The Worsening State of Ransomware

“The Worsening State of Ransomware”
Communications of the ACM, April 2021, Vol. 64 No. 4, Pages 15-17
News
By Samuel Greengard

“Suddenly, you have people with limited ability using powerful software to discover, exfiltrate, and encrypt files. They wind up with many of the same capabilities that sophisticated cybercriminals have.”

Few things elicit terror quite like switching on a computer and viewing a message that all its files and data are locked up and unavailable to access. Yet, as society wades deeper into digital technology, this is an increasingly common scenario. Ransomware, which encrypts data so cybercriminals can extract a payment for its safe return, has become increasingly common—and costly. A 2019 report from security vendor Emisoft pegged the annual cost of ransomware in excess of $7.5 billion in the U.S. alone.

“Individuals, businesses, hospitals, universities and government have all fallen victim to attacks,” says Chris Hinkley, head of the Threat Resistance Unit (TRU) research team for security firm Armor. In a worst-case scenario, ransoms can run into the tens of millions of dollars and close down an organization’s operations entirely. It has forced hospitals to redirect patients to other facilities, disrupted emergency services, and shut down businesses.

The problem is growing worse, despite the development of new and more advanced ways to battle it, including the use of behavioral analytics and artificial intelligence (AI). “Cybergangs use different cryptographic algorithms and they distribute software that is remarkably sophisticated and difficult to detect,” Hinkley says. “Today, there is almost no barrier to entry and the damage that’s inflicted is enormous.”

Money for Nothing

The origins of modern ransomware can be traced to September 2013. Then, a fairly rudimentary form of malware, CryptoLocker, introduced a new and disturbing threat: when a person clicked a malicious email link or opened an infected file, a Trojan Horse began encrypting all the files on a computer. Once the process was complete, crooks demanded a cryptocurrency payment, usually a few hundred dollars, to unlock the data. If the person didn’t pay in cybercurrency, the perpetrator deleted the private key needed to decrypt the data and it was lost permanently.

Today, a dizzying array of ransomware exists, with each variation developed by different cybergangs. Once they reside on a computer, the likes of Dharma, Maze, Ryuk, Petya, Sodinokibi, Lazarus, and Lockbit unleash malware that spreads across systems and networks—until the crooks decide to pull the trigger. Making matters worse, some cybergangs sell ransomware kits for as little as a few hundred dollars (or via a subscription that may run as low as $50 to $100 per month). These “customers,” who have zero coding skills or software expertise, take advantage of a ransomware-as-a-service (RaaS) model to gain sophisticated capabilities, says Keith Mularski, a former FBI agent and now managing director of the cybersecurity practice at Ernst & Young.

According to security firm Sophos, 51% of organizations it sampled globally found themselves the targets of ransomware attacks in 2019. The crooks succeeded in encrypting data in 73% of these attacks. Just over a quarter of these organizations paid the ransom, or their insurance companies forked over the cash. For instance, University Hospital of New Jersey paid a $670,000 ransom in October 2020 after a group called SunCrypt captured 240GB of its data. A more catastrophic outcome occurred in July 2019, when Portland, OR-based PM Consultants, a managed services provider (MSP) for dental practices, was hit with ransomware; customers could not access key files or data for months, and the firm shut down.

Not surprisingly, dozens of major ransomware gangs now exist worldwide, including in Russia, Eastern Europe, and North Korea. Incredibly, many of these operations look and function like authentic businesses. “They rent office space, they have development teams, data architecture teams, help desks, phone support, and people that negotiate ransoms with targets,” says Alexander Chaveriat, chief innovation officer at Tuik Security Group. “They buy server space all over the world using cryptocurrency, change servers as needed, and use virtual private networks and other tools to hide their location.”