Over the past several years, the emergence of big-ticket, destructive ransomware attacks has jolted governments into action to circumscribe the predominately Russian-based threat actors behind the scourge.
At the same time, ransomware has been a critical factor driving the growth in corporate cyber security budgets as organisations grapple with the often-crippling threat.
Despite the policy measures and increased private sector funding to slow down the drumbeat of attacks, ransomware threats remained a top topic at this year's RSA conference.
Experts at the event underscored that Russian state-sanctioned criminal actors are not the only ransomware threat actors to fear, nor are ransomware attacks decreasing despite the intensified efforts to nip them in the bud. The same actions taken to quash ransomware activity might end up forging alliances among financially motivated threat actors to create hybrid cyber-attacks that meld social engineering with ransomware.
Iran is a ransomware innovator
Speaking at RSA, Dmitri Alperovitch, executive chairman at Silverado Policy Accelerator and co-founder and former CTO at CrowdStrike, said Iran is an innovator in ransomware with its SamSam ransomware. He noted that it was an Iranian group that attacked the city of Atlanta and the state of Colorado with this malware, and it was Iran that first introduced big game hunting at scale.
"Not just trying to target one system within a network and lock it up, but really doing an intrusion and then rolling ransomware across the entire network to try to get as big of a ransom as possible that we now have seen from all other groups like REvil, LockBit, and others," he said.
"One of the things that the Iranians are doing, and we're seeing this in the criminal space as well, is leaking data to harass organisations.," Alperovitch said.
Ransomware attacks are still increasing
Sandra Joyce, executive vice president and head of Mandiant Intelligence and Advanced Practices, said that it's misleading to think that ransomware attacks are going down, a common misconception in the wake of Ukraine's invasion of Russia. "If you look at Q1 year after year and Q2 year after year, what you're going to see is a very stark rise," she said.
"I can tell you that at Mandiant, we saw a spike in the last week and a half." Joyce pointed in particular to shaming site victims, "where if you don't pay and frankly at times where you do actually pay, threat actors are going to go and dump your data there."
Sometimes ransomware is not a factor in threat groups' attacks. "A lot of what we measure for ransomware gets intermixed with data theft and extortion, and there may not be any need to drop any malware at all," Joyce said.
"And we've been predicting for quite a while that these attacks could have nothing to do with malware. It could just simply be extortion and data theft, and it's getting measured as ransomware as well. So, the thing to think about is a lot of what's happening in the ransomware space with or without malware is a tactic to evade sanctions."
REvil comes back from the dead
But the ransomware news isn't all bad, Alperovitch said. "We had some good news on the ransomware front. In January, a month before [Russia's invasion of Ukraine], the Russians did take action against 14 individuals that were part of this group, REvil, that was responsible for some of the most high-profile attacks last year."
More recent developments have undercut even that bright spot. "Problem solved, right?" Alperovitch said. "Well, not so fast. The little thing called war happened, and that, of course, resulted in a breakdown in the communications between the cyber teams in the United States government and Russian cyber teams. Understandably so."
"What you see now are statements coming out of lawyers for these individuals back in Russia saying, 'Well, it turns out that the U.S. is not providing any information that we can… use in the prosecutions of these individuals. So [prosecutors] should just drop the charges and let them go.' It's unclear if that has yet happened."
Consequently, the prolific threat group is returning to life in what Alperovitch said is an incredibly resilient ecosystem that spreads responsibilities across many specialised actors within the group. "One of the things that we are seeing now is, REvil is starting to come back. Some of their sites and tor networks have come back, and we have to watch that very carefully."
Costa Rica's ransomware attack is a cautionary tale
The recent ransomware attack on Costa Rica that has cost the country hundreds of millions of dollars in lost productivity and spurred the Conti ransomware attackers to call for the overthrow of the nation’s government highlights the enduring destructive power of ransomware.
Matt Olsen, assistant attorney general for national security at the U.S. Department of Justice, signalled that the attack on Costa Rica is probably not a targeted one but is likely a case of uncontrolled ransomware.
Olsen said the Costa Rica attack is possible "spillover" damage from the Russian ransomware group's operations.
"When you look at what happened with NotPetya, where the Russian attack was focused really on Ukraine, it was sort of a fake ransomware attack," Olsen noted. "But it immediately spilled over outside the borders of Ukraine. That's the nature of these types of attacks. They don't recognise national boundaries.
"I think that's a cautionary tale where you see there's every reason to believe that Russia will expand its reach to countries and places using groups that are going be helping carry out its goals."
Ransomware and BEC actors could converge over the next year or so
Two of the top financially motivated cyber attacks, ransomware and business email compromise (BEC), have risen in parallel over the past five to six years, even though "they are on completely opposite sides of the cyber crime spectrum" in terms of sophistication, Crane Hassold, director of threat intelligence at Abnormal Security, told the conference attendees.
Ransomware is a highly concentrated specialty with a centralised ecosystem. Almost two-thirds of all ransomware activity between 2020 and 2021 could be attributed to just three ransomware groups, Hassold said. "Right now, over 50 per cent of ransomware activity is attributed to Conti or LockBit."
On the other hand, BEC is committed by thousands of actors with little central direction, mostly in places like West Africa or Nigeria. Despite these differences, Hassold thinks ransomware actors will gravitate to BEC over the next 12 to 18 months, mainly because government authorities are making it difficult for ransomware gangs to get paid via cryptocurrency.
“The frictionless environment that cryptocurrency transactions previously afforded are going to start going away, and it's going make it a lot more difficult to make those transactions for more malicious and illicit purposes," he said. "Because of that, the overall return on investment, the overall effort needed to make those transactions will start creating diminishing returns for the threat actors."
Ransomware actors are "going to pivot somewhere else to make money, and in my opinion, what we might see in the next 12 to 18 months is this essential convergence of ransomware actors and the BEC space to create this sophisticated hybrid social engineering attack that essentially takes [on] the scale and sophistication of ransomware.”