The diverse variety of ransomware families, intrusion methods and affected targets makes securing systems an increasingly complex task. We review the lessons learned from 2021.
The ransomware business has (unfortunately) never been in better health. At the 2021 FIC forum, Jean-Thierry Calvet – head of cyberdefence operations at France’s ANSSI digital security agency – reported that incidents due to this malware were up by 255% in France. Worldwide, ransomware attacks doubled during 2021, and 37% of organisations surveyed by the International Data Corporation claimed to have experienced a ransomware attack during the year. But what are the realities and trends behind the ransomware phenomenon today? Are all companies equally vulnerable to the threat?
Ransomware: a game of “Happy Families”
Also during the 2021 FIC, Captain Paul-Alexandre Gillot of the Gendarmerie Nationale’s Judiciary Unit carried out a small accounting exercise. He identified 28 families of ransomware currently active in France, with the FBI reporting more than 100 in the United States.
Some families of ransomware have stood out for their recurring appearances over the last twelve months. For example, Babuk was used by the cyber-criminal group of the same name to infiltrate several large companies in 2021. The leak of the software developed by the group also contributed to its popularity, as other less experienced cyber criminals were able to make use of the ransomware for their own purposes. Atom Silo and BlackMatter are other examples. The operators of this latest ransomware, discovered at the end of July, have been causing havoc for about three months, attacking companies around the world. Lastly, Edouard Simpère – Head of CTI at Stormshield – points to the resurgence of REvil (also called Sodinokibi) and Ryuk in 2021. The former, which has been around since 2019, has long been considered one of the most difficult to detect, and one of the most profitable for cybercriminals. Its source code is regularly updated to counter cyber-protection measures. Fortunately, the Russian authorities’ dismantling of the group seems to have put a stop to it.
But overall, Edouard Simpère notes that this malware’s basic modus operandi remains the same. The two classic types of ransomware, “lockers” – which block the operation of a computer – and “cryptos” – which consist of encrypting data and demanding payment for a decryption key as a ransom – have not fundamentally changed. “So we’re seeing tools that we’ve actually observed before,” he explains. However, the means by which workstations and information systems are penetrated may be different.” But how have these methods of access, which are all common to the various different families of ransomware, evolved?
Entry points, distribution, targets: the anatomy of ransomware
The points through which ransomware can enter are (unfortunately) diverse, as shown in this diagram produced by the New Zealand government. Not surprisingly, phishing is one of the main gateways. By directly recovering credentials, cyber criminals can gain access to a VPN or an email system. And it only takes one of your employees to fall into such a trap before the whole company’s information system has been put at risk. That’s because cyber-criminals will quickly move laterally until they get their hands on the valuable administrator rights for the domain’s directory. And more than just the obvious manager profiles, all employees of a company are in fact potential targets for cyber criminals.
But the entry points are occasionally more devious – using “social engineering” – or more direct, with the exploitation of unpatched software vulnerabilities or booby-trapped emails. Around this e-mail vector, the entry points for ransomware are combined with their distribution methods. Consider Ryuk’s example, in which simply clicking in an e-mail will trigger a first element – the injector – which will download the malware itself. This is just one example, as “these entry points are based on the exploitation of vulnerabilities whose use can vary”, Edouard Simpère explains. It is an equation featuring two unknown variables: X vulnerabilities and Y ways of exploiting them. And in recent years, ransomware distribution methods have become more diverse. On the one hand, “traditional” non-targeted “spray and pray” attacks are still the leading attack vector in the CESIN 2021 barometer. But they are evolving: although they still take the form of large worldwide e-mail campaigns, relying on a statistical approach, they are now much more sophisticated than would have been the case a few years ago. “It’s a far cry from Amazon emails with mistakes in almost every word,” says Edouard Simpere. The quality is much better: for example, you can find realistic invoices in their appropriate context, addressed to accountants as if they were an email from a client.” Since 2021, cybercriminals have even been reusing stolen email histories to re-initiate conversations, using the subjects and contents of old exchanges. And, of course, with a contaminated file thrown in for good measure. Some cybercriminals, however, opt for a much more targeted strategy. They decide to target specific companies, like this campaign detected in March 2022 by another cybersecurity company and described as a “surgical cyberattack” by L’Expansion.
It’s a far cry from Amazon emails with mistakes in almost every word. The quality is much better: for example, you can find realistic invoices in their appropriate context, addressed to accountants as if they were an email from a client.Edouard Simpère, CTI Manager, Stormshield
At the same time, small and medium-sized enterprises are coming in for twofold scrutiny by cybercriminals. Firstly, they are targets in their own right, as they are particularly sensitive to business interruptions. Secondly, they are still being used today as a staging point from which to attack their larger trading partners. Because when it comes to ransomware, no one is safe. And hackers whose aim is to convince an infected company to pay the ransom will resort to any means necessary...
DDoS and data leakage: pressure tactics that go hand in hand with ransomware
Because although official advice is not to pay ransoms, cyber criminals obviously see things differently. And to tip the balance in their favour, they will devise and use additional pressure tactics. In 2018, patient data from around 20 Finnish psychotherapy centres was stolen. But when the company hit by the theft refused to pay the ransom to get the data back, the cyber-criminals turned to... the patients themselves, threatening to make the data public. This is the start of a trend towards the threat of data disclosure. It is a means of pressure that complements – or can sometimes now even replace – encryption as a way of forcing companies (and individuals) to pay ransoms. “Cybercriminals have noticed that some targets are resistant to ransomware,” explains Renaud Feil, CEO and co-founder of Synacktiv, a company specialising in security audits. They have effective backups in place. So the hackers had to come up with something else.” In practical terms, this means targeting companies which place a high value on reputation and confidentiality issues, such as law firms or accounting firms. And the threat can also become a threat of encryption. In this innovative new process, cybercriminals demand a ransom... for not encrypting your data. This is the reward without the effort that cybercriminals are seeking, relying solely on the fear they instil in their targets. There is no guarantee they will be able to carry out their threat… but would you take the risk?
At the same time, as Edouard Simpère notes, cyber-criminal groups’ methods became more professional in 2021, including the pressure tactics adopted: “Their financial resources are now such that they can afford to develop new methodologies. For some groups, we’re talking about several tens or even hundreds of millions of euros of firepower.” This is leading to another trend: the ability to carry out two types of attack simultaneously: a ransomware attack followed by a DDoS attack. By making sites unavailable, cyber-criminals increase the pressure on companies to pay. This principle of “double extortion” is estimated to have earned cybercrime groups over $45 million in 2021, with Conti leading the way, followed by REvil and DarkSide.
So the era of ransomware is far from over. And it spares no one. From very small businesses to large international groups, the entire global economic fabric is a potential target. Yet according to specialist insurer Cybercover, SMEs are the companies most at risk: almost 60% of victims of cyberattacks are small and medium-sized enterprises. Fortunately, there are ways of protecting yourself. And the cybersecurity ecosystem is also starting to get its act together. “Today, there are many companies that have not experienced a major incident, despite attempts,” Renaud Feil points out. “A company that makes systematic and rigorous security efforts will discourage attackers, who will move on to other targets... The whole aim, then, is to strengthen your system, whatever the size of your company.”