Pandemic Problems: The Rise of Ransomware Gangs

Overview

Netflix and Zoom are not the only entities experiencing an escalation in their revenue as a result of the COVID-19 pandemic – ransomware gangs, as well as cyber hackers in general, have increased in both activity and profit. These cybercriminal groups attack systems using strains of ransomware, a form of malicious software (malware) that takes control of a device and demands ransom payment from victims. While ransomware gangs are certainly nothing new, the onset of the pandemic has catalyzed the growth of ransomware. Indeed, some reports estimate that ransomware gangs made at least $350 million in 2020, which represents a massive 311% increase in profit compared to 2019. On a related note, ransomware attacks are also capturing the world’s attention and are therefore, more high profile.

Remote Work: The Ransomware Jackpot

So how has the pandemic created opportunities for ransomware gangs? Here are a few ways that these groups have benefitted:

1. Growth of Internet usage and activity – The pandemic caused an increase in global Internet usage, as people have been obligated to comply with quarantine measures and remote work policies. More people online means more clicks on potentially harmful links and opportunities to extort users.

2. Rise of cryptocurrency – Most ransomware gangs demand ransom payments via cryptocurrencies like Bitcoin, given that they allow for more anonymity during transactions and are subject to less regulation. Between April 2020 and April 2021, the price of Bitcoin rose by more than 800%.

3. More victims are paying the ransom – According to Steve Morgan, the editor-in-chief of Cybercrime Magazine, more companies are paying the ransom in order to retrieve their data and minimize the fallout of the attacks. Moreover, research shows that the number of victims who chose to pay the ransom rose by over 300% between 2019 and 2020.

4. Increased media coverage – As ransomware gangs have continued to exploit more high-profile targets (for example, National Basketball Association (NBA), Colonial Pipeline, Washington DC Metro Police), media outlets are publishing more reports about these incidents. This trend contributes to the cyclical nature of the ransomware problem – companies are targeted in an attack then pay the ransom, the perpetrators collect payments and walk away, the incidents are covered by the media, and other hackers read about the successful attack and decide to try it out for themselves.

How Does Ransomware Work?

First, they dwell. Hackers planning to use ransomware often begin their attacks through a process known as dwelling, during which they enter a target’s system undetected and hunt for the most confidential (and therefore, valuable) data to exploit. Attackers often gain access to victims’ networks through phishing emails, a type of social engineering in which malicious links disguised as legitimate websites are sent via email.

Next, they search for servers. Another common method used by ransomware gangs targets public Remote Desktop Protocol (RDP) servers, which allow users to control a local computer from a remote workstation. In fact, a report released by computer software company Group-IB showed that 52% of ransomware attacks in 2020 gained initial access through these publicly accessible RDP servers (fun fact: phishing methods comprised 29% of attacks).

Then, they use brute force. After gaining initial access, cybercriminals tend to brute force attacks in order to bypass the targeted systems’ requests for credentials. Brute force attacks contain a password-cracking program that tries every possible combination of characters in order to access secure systems.

Finally, they release the malware. Once inside the network, ransomware gangs launch the payload, or the transmitted data within the malware that executes the attack, frequently through Microsoft’s programming language PowerShell.

Case Study: 2021 Attack against Kaseya

On July 2, 2021, the Russian cybercriminal group REvil launched a global ransomware attack that leveraged vulnerabilities found within US technology company Kaseya Limited’s Virtual System Administrator (VSA) remote management software. Specifically, the incident exploited vulnerabilities within VSA’s latest update, allowing the hackers to replace it with ransomware and hack into 50 managed services providers (MSPs) that used Kaseya’s products. Before Kaseya was able to issue warnings to its customers, the ransomware’s malicious payload had affected approximately 1,500 organizations, with demands for ransom ranging from thousands of dollars to $5 million or more. Several hours later, Kaseya shut down the VSA software on its own servers and suspended its cloud-based Software as a Service (SaaS) servers.

Media reports have described the attack against Kaseya as the single largest global ransomware attack in history. But what made it so successful? Well, largely because of the combination of the interdependent supply chain and security vulnerabilities. Ransomware attacks targeting a specific software, rather than a specific individual or company, are growing in popularity due to the “domino effect” that results from launching a single attack that proliferates into multiple systems. Additionally, REvil’s attack demonstrates the growing sophistication of ransomware attacks – by disguising the malware within the software update, the attackers ensured a maximum number of victims would be affected.

In conclusion, the future of ransomware is ever-evolving. While preventing an attack may seem daunting, the cybersecurity community can proactively take measures to educate and protect users. Some best practices include: conduct regular vulnerability scanning of internal networks to identify system weaknesses, apply consistent patches and updates, maintain offline and encrypted backup services, and ensuring employees are familiar with crisis management protocols. Conducting good cyber hygiene is necessary to mitigate risks both during the pandemic and beyond.

Interested in other examples of ransomware attacks against the global supply chain? Check out Phishing for Answers’ previous post, “How Ghana Saved a Global Conglomerate from a Cyber Attack,” to learn more about how a ransomware attack that started in Ukraine ended up spreading across the world.