The future of ransomware

Excerpt from Sophos 2022 Threat Report

Ransomware has staked its claim as a major element of the cybercriminal ecosystem. As one of the most
potentially damaging and costly types of malware attacks, ransomware remains the kind of attack that
keeps most administrators up at night, a Keyser Söze of the internet. As we move into 2022, ransomware
shows no sign of slowing down, though its business model has gone through some changes that seem
likely to persist and even grow over the coming year.

Ransomware-as-a-service subsumes attacks by solo groups

Over the past 18 months, the Sophos Rapid Response team has been called in to investigate and remediate
hundreds of cases involving ransomware attacks. Ransomware isn’t new, of course, but there have been
significant changes to the ransomware landscape over this period: the targets have shifted to ever-larger
organizations, and the business model that dictates the mechanics of how attacks transpire has shifted.

The biggest change Sophos observed is the shift from “vertically oriented” threat actors, who make and
then attack organizations using their own bespoke ransomware, to a model in which one group builds the
ransomware and then leases the use of that ransomware out to specialists in the kind of virtual breaking-and-entering that requires a distinct skill set from that of ransomware creators. This ransomware-as-a-service (or RaaS) model has changed the landscape in ways we couldn’t predict.

Sophos Rapid Response, reason for incident response engagements 2020-2021

While ransomware attack response accounted for most of the incidents the Sophos Rapid Response team was involved in during the
past year, it didn’t account for them all. Removal of Cobalt Strike Beacons, cryptominers, and even web shells also prompted extra attention,
especially in the days following the revelations of the ProxyLogon, and later ProxyShell, exploits, which resulted in a lot of people quickly
becoming familiar with how dangerous a web shell could be.

For instance, when the same group crafted and attacked using their own ransomware, those threat actors
tended to engage in unique and distinctive attack methods: one group might specialize in exploiting
vulnerable internet-facing services like Remote Desktop Protocol (RDP), while another might “buy” access
to an organization previously compromised by a different malware group. But under the RaaS model, all
these distinctions in the finer details of how an attack takes place have become muddled and make it more
difficult for incident responders to identify exactly who is behind an attack.

Sophos believes that, in 2022 and beyond, the RaaS business model will continue to dominate the threat
landscape for ransomware attacks, as this model permits experts in ransomware construction to continue
to build and improve their product, while giving experts in “initial access” break-ins the ability to focus on this
task with increasing intensity. We’ve already seen these RaaS threat actors innovate new ways to break into
progressively more well-defended networks, and we expect to see them continue to push in this direction in
the year to come.

Ransomware families investigated by Sophos Rapid Response, 2020-2021

Nearly four in five calls to Sophos Rapid Response service came as the result of a ransomware attack, and among those calls, Conti
was the most prevalent ransomware we encountered, at 16% of engagements. The next most frequent were the three Rs – Ryuk, REvil,
and Ragnarok – who together accounted for the next 28% of attacks. Among the remaining 56% of incidents, we encountered ransomware
under 39 different names.

Expanding extortion

Ransomware is only as good as your backups, or so an adage might go if any existed. The truth of this
statement became the basis for one of the most devastating “innovations” pioneered by some threat actor
groups involved in ransomware schemes in the past several years: the rise of extortion in ransomware

Increasingly, large organizations have been getting the message that ransomware attacks were costly but
could be thwarted without the need for a ransom payment – if the organization kept good backups of the
data the attackers were encrypting and have been acting on it by engaging with large cloud backup firms
to keep their systems cloned. After all, if, for instance, you only lost one day’s worth of work, it would be a
manageable loss, completely survivable for the targeted organization, if they chose to restore from backups
rather than pay the ransom.

Atom Silo, like many ransomware threat groups, engages in extortion with a threat of leaking sensitive information, as well as
maliciously encrypting files.

We have to presume that the ransomware groups were also getting the message because they weren’t
getting paid. They took advantage of the fact that the average “dwell time” (in which they have access
to a targeted organization’s network) can be days to weeks and started using that time to discover an
organization’s secrets—and move everything of value to a cloud backup service themselves. Then, when the
ransomware attack struck, they’d layer on a second threat: pay up or we release your most sensitive internal
documents, customer information, source code, patient records, or, well, anything else, to the world.

It’s a devious ploy and one that put ransomware attackers back on their feet. Large organizations not only
face a customer backlash – they could fall victim to privacy laws, such as the European GDPR, if they fail to
prevent the release of personally identifiable information belonging to clients or customers, not to mention
the loss of trade secrets to competitors. Rather than risk the regulatory (or stock price) fallout from such
a disclosure, many of the targeted organizations chose to pay (or have their insurance company pay) the
ransom. Of course, the attackers could then do whatever they wanted, including selling that sensitive
competitive data to others, but the victims found themselves unable to resist.

There have been cases, however, where the normal forms of ransom and extortion were still insufficient
motivation for the victims to pay a hefty ransom. In a limited number of cases, the Sophos Rapid Response
team was informed by the victim organization that they’s begun to receive phone calls or voicemails from
someone who claimed to be associated with the ransomware attackers, repeating the threat that the
attackers would publish the victim’s internal data unless they received their ransom payment.

And as 2021 moved to a close, at least one ransomware group published a press release (of sorts) that
stated they would no longer work with professional firms that negotiate on behalf of businesses with
ransomware attackers. The overt threat leveled against ransomware targets was this: If you speak with or go
to the police or work with a ransomware negotiation firm, we will instantly release your information.

There have been some bright spots on the horizon, however. In September 2021, the U.S. Treasury
Department enacted financial sanctions against a Russia-based cryptocurrency broker and market, which
the government alleges had been widely used as an intermediary for ransom payments between victims
and attackers. Small steps such as this may offer a short-term solution, but for most organizations, we
remain consistent on our basic advice: it’s far better to avert a ransomware attack by hardening your attack
surfaces than to have to deal with the aftermath.

Sophos expects that threats of extortion over the release of data will continue to be a part of the overall
threat posed by ransomware well into the future.

Contact us to discuss your needs and implement the right Sophos security products that will protect your business from the ever growing threat of ransomware.