During 2020, ransomware attacks more than doubled. Ransomware is a form of malware that works by encrypting databases and files on the infected platform and then demanding a ransom, which generally doubles after 72 hours. Typically, cybercriminals threaten to publish the victim’s personal data or block access to their information until the ransom demand has been met. Nonetheless, giving in to this blackmail involves additional risks. There’s no guarantee that the attacker will release the information, and the possibility of identifying the cybercriminal is almost nonexistent. Moreover, payments made in cryptocurrencies are extremely difficult to track and recover.
No one is safe from being infected by ransomware, but a trend is emerging in which attackers go after larger targets, such as banks, telecom companies, government agencies, and large enterprises and entities that have an impact on the public. Unfortunately, the focus has recently shifted towards health entities: hospitals, sanatoriums, and medical insurers, putting the public’s personal health data at risk.
The damage is amplified when considering that ransomware-as-a-service groups such as REvil will auction off personal data to the highest bidder. The ethical and legal implications of these scenarios, especially in the medical field, are beyond measure.
A Look into Recent Ransomware Trends
In spring of 2021, laptop maker Acer reported that it had suffered an infection from REvil ransomware and that the ransom demand was $50 million, a record. The gang targeted a Microsoft Exchange server on the company’s domain and leaked private financial documents.
Several security agencies and research groups agree that some ransomware gangs are collaborating with each other to gain strength and momentum, although this cannot be confirmed. Nonetheless, attacks are being performed at increasing speed, with the added advantage for the attackers that they remain largely anonymous.
For some time, we’ve known that four of the best-known and most active groups of cybercriminals are Twisted Spider, Viking Spider, Wizard Spider, and Lockbit Gang.
These groups are becoming more dangerous as they reinvest their proceeds to improve their ransomware operations. This includes expanding automated operations and regularly updating malware with more advanced features, making ransomware gangs increasingly dangerous going forward. Various investigations and scans of dark web forums and cyber intelligence information-sharing sites indicate that Twisted Spider and other gangs likely work together.
For instance, rumors have circulated that groups such as Twisted Spider and Lockbit Gang may have joined forces, and that a ransomware cartel was once in the works. Nonetheless, it appears to be a collaboration at best, as funds must be exchanged within a group for it to be considered a cartel. At present, the groups appear to have shared only their data breach sites, on which victim information is posted, and some infrastructure.
In the past, these four groups have reached out to journalists and have even made public statements. In particular, if a company refused to pay, Twisted Spider issued press releases criticizing the company. Viking Spider used Facebook ads and a “wall of shame” to expose them. Some of these actions resulted in groups disbanding or rebranding; for example, the group “Maze” was renamed “Egregor,” which is now one of the most rapidly growing ransomware families.
Increasing Risk Fueled by Automation
Wizard Spider, an experienced group commonly associated with Trickbot and the Ryuk ransomware that has attacked health systems, has developed an automated system to infect victims’ networks. While most ransomware attacks take several days or weeks from the initial compromise to actually launching the ransomware, automation could reduce this to hours. In general, ransomware is currently a fairly manual process, but as cybercrime organizations grow and acquire greater financial capacity, they will likely be able to increasingly leverage automation.
For its part, Lockbit Gang is also focused on automating its process. In one attack, a forensic report determined that the group infected the victim’s system, spread through its network, and ran ransomware in less than two hours. The group then presents itself as a support service that helps companies recover from crypto-malware for a fee (that is, the ransom).
The reality is that the cost and resources required to identify, arrest, and imprison cybercriminals are far greater than what governments are willing to dedicate to stopping these offenders. Unfortunately, Western governments are generally not prepared to investigate and prosecute cybercrime on a large scale, so cybercriminals will continue to have free rein and target high-profile victims until something changes.