apparatus.

This is a high-risk, low-reward business model for the developers who created the tools used in those attacks – and they know it. Since these attacks occurred, there has been a noticeable trend towards targeting smaller organizations more frequently and making the most out of many small attacks.

If your organization has been targeted by a cybercrime group, you must take steps to secure your infrastructure and protect against repeat attacks. This is true even if your current security systems successfully repelled the attack. The cybercriminals will learn from their failure and come back equipped with better tools and more sophisticated tactics.

Consider boosting your organization’s security posture with a combination of detection-based security tools and prevention-based solutions. Early detection can help you identify intruders before they trigger active attacks, and better prevention forces them to spend valuable time and money breaking down your defenses before they strike.

Anti data exfiltration is an excellent example of a prevention-based solution that successfully impedes ransomware operations. Hackers who can’t get data off your network also can’t connect to command-and-control servers to conduct attacks. Instead, your security team gets ample evidence of wrongdoing and a clear audit trail leading directly to the source of the intrusion.

BlackFog is an anti data exfiltration (ADX) vendor that specializes in detecting and preventing data leaks. Stop cybercriminals from sending data off your network to protect your assets from extortion attacks.