From Ransomware to the U.K.'s Cybersecurity Strategy
From the Covid-19 pandemic to the prevalence of work-from-home and hybrid work models, the cybersecurity attack space has vastly expanded with both new devices and new threats. Threat actors quickly took advantage of an expanded attack surface, as new digital systems required multiple access points for customers, partners, and employees.
At the same time, the evolution of ransomware-as-a-service (RaaS) and the increased specialization of cybercriminals have also contributed to increased ransomware attacks. RaaS is a business model where cybercriminal gangs rent out their malware to buyers called affiliates.
As a result, cybercrime has escalated with a record-breaking number of ransomware attacks with increasing severity. In fact, in the past couple of years, ransomware attacks have doubled and – in some instances – quadrupled in frequency, as noted in BlueVoyant’s Ransomware series.
The attack surge has been fueled in part by an increase in “triple extortion” ransomware technique, whereby attackers encrypt a network, illegally obtain the data and threaten to release it to the wider population unless a ransom payment is made. But it is more than just a criminal money-making enterprise holding individuals and companies to ransom; it has become a tool for geopolitics, an issue for policymakers, and a threat to individuals’ health and safety.
Fascinated by the development of this industry, BlueVoyant has sought to demystify and explain some of the basic questions around ransomware attacks and the actors involved. To do this, we compiled five mini reports that shed light on how ransomware attacks happen, what occurs when they do, and the impact they have on various stakeholders.
In the first blog, we examined how ransomware became so prevalent in the cybercriminal economy and the evolution of ransomware gangs. We traced the growth of leak sites and RaaS while exploring how this has fueled growth. Additionally, we looked at how advanced threat groups behind ransomware, such as REvil, Maze, DarkSide, Ryuk, WastedLocker, and Netwalker have progressed in the underground economy.
How the First Leak Site Fueled the Industry
In 2019, Maze ransomware operators set up the first leak site, which shamed victims who would not pay up fast enough and, by 2020, the practice of double extortion had become widespread. Very quickly, the attacks listed on these leak sites led to increased news reporting, and ransomware gangs and cybercriminals quickly recognized that there was big money to be earned. At the same time, the lack of ransomware groups held accountable for their actions seeded ransomware growth, as the low risk/high reward model attracted more bad actors.
At the same time, the RaaS model, or the practice within the cybercrime economy of providing ready-made tools or services for sale, has evolved. It may involve leasing out the use of a ransomware service so that a less tech-savvy criminal pays for the ability to launch their own attack with these services. This has lowered the barrier to entry and has the added benefit of making attribution more difficult, as many attackers share similar service infrastructure.
Ransomware gangs and cyber criminals have experienced hefty payouts. For example, Canadian Sébastien Vachon-Desjardins reportedly earned $27 million from his cybercriminal exploits. Similarly, the ransomware gang behind the REvil ransomware earned an $11 million payout from global meat supplier JBS. Additionally, a spokesperson for the REvil ransomware gang known as UNKN noted that one of its affiliates earned $50 million before he decided to retire.
A Diversified RaaS Model
It is mesmerizing how early ransomware innovations have spawned a layered, complex industry. Gangs have structured themselves into businesses, while creating their own ecosystem filled with partners and vendors who develop marketing campaigns and other initiatives, just like any other legitimate business.
And as it has grown, the RaaS model has become quite varied depending on the operation and its maturity level. There are often service buy-ins or lease requirements, and potential affiliates are vetted for skills or by country of origin. Affiliates can be asked to prove prior work or a constant stream of potential accesses for exploitation, just like any legitimate salesperson is asked to verify their previous experience and take their “black book” of contacts from one employer to another.
U.K. Launches First-Ever Cybersecurity Strategy
Level-of-threat concerns have prompted governments globally to shore up their cybersecurity strategies. In January, the U.K. government launched its first-ever National Cyber Strategy targeted at protecting the public services upon which citizens rely. The strategy aims to make core government functions, such as the delivery of essential public services, more resilient than ever before to cyberattacks from malicious actors, with ransomware viewed as one of the most prolific threats.
Ransomware will continue to evolve, with ransomware operators using new and more complex techniques in addition to targeted attacks. Just like the recent increase of attacks in Latin America, new regions and industries may be targeted. Data exfiltration will be on a large scale, as will attacks on the supply chain.
When it comes to cybercriminals, it’s a faceless and nameless way to earn money. With little risk of being caught, ransomware gangs keep expanding. Therefore, organizations and security practitioners must be mindful and prepared as ransomware gangs will continue to grow until the risk outweighs the reward, a milestone we’re unlikely to hit any time soon.
James Tamblin is President, BlueVoyant UK.