Why cyber gangsters extort ever higher ransom money with ransomware


The US$200 that victims of CryptoWall, the dominant encryption Trojan at the time, had to pay as ransom in 2014 seems almost quaint today. Ransomware attacks are now about sums of a different order: according to a study by Palo Alto Networks, the average ransom payment in 2020 was $313,000, up from just $115,000 in 2019.


In the past few months there have been a growing number of spectacular cases in which companies have bought back their encrypted data for sums in the millions. In June, meat processor JBS USA confirmed that it had transferred $11 million to a ransomware gang. The pipeline operator Colonial had previously paid over four million dollars, and the insurer CNA Financial as much as 40 million, according to a Bloomberg report.

In 2020, a total of 400 million US dollars flowed to known cryptocurrency addresses of ransomware gangs, according to an analysis by the blockchain analytics firm Chainalysis, more than four times the 2019 total. The overall damage caused by ransomware, including the victims' lost revenue, is estimated at double-digit billions per year.

The topic has now reached the highest levels of politics. In June, US President Joe Biden confronted Russian President Vladimir Putin with allegations of giving cyber gangsters a free hand. “I looked at him and said: How would you feel if ransomware were to attack the pipelines in your oil fields,” said Biden after the meeting in Geneva.

US President Joe Biden accuses Russian President Vladimir Putin of allowing cyber gangsters.

(Image: Saul Loeb / Pool AFP / dpa)

Several developments have contributed to the "ransomware epidemic". Until three or four years ago, criminals mostly infected targets automatically, and therefore indiscriminately, on the basis of vulnerability scans; now they choose their victims deliberately and prefer to go after wealthy organizations. The BKA, Germany's Federal Criminal Police Office, calls this "Big Game Hunting" in its Federal Situation Report on Cybercrime 2020. As a result, private individuals are rarely faced with a ransom demand: they are simply not financially strong enough to be of interest.

Today, criminals invest more time before the initial infection of a company, says Michael Veit, Technology Evangelist at the British cybersecurity company Sophos, in an interview with c't. This is necessary because mass-distributed malware is routinely intercepted by antivirus software. Ransomware groups have therefore switched to spear-phishing, sending HR departments poisoned Word files or PDFs that pose as résumés. Researching job advertisements and contact persons for such campaigns is comparatively time-consuming.

Once the first computer is infected, according to Veit, human operators usually take over and map the network. Only human attackers, he says, can use legitimate tools such as PowerShell unnoticed to escalate their privileges and reach the heart of the network, Active Directory (AD). By manipulating AD, they lay the foundation for the next step.

Since 2019, the extortion gangs have also been publishing their victims' sensitive data for download.

Since the end of 2019, this next step no longer consists of blindly encrypting the data on servers and end devices. Instead, the criminals first exfiltrate sensitive data and then blackmail the victim a second way: if a company refuses to pay for decryption, for example because it can rely on its offline backups, the criminals threaten to publish the confidential data. In the case of the Apple contract manufacturer Quanta, for instance, design drawings were leaked.

The ransomware groups list and ridicule their victims on websites that are typically reachable only via the anonymizing Tor network. If the companies concerned do not pay, the criminals make the captured data available for download: emails, patient data, research results, contracts, laboratory reports, copies of ID cards, bank receipts and so on. Around 20 gigabytes of financial data and 90 gigabytes of e-mails from Software AG, for example, turned up on the leak site of the gang known as Cl0P. The Ragnar Locker group put more than 1.5 terabytes of internal data from the Taiwanese storage manufacturer Adata online.