Over the past couple of years, ransomware attacks have proliferated. What was once a niche corner of hacker subculture is now a mainstream phenomenon. Most Americans were able to witness mainstream news profiling the ransomware shutdowns of the Colonial Pipeline, or the meat supplier JBS.
According to research from security provider SonicWall, 2021 saw an unprecedented 623.3 million ransomware attacks — more than double the 304.6 million ransomware attempts in 2020.
The reasons for this explosive ransomware growth are varied. Some attribute the rise to the recent adoption of digital tools, and the lack of awareness around security measures for them. This is a factor – but it’s not the only factor.
The three major, structural reasons for the steady uptick in ransomware attacks are:
- the rise of cryptocurrencies
- the emergence of RaaS (Ransomware-as-a-Service)
- the increasing sophistication of cybercriminal “safe havens” around the world
Let’s take a look at how these three trends contribute to this sudden, almost overwhelming increase in ransomware attacks, and find out what we, as potential victims, can do about them.
Ransomware: From 2019 to Today
In recent years, the ransomware situation has turned “from a trickle into a flood,” as TV show host John Oliver puts it in an August 2021 episode of his Last Week Tonight with John Oliver.
According to data presented by the late-night show host, the estimated total ransoms paid quadrupled to $350 million in 2020. This is based on data from the Institute for Security and Technology (IST).
Since 2020, things have gotten worse. In a study by Trend Micro, 84% of US organizations experienced ransomware or phishing attacks from 2020 to 2021. Worse still, about 50% of them rated themselves “ineffective overall at tackling phishing and ransomware.”
By the end of 2021, ransomware attacks had grown 105% over 2020: a mind-blowing 623.3 million ransomware attacks globally. Data has shown that 2021’s lowest month – March – had 36.3 million ransomware hits, which was still “more ransomware than all but one month (November) in 2020.”
Unfortunately, even this figure is likely a massive undercount, because most businesses are apprehensive about reporting ransomware attacks for fear of lawsuits or negative press. The real numbers are probably much worse.
Ransomware is such a plague because everyone is vulnerable. Every industry is under threat. Some high-profile examples:
- The ransomware attack on the Colonial Pipeline shut down one of the largest sources of fuel in the continental US. The company paid $5M in ransom, most of which has been recovered by authorities.
- A Russian ransomware gang paralyzed about 1,500 organizations when it successfully infected the managed service provider (MSP) Kaseya. According to investigators, the hackers broke into about 50 MSPs that used Kaseya’s products.
- The meat industry suffered a major disruption due to a ransomware attack directed at JBS, one of the world’s largest meat processing companies. According to reports, the company had to pay $11M worth of Bitcoin to get their meat plants back up and running.
These are just some of the examples of attacks that have happened in recent years. The growth of ransomware attacks has also caused chaos in city governments such as Colorado, New Orleans, Baltimore, and Atlanta. School districts, police departments, and hospital systems have all been targeted.
Why have ransomware threat actors suddenly become extremely bold? What are the reasons for this exponential increase in ransomware attacks?
The Role of Cryptocurrencies
The rise of cryptocurrencies has made it easier for hackers and bad actors to profit from ransomware. Before crypto, attackers had to resort to telling a victim to go to a corner store, buy a $100 gift card, and send them the code. In this scenario, tracing fiat currencies was easy for law enforcement.
Today, because of the inherently anonymous and decentralized nature of crypto wallets, authorities are having a hard time tracing the money taken as ransomware payments. Attackers choose Bitcoin and other cryptocurrencies because, “a bitcoin wallet is something you can possess and control without going through a third party,” according to Yaya Fanusie from the Center for a New American Security.
Bitcoin transactions can be traced, but scammers and hackers are aware of this. So they move their illicit profit through hundreds, even thousands of transactions across a dozen or so wallets. They employ ‘mixers’, which take an amount of crypto, break that up into smaller transactions, and ‘mix’ those with transactions from other people in the blockchain – further masking the paper trail.
While authorities have managed to recover most of the Bitcoin paid during the Colonial Pipeline attack, there are new cryptocurrencies on the market that are anonymous (completely hiding the user’s identity) rather than merely pseudonymous (shielding a user’s true identity behind a generated alphanumeric address that is still traceable through financial forensics).
One example is Monero, which promises a “private, decentralized cryptocurrency that keeps your finances confidential and secure.” It is virtually untraceable and, according to their explainer video, helps citizens “escape government repressions and nosy neighbors or crooks.”
Monero employs various methods to hide the identities of their senders and receivers, such as:
- Stealth addresses – one-time generated addresses that obscure public blockchain transactions
- Ring signatures – a digital signature that “can be performed by any member of a group of users that each have keys.”
Other cryptocurrencies that have robust built-in privacy features include:
- Zcash – implements zero-knowledge proofs, a cryptographic tool that obscures transaction amounts and allows participants to transact without seeing each other’s addresses.
- DASH – has a PrivateSend feature that obfuscates the origin of the transaction’s funds with a blockchain mixing protocol.
- Horizen – offers both public T-Addresses and privacy shielded Z-Addresses.
- Verge – protects user identities through The Onion Router’s (TOR) technology and the Invisible Internet Project’s (I2P) encryption.
- Beam – a security-focused token where all transactions are private by default and no private information from the sender or receiver is stored on the blockchain.
Aside from Horizen, Zcash also uses T- and Z-addresses. Basically, a T-address is a crypto-address whose transactions can be viewed publicly. Z-addresses, meanwhile, are shielded addresses for users who want to remain anonymous on the blockchain they are using.
The emergence of RaaS has also spurred this increase in ransomware attacks.
A nefarious product of the cybercriminal market, ransomware-as-a-service (RaaS) was created for people and parties that want to execute ransomware attacks but don’t have the tools, expertise, or time to do so themselves.
This off-the-shelf type of ransomware attack can be alarmingly easy to trigger. Anyone can make an attack happen without writing a single line of code; they can order an attack as if simply clicking “add to cart” on any e-commerce site.
The fact that the typical RaaS “business” has better customer service than your ISP adds insult to injury. Jake Williams, a cybersecurity consultant who helps towns and municipalities hit with ransomware attacks, describes how RaaS operators walk their victims through the ransom payment step by step:
“I think in the movies we picture that these attackers are the big bad, ‘F.U.’ type guys. Over the last couple of years we’ve seen a move toward full customer service. Honestly, I wish my Internet Service Provider had customer service like these guys do.”
Some of the most notable RaaS providers are Cerber, which earned $2.5M annually and was known as the largest RaaS ring in 2016, and REvil (aka Sodinokibi), which zeroed in on large businesses and allegedly earned $100M within a year.
These are sophisticated outfits that offer 1:1 bespoke services and have established reputations within the cyber underworld. By filling the RaaS niche, they have opened up the potential for ransomware attacks to a much broader field of actors – essentially, to anyone with money and means.
National Safe Havens for Attackers
Ransomware growth has also been influenced by the fact that certain countries and territories have become “safe havens” for attackers.
Russia, in particular, ignores threat actors within its borders, as long as they do their ‘work’ outside of Russia. According to the New York Times:
“Cybersecurity experts say the ‘don’t work in .ru’ stricture, a reference to Russia’s national domain suffix, has become de rigueur [demanded by custom] in the Russian-speaking hacking community, to avoid entanglements with Russian law enforcement. The Russian authorities have made it clear they will rarely prosecute cybercriminals for ransomware attacks.”
North Korea is also considered a safe haven for ransomware hackers and cybercriminals alike. According to The New Yorker:
“North Korea’s cybercrime program is hydra-headed, with tactics ranging from bank heists to the deployment of ransomware and the theft of cryptocurrency from online exchanges.”
In July 2021, the White House, along with its allies in the United Nations, accused China of abetting ransomware hackers in an effort to condemn China’s “malicious cyber activity.”
In a CNBC interview, Michael Orlando, acting director of the National Counterintelligence and Security Center, listed other countries that protect hackers within their borders, and explained how this problem is part of the center’s mission to counter ransomware incidents.
“We do know that countries like Russia and China, Iran and others certainly create safe havens for criminal hackers as long as they don’t conduct attacks against them. But that’s a challenge for us that we’re going to have to work through as we figure out how to counter ransomware attacks.”
National safe havens for ransomware attackers – and the explicit encouragement, or even direct involvement, of governments – allow attackers to thrive. They now have places where they can build large offices, recruit teams, and access powerful infrastructure – all without fear of reprisal.
Dealing with the Ransomware Trifecta
Cryptocurrencies, the rise of RaaS, and the existence of safe havens for hackers combine to fuel the increase in ransomware attacks.
Businesses need to improve their overall security to combat this swelling of digital risk. Many threat intelligence solutions online can help with this. Tools with robust detection and response capabilities can help businesses flag ransomware attempts and reduce recovery time should an attack succeed.
That said, prevention is always better than cure. Preventive measures will greatly reinforce your overall security stance and combat the continuous growth of ransomware attacks. Here are some good steps to take:
- Nicole Perlroth, author of the bestselling This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, says that “80% of the ransomware attacks we’re seeing right now come in through a combination of a stolen password or a phishing email, and a lack of two-factor authentication.” Encourage your employees to turn on 2FA, yesterday!
- Ensure your software and systems are constantly patched and updated.
- Use endpoint detection and response (EDR) tools to monitor your systems for indicators of attack (IOA).
- Keep a backup of your data and regularly do test restorations to keep your response protocols fresh and up to date.
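The “test restorations” step above, as an added example (not the article’s or Dropsuite’s own code): it archives a constructed sample directory, restores it into a scratch location, checks every restored file against a SHA-256 manifest taken at backup time, and then shows that a silently altered restored file is caught. Directory names, file names and sample contents are assumptions.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    # Whole-file read is fine for a drill; stream in chunks for multi-GB mailboxes.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write src into a gzip tarball and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for child in src.iterdir():
            tar.add(child, arcname=child.name)
    return manifest

def restore(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        # On Python 3.12+ (and backports) the 'data' filter refuses path-traversal members.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)

def verify_restore(dest: Path, manifest: dict[str, str]) -> list[str]:
    """Compare the restored tree with the manifest; an empty list means the drill passed."""
    restored = build_manifest(dest)
    problems = [f"missing: {rel}" for rel in manifest if rel not in restored]
    problems += [f"corrupted: {rel}" for rel, d in manifest.items()
                 if rel in restored and restored[rel] != d]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return sorted(problems)

def restore_drill() -> tuple[list[str], list[str]]:
    """Drill on a constructed sample tree: (clean-restore result, result after one file is altered)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest, archive = Path(tmp, "live"), Path(tmp, "restore_test"), Path(tmp, "backup.tar.gz")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("quarterly plan\n")
        (src / "mail.mbox").write_bytes(b"From: ops@example.test\n" * 200)  # constructed sample data
        manifest = make_backup(src, archive)
        restore(archive, dest)
        clean = verify_restore(dest, manifest)
        (dest / "docs" / "notes.txt").write_text("edited\n")  # simulate silent corruption
        return clean, verify_restore(dest, manifest)
```

Run the drill on a schedule against a real backup set and treat any non-empty result as an incident: a restore that cannot reproduce the manifest is not a backup you can rely on after a ransomware event.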
Deploying a good backup and recovery solution ensures data security and quick recovery in case of attacks. Businesses can guard themselves against the sudden increase in ransomware attacks, mitigate data loss, and alleviate data breach costs by keeping fully recoverable copies of their data. Dropsuite can help.
Dropsuite’s automated, ongoing, cloud-based backup solution maintains complete copies of your data and files – from your emails, to your chats, to your data stored in Microsoft 365 and Google Workspace.