Ransomware: Why it's still a big threat, and where the gangs are going next

Ransomware attacks are still lucrative for cyber criminals because victims pay ransoms -- and the threat is still evolving.
Written by Danny Palmer, Senior Writer

Ransomware has been a cybersecurity issue for a long time, but last year it went mainstream.  

Major ransomware attacks like those on Colonial Pipeline, the Irish Healthcare Executive and many others demonstrated how significant the problem had become as cyberattacks disrupted people's lives.

What was once a small cyber-criminal industry based around encrypting files on personal computers and demanding a ransom of a few hundred dollars for a decryption key had evolved into a massive ecosystem designed around holding critical services and infrastructure to ransom -- and making extortion demands of millions of dollars.

No wonder Lindy Cameron, head of the UK's National Cyber Security Centre (NCSC), has described ransomware as "the biggest global cyber threat".

Ransomware is continually evolving, with new variants appearing, new ransomware groups emerging, and new techniques and tactics designed to make the most money from attacks.

And as the recent Conti ransomware leaks showed, the most successful ransomware gangs are organised as if they were any other group of software developers. 

"They are really acting like a business. Aside from the fact they're not legitimately registered, they really are. They're functioning like a real business and sometimes the number of people within these organisations is bigger than some startups," says Christine Bejerasco, CTO at WithSecure. 

"They have shown a lot of resilience and a lot of agility in adapting to what's new," she adds. 

It's this resilience and an ability to adapt that has resulted in a string of ransomware attacks around the world, often with cyber criminals walking away with millions of dollars.

And that just accounts for the ransomware incidents we hear about -- many simply don't get reported.

"The main challenge is we don't know what the trends really are because most companies don't disclose incidents," says Brett Callow, threat analyst at Emsisoft. "You can't manage what you don't measure."

Ransomware attacks against smaller victims are going unreported 

While ransomware attacks against large organisations get noticed, a ransomware attack against a small or local business, where the victim quickly pays the ransom because they feel as if they've got no other choice, might not get reported at all.  

Individual attacks against smaller targets won't bring a huge payday like a successful attack on a big corporation would, but by chaining together a series of attacks against a range of smaller victims, ransomware attackers can still turn a substantial profit. 

Small and medium-sized businesses are unlikely to invest as much into cybersecurity as large businesses, so getting inside networks might prove easier. That means ransomware groups can hit several targets across a short period of time, which is crucial if they want to make as much money as possible. 

"They're obviously not going to get the same massive pay-outs as they could from a larger enterprise, which means that they need to go from the initial penetration to successful extortion much quicker," says Callow, who suggests going after smaller businesses also brings another advantage to cyber criminals. 

"Attacks on small businesses may not attract the same level of attention -- targeting local grocery stores may mean the risks of being pursued by US Cyber Command are somewhat less," he says.

After the Colonial Pipeline attack, the US Department of Justice managed to seize and return the majority of the multi-million dollar ransom payment that was made. And while it's still rare for individuals involved in ransomware attacks to be tracked down or arrested, it's possible that this direct action against the DarkSide ransomware gang's ability to make money shifted the outlook of cyber criminals. 

"Since that event, the reality is threat actors have changed their understanding of the world a little bit. They've seen consequences that up until that point they really hadn't seen before," says Sherrod DeGrippo, senior director of threat research and direction at Proofpoint. 

"Since then, we've seen other large ransomware events, but we haven't seen the indiscriminate hammering of everyone anywhere, the way that we had seen in the past," she adds. 

Ransomware is loud -- some criminals may turn to quieter alternatives 

Gangs could still be laying the foundation for a new wave of ransomware attacks -- or as DeGrippo suggests, some hacking groups could be turning their attention towards other cyberattacks that are less noisy but nonetheless profitable.

"We're going to see that initial access leveraged at scale, so it may be ransomware final-stage payloads, maybe something else -- we may see a big return to banking trojans," she says, adding: "There are options that are a lot quieter, under the radar, that still offer significant paydays, but don't catch the attention of law enforcement."

Trojan malware allows cyber criminals to steal sensitive information, including bank account details, from victims, giving them the opportunity to steal money directly from those victims.

There's another issue that could persuade some cyber criminals using ransomware to go down this path: cryptocurrency is volatile. So a ransom payment made in Bitcoin that's stored away could end up being worth a lot less by the time the attackers opt to cash out. For cyber criminals, it could be tempting to focus their attention on using malware to steal hard cash again. 

"You tell a threat actor you can get the equivalent of a million dollars of bitcoin today or you can get a million dollars hard currency out of a banking trojan transferred to wherever you're doing your money laundering -- I think a lot of them would take the cash right now," says DeGrippo. 

But that doesn't mean that ransomware is going away any time soon. While some may turn their gaze elsewhere, ransomware attacks are still a lucrative means of illicitly making money -- and ransomware attacks continue to evolve.

For example, ransomware groups now regularly target cloud applications as an entry point for attacks.

It seems inevitable that some of the most sophisticated, well-resourced ransomware gangs could turn their attention to compromising cloud service providers in attacks that wouldn't just affect one company, but thousands. 

That approach would give the attackers a lot of leverage to make a large ransom demand of their target -- one that might get paid quickly because of the widespread disruption. 

"If ransomware actors head in that direction, effectively encrypt the data in the cloud and hold those up for ransom, can you imagine if all the customer data in a service got encrypted because they managed to access an organisation and encrypted all the data? That would bring an organisation to its knees," says WithSecure's Bejerasco.

How to protect your network against ransomware attacks

Ransomware is a major cybersecurity threat, but there are steps that organisations of all sizes can take to help avoid becoming a victim. In most cases, ransomware gangs aren't looking to go after a specific target; they just exploit security vulnerabilities wherever they can find them.  

That's why it's important to apply security updates and software patches as soon as possible, especially when they're for critical vulnerabilities, because that prevents cyber criminals from exploiting them to gain access to, or maintain persistence on, networks. Applying security updates across whole networks can be a challenge, but it's one of the most important things an IT department can do to keep the business safe from cyberattacks. 

Multi-factor authentication (MFA) can also provide an important defence against ransomware and other cyberattacks. Many ransomware campaigns begin with cyber criminals stealing usernames and passwords and exploiting them to move around networks. Rolling out MFA to users makes it harder for cyber criminals to use stolen passwords. Unexpected login notifications can indicate that something is amiss and needs investigation. 

It's also useful to ensure that employees are using unique, complex passwords that can't be easily guessed -- or cracked with brute-force attacks -- to help make the network as robust as possible against unauthorised intrusions. 

And as ransomware is based around encrypting data, it's vital that organisations regularly back up their data -- and do so offline. Then, if the worst happens and the network is hit with ransomware, there's the option of restoring the data without paying a ransom to cyber criminals, although the rise of double-extortion attacks means stolen data could still be published if the ransom isn't paid.

Law enforcement and government officials strongly discourage businesses from paying ransom demands. Not only does it encourage further ransomware attacks, but you also don't know who you're paying -- and your cash could be going to a sanctioned or rogue state.

But whether a victim decides to pay a ransom or not, according to DeGrippo, it's vital that a plan is made in advance about what to do -- because having a strategy set out in advance is far preferable to making one in a panic after falling victim to a ransomware attack.

"Each organisation must decide how they will handle the ransomware event well in advance of the ransomware event happening, and yes, that includes the dollar amount that you will or will not pay," she says.

"These are not fun discussions to have. But they're incredibly devastating and painful to have while a ransomware event is going on."