Ransomware: Why we're now facing a perfect storm

Normalising the act of paying a ransom to cyber criminals does nothing to protect anyone against ransomware, warns report.
Written by Danny Palmer, Senior Writer

Ransomware is becoming more successful than ever before because of a combination of factors that allow cyber criminals to easily gain access to corporate networks – and they're finding success because a significant number of organisations that fall victim to attacks are willing to pay the ransom.

A report by defence think tank the Royal United Services Institute (RUSI) and cybersecurity company BAE Systems warns that a 'perfect storm' of conditions has come together and allowed ransomware attacks to run rampant against organisations around the world.

Those elements range from how easy it is for cyber criminals to acquire and distribute ransomware, and the frequency of ransomware payouts, to the way the COVID-19 pandemic has made it simpler for malicious hackers to gain entry to networks.


But it's the way in which enough victims of ransomware are paying ransoms that ultimately helps encourage cyber criminals to pursue this line of attack – and normalises the act of giving in to the ransom demands.

"The more organisations that pay a ransom, the more acceptable the notion of paying a ransom to solve the problem becomes," the paper warns, adding that the ability to claim ransom payments back via cyber insurance may further encourage payments to criminals.

And with the rise of ransomware as a service, it's relatively simple for even low-skilled cyber criminals to get involved with ransomware. The attackers pay a fee or a subscription for pre-packaged ransomware, which they can then use as part of their attacks.

Some of these as-a-service offerings are relatively small-time, while others such as REvil result in attacks where victims pay out hundreds of thousands of dollars – with the authors of the ransomware getting a cut of the fee.

Keen to make as much money as possible, many ransomware operators will publicise their offerings on underground forums to attract as many users as possible, complete with customer service.

"Recent evidence suggesting that ransomware operators are on active recruitment drives for new talent are a concerning sign that the scale of the threat is still increasing," warns the research paper.

Ransomware groups are always evolving and this has also helped contribute to the success of the attacks. Ransomware attacks were already proving effective, but the attackers behind Maze added another weapon to force victims to pay up – threatening to leak stolen data if the ransom isn't paid.

Following its success, this "double extortion" technique has been adopted by a number of other ransomware groups, which are using it as an additional method to coerce victims into paying the bitcoin ransom.

The range of ways that cyber criminals can gain access to networks is also adding to the success of ransomware. Attack methods such as phishing, brute-force attacks looking to crack weak passwords on Remote Desktop Protocol (RDP) services, or the abuse of technical vulnerabilities are all playing a part in allowing ransomware attackers to gain the access to systems that they require.


Something that has helped cyber criminals gain a foothold in networks for ransomware attacks is the boom in remote working. With employees working from home and relying on email and remote services more than ever before, cyber criminals have been taking advantage by exploiting the reduced security of remote employees as a stepping stone to installing ransomware on corporate systems.

Ultimately, the report concludes, ransomware attacks will only stop if ransomware becomes unprofitable – and that relies on organisations becoming secure enough to not fall victim to attacks in the first place, so never having to even consider paying a ransom due to an attack.

Recommendations on securing networks include ensuring the timely patching of critical vulnerabilities and the use of multi-factor authentication wherever possible, along with reinforcing phishing awareness training.

