Why cyber gangsters extort ever higher ransom money with ransomware

Another driver of the development is the ransom money itself. From the victims’ point of view, the payments may appear understandable, because they are usually cheaper than the loss of revenue while the affected IT systems are rebuilt. Often, the encryption of data completely paralyzes the companies concerned. In the case of Symrise, a German manufacturer of fragrances and flavors, the Federal Criminal Police Office puts the damage caused by a “production and communication failure” at “several million euros per lost day”. Symrise had been attacked with ransomware by the Cl0p group.

But in the long run, the ransom money is disastrous. If word of such payments gets around in the underground, other criminals become more motivated to attempt ransomware attacks as well. The more money ends up in the underground, the easier it is for criminals to buy new exploits, service providers who disguise Bitcoin transactions, or social engineering specialists who handle the initial infection of the victims. And the more companies buy their way out, the more normal the process appears to other affected parties.

According to some experts, insurance companies also play a role in this. More and more organizations are taking out special cyber policies that also cover ransomware attacks. From the point of view of criminals, however, existing insurance is a very good argument in favor of increasing the ransom demand even further.

Law enforcement and cybersecurity agencies typically advise against paying ransom money. Some experts in the US and Europe are even calling for ransomware payments to be banned by law in order to cut off the attackers financially. In May, Axa became the first major insurance company to decide that it will no longer offer policies with ransom reimbursement in France. The company told US media that this was a response to concerns raised by the French government.

According to a survey by the security provider Sophos, paying the ransom is often only seemingly a simple solution: of the more than 1,000 companies surveyed that paid a ransom, only eight percent reported getting all of their data back. “Many had to save themselves by restoring backups or even typing data by hand, despite previous payment,” Sophos expert Michael Veit reports to c’t.

Experts see the pandemic-driven shift to working from home as another driver. This development has “undoubtedly increased the potential attack surface of target organizations”, writes the British think tank RUSI in a study published in March. The installation of new hardware and software has increased the risk of vulnerabilities and misconfigurations, and employees’ home IT may contain further gaps.

Law enforcement has so far been able to do little to stem the wave of extortion. There have been investigative successes, such as the blow by European authorities against the Emotet infrastructure in January; infections with the Emotet malware frequently paved the way for encryption Trojans. In retrospect, however, the investigators’ successes have little lasting effect – the ransomware hydra reliably grows new heads.

Investigators repeatedly see evidence that many gangs are actually operating from Russia and other ex-Soviet states. The think tank RUSI provides another indication in its study. The researchers evaluated 1,200 blog entries from ransomware gangs and found that the attacked organizations came from a total of 63 countries, but that there was not a single victim headquartered in Russia.

This pattern is unlikely to change in the future, despite attempts by US President Biden to persuade Russia to cooperate. At his Geneva press conference, Putin denied the allegation that the attacks came from Russia and said his authorities had always responded to requests from American investigators. What is not known is how Putin replied to Biden’s question about how he would feel if Russian pipeline operators were hit by a ransomware attack.