Image: Ransomware (© pexels.com/Soumil Kumar)

Ransomware: A lucrative source of income for cybercriminals

New ransomware attacks make the headlines almost daily. The attacks are simple, lucrative, and there is no shortage of victims. That just attracts more cybercriminals.

Quick and straightforward attack patterns are driving a sharp increase in ransomware attacks. The damage is often greater than expected: businesses then have to contend with lengthy downtimes.

Losses caused by ransomware have become an everyday occurrence. There is no shortage of examples, and the head of the district authority in Anhalt-Bitterfeld even declared a disaster recently: payment of all social services had come to a standstill, and vehicle registrations were no longer possible. It was estimated it would take three to six months before all the systems would be back to normal again. Eight hundred employees were affected and the majority were unable to do their jobs. A few days later, the municipal council of Geisenheim in Hesse and the hospital in Wolfenbüttel, Lower Saxony, were also targeted.


Large sums with little effort

Underlying these cyber-attacks is a lucrative, cleverly thought-out “business model”, which security experts have now thoroughly investigated. The main objective is still to extort ransoms to free up encrypted IT systems. Because the amounts involved are regularly in the tens of millions, the target group comprises large businesses and public institutions. The “revenues” are there to be seen: DarkSide, a highly active group in recent times which was responsible for the attack on the Colonial Pipeline in the US, has reportedly bagged more than $10 million per month. For its system to work, the hacker group even maintains its own customer service. The cybercriminals operate dedicated servers for customer support and negotiations with parties prepared to pay, and also have special employees for the purpose. They often grant quite large “discounts” when negotiating ransoms. If a “wrong victim” falls into the net, as happened with the Irish healthcare system, for example, they release the key to the encrypted data without payment, assist with the decryption, and insist they do not want to harm anyone. This is meant to convey a noble and positive image that conceals their brutal and uncompromising approach. Everything is meant to run as silently and as invisibly as possible – the criminals shun publicity. If their attacks make the headlines too often, they change their name or dissolve and form new groups before the major prosecutors such as the FBI apply their boundless energy to the hunt.


Major damage even with no ransom

But the damage is still extensive even if the attack is unsuccessful and no ransom is paid. The affected businesses often have to take their IT systems off the network to determine which systems have been compromised. It may happen that backups have to be restored and systems reinstalled. That costs a lot of time, during which employees cannot do their jobs because the IT systems are unavailable. If the extent to which the systems have been compromised cannot be established, all the systems often have to be reinstalled. That means a huge increase in cost and effort, and it can take weeks or even months. Very few businesses are prepared for such a major loss event. Then there is the huge time pressure, since the attackers threaten their victims with disclosure or sale of stolen data if payment is not made within a short period, often just a few hours or days.

And the cyber-gangs' activities extend further still. Like other groups, the DarkSide gang, which has only been active since last summer, also engages in a kind of franchising, Ransomware as a Service (RaaS). This involves leasing their malware and infrastructure to partner entities that then attack their victims. In return, the gangs demand 20 to 40 percent of the proceeds. There seems to be plenty of demand, since the gangsters are free to choose their partners. “The basic precondition for a candidate looking to participate in a top-level RaaS partner programme is generally evidence they enjoy compromised access to lucrative corporate networks,” reports security specialist Intel 471. To prevent western prosecutors and security researchers from infiltrating these partner programmes, some RaaS gangs also demand native-speaker Russian-language skills or local and cultural knowledge about Russia and the countries of the former Soviet Union.

Author: Uwe Sievers