Measured Insurance Partners with Canopius and Long-time Backer SCOR to Expand Critical Cyber Insurance Solutions

Ransomware payouts reach record levels in 2021 as extortion becomes more sophisticated

Measured Staff
April 7, 2022
|Share this article:

Cybercriminals are flush with cash from successful ransomware campaigns, and they are using more sophisticated technology and tactics to drive up ransomware payments even further, with the Conti ransomware group leading the way.

According to a report released by Palo Alto Networks’ Unit 42, the average ransom demand rose 144% to $2.2 million in 2021, and the average payment increased 78% to $541,010.

The Conti ransomware group was responsible for more than one in five cases worked by Unit 42 consultants in 2021. The second-highest rate was REvil, also known as Sodinokibi, with 7.1%, followed by Hello Kitty (4.8%) and Phobos (4.8%).

Malicious actors increasingly turned to Dark Web ‘leak sites’ where they pressured victims to pay up by threatening to release sensitive data, the report found. 

R&D behind ransomware

To become more operational and profitable, large ransomware groups like Conti must put more money into research and development that allows them to use more sophisticated techniques, such as fileless malware and obfuscation, to launch attacks.

“Today’s ransomware operators are much more financially motivated than they were in the past,” explained Matthew Warner, CTO, and co-founder at Blumira, an automated threat detection, and response technology provider.

According to him, most of them aren’t interested in actually stealing data; they want to encrypt the victim’s entire environment, put a bounty on it, and get paid as quickly as possible. Double extortion is being used by others to repeat bounty payouts.

“Since ransomware operators are more financially motivated, they often take a smash-and-grab approach, casting a wider net that includes smaller and mid-sized businesses,” he said. “SMBs generally have fewer resources to protect against ransomware and more exposure in their attack surfaces.”

An equally concerning trend noted by Warner is the availability of stolen credentials on the dark web and exploit kits, which are making ransomware attacks easier for the more unsophisticated operators.

“Low-level attackers often use complex malware loaders like Cobalt Strike, SquirrelWaffle, and QakBot with sophisticated obfuscation techniques that make it more difficult for defenders to detect,” he added. 

Progression of ransomware

At Vectra, an AI cybersecurity company, Aaron Turner is the vice president of SaaS Posture. He explained that the natural progression of ransomware is that sophisticated attackers seek out the interesting intellectual property (commonly for industrial espionage) and sell it.

They will then seek out easy to monetize data like payment account numbers, for example, and try to quickly withdraw value from those accounts.

“Finally, ransomware is deployed only when industrial espionage and payment account fraud opportunities are exhausted,” he said. “As industrial espionage and payment fraud attacks become more sophisticated, ransomware follows in their wake.”

In order to protect themselves from ransomware, Turner said organizations should start by ensuring system hygiene. A key focus area should be endpoint configuration management, especially for internet browsers.

“Even when ransomware is delivered through cloud storage services, oftentimes the initial attack vector is through a vulnerable internet browser,” he said. “Cloud storage posture management is another important focus area.”

In addition, Warner explained that organizations of all sizes have difficulty keeping up with the wide-ranging visibility and risk mitigation efforts needed to secure environments against these attacks.

Spotting a cyber attack

Ransomware attacks usually consist of three steps: discovery, gaining a foothold, and escalating privileges. Organizations should focus on detecting these steps as effectively and efficiently as possible.

“Ensuring that your public-facing attack surface is known and properly configured will reduce threats of discovery against your environments such as internet-facing RDP servers,” he said. 

Detecting attacks, as well as being aware of data that can be restored from a backup, will allow you to respond quickly to attacks, or in a worst-case scenario, understand how to deal with ransomware post-exploitation.

“It’s also important that organizations stay up-to-date on patches and apply them rapidly as they become available,” he said. “Vulnerabilities to Exchange and VPNs were one of the biggest drivers for ransomware entry points into environments and must be remediated as soon as possible.”

Despite the importance of endpoint protection and detection tools, Warner said relying on them alone may result in an inability to detect attacker behavior until it is too late, for example, when an attacker introduces malware into an environment.

“Detecting potentially threatening behavior and detecting known-bad file signatures are both important approaches,” he said.

Artificial intelligence or machine learning alone will, however, lead to a higher false-positive rate and could quickly become difficult to manage.

“The behavior-based approach that a modern SIEM provides will be able to detect living-off-the-land techniques that signature-based detection cannot,” Warner said. 

Ransomware in 2022

Turner details the ransomware outlook for 2022 by noting the Conti group’s announcement that they intend to be active participants in the conflict between Russia and Ukraine.

It is an indication that the ransomware groups that have been protected from extradition and prosecution by Russia feel some loyalty to Russia and will actively support their military efforts, focusing their digital attack skills on targets they believe will benefit Russia.

“We should consider ransomware gangs as essentially guerrilla fighters, waging a new form of warfare while enriching themselves along the way,” he said.