The US $ 200 that victims of the then dominant encryption Trojan CryptoWall had to pay as a ransom in 2014 seem almost cute nowadays. Meanwhile, ransomware attacks are about other sums of money: According to a study by Palo Alto Networks, the average ransom payment in 2020 was $ 313,000 – in 2019 it was only $ 115,000.
In the past few months there have been an increasing number of spectacular cases in which companies have even bought their encrypted data with sums of millions. In June, meat processor JBS USA confirmed that it had transferred $ 11 million to a ransomware gang. The pipeline operator Colonial had previously paid over four million dollars, the insurance company CNA Financial even 40 million, according to a Bloomberg report.
In 2020, a total of 400 million US dollars flowed to known cryptocurrency addresses of ransomware gangs, according to an analysis by the service provider Chainalysis. Compared to 2019, the total has more than quadrupled. The total damage caused by ransomware – including lost sales of the victims – is estimated to be in the double-digit billions per year.
The topic has now reached the highest levels of politics. In June, US President Joe Biden confronted Russian President Vladimir Putin with allegations of giving cyber gangsters a free hand. “I looked at him and said: How would you feel if ransomware were to attack the pipelines in your oil fields,” said Biden after the meeting in Geneva.
Big game hunting
Several developments have contributed to the “ransomware epidemic”. Up until three or four years ago, criminals infected mostly automatically and therefore indiscriminately by means of a vulnerability scan, but now they choose their victims more specifically – and prefer to target wealthy organizations. The BKA calls this “Big Game Hunting” in the Cybercrime Federal Situation Report 2020. As a result, private individuals are rarely faced with a ransom demand. They are simply not financially strong enough and therefore uninteresting.
Today, criminals spend more time before the initial infection of a company, says Michael Veit, Technology Evangelist at the British cybersecurity company Sophos, in an interview with c’t. This is necessary because masses of malware are regularly intercepted by antivirus software. The ransomware groups therefore switched to sending poisoned Word files or PDFs with alleged résumés to HR departments that were created in the spear-phishing style. Researching job advertisements and contact persons is comparatively time-consuming.
If the first computer is infected, according to Veit, human operators usually step in and map the network. Only human attackers could unnoticed use legitimate tools such as PowerShell to gain more rights and get through to the heart of the network, the Active Directory (AD). By manipulating the AD, you are laying the foundation for the next step.
Mock and leak
Since the end of 2019, this next step no longer consists of blindly encrypting the data on servers and end devices. Instead, the criminals first suck off sensitive data – and then blackmail the victim in a second way: If a company does not want to pay for decryption because it can rely on its offline backups, for example, the cyber criminals threaten to publish the confidential Data. In the case of the Apple manufacturer Quanta, for example, construction drawings were leaked.
The ransomware groups list and ridicule their victims on websites that are typically only accessible via the anonymizing Tor network. If the companies concerned do not pay, the criminals make the captured data available for download – emails, patient data, research results, contracts, laboratory reports, copies of ID cards, bank receipts and so on. For example, around 20 gigabytes of financial data and 90 gigabytes of e-mails from Software AG were found on the gang called Cl0P. The Ragnar Locker Group has put more than 1.5 terabytes of internal data from the Taiwanese storage manufacturer Adata online.
Another driver of the development is the ransom money itself. From the victims’ point of view, the payments may appear understandable, because they are usually cheaper than the loss of sales until the IT systems concerned are rebuilt. Often, the encryption of data completely paralyzes the companies concerned. In the case of Symrise, a German manufacturer of fragrances and flavors, the Federal Criminal Police Office puts the damage caused by a “production and communication failure” at “several million euros per lost day”. Symrise had been attacked with ransomware by the Cl0p group.
But in the long run, the ransom money is disastrous. If word of this kind of payments gets around in the underground, the motivation of other criminals increases to attempt a ransomware attack as well. The more money ends up underground, the easier it is for criminals to find new exploits, service providers to disguise Bitcoin transactions or social engineering specialists who deal with the initial infection of the victims. And the more companies buy their way out, the more normal the process appears to other affected parties.
Insurance as a driver?
According to some experts, insurance companies also play a role in this. More and more organizations are taking out special cyber policies that also cover ransomware attacks. From the point of view of criminals, however, existing insurance is a very good argument in favor of increasing the ransom demand even further.
Law enforcement and cybersecurity agencies typically advise against paying ransom money. Some experts in the US and Europe are even calling for ransomware payments to be banned by law in order to drain the attackers financially. As the first major insurance company, Axa decided in May not to offer policies with ransom reimbursement in France in the future. This has responded to concerns of the French government, the company told US media.
According to a survey by the security provider Sophos, the ransom money is often only supposedly a simple solution: Only eight percent of more than 1000 companies surveyed that paid a ransom would have received all of their data. “Many had to save themselves by restoring backups or even typing data by hand, despite previous payment,” reports Sophos expert Michael Veit to c’t.
Home office vulnerability
Experts see the corona-related move to the home office as another driver. This development has “undoubtedly increased the potential attack surface of target organizations”, writes the British think tank RUSI in a study published in March. The risk of weak points and misconfigurations has increased due to the installation of new hardware and software, and there are also possible gaps in the employees’ home IT.
Prosecutors have so far been able to do little to counter the extortion’s raid. There have been successes in investigations, such as the blow by European authorities against the Emotet infrastructure in January. The attacks with the Emotet malware paved the way for encryption Trojans. In retrospect, however, the investigators’ successes have little lasting effect – the ransomware hydra are reliably growing new heads.
Investigators repeatedly see evidence that many gangs are actually operating from Russia and other ex-Soviet states. The think tank RUSI provides another indication in its study. The researchers evaluated 1,200 blog entries from ransomware gangs and found that the attacked organizations came from a total of 63 countries, but that there was not a single victim headquartered in Russia.
This pattern is unlikely to change in the future, despite attempts by US President Biden to persuade Russia to cooperate. At his Geneva press conference, Putin denied the allegation that the attacks came from Russia and said his authorities had always responded to requests from American investigators. What we do not know is what Putin replied to Biden’s question about how he would feel if a ransomware attack on Russian pipeline operators were to occur.
In issue 15/2021 we tested Chromebooks and checked out their Chrome OS operating system, which has long been more than just a browser. We will also show you how you can upgrade your home office cost-effectively and comprehensively – from the PC to the peripheral devices to the network. C’t editor Urs Mansmann has tested suitable mobile phone tariffs for home office, which offer 15 GByte or more. We also explain the cryptography learning tool CrypTool 2, tested premium notebooks and looked at ESPHome, a low-code solution for smart home projects. You will find issue 15/2021 from July 2nd in Heise shop and at the well-stocked newspaper kiosk.