RANSOMWARE: A look at the criminal art of malicious code, pressure, and manipulation

GOALS

The goals of this paper are to demonstrate how dangerous ransomware has become, describe the latest techniques used by ransomware gangs, and suggest what your organization can do to reduce exposure to, and damage from, ransomware attacks. Three ransomware attack vectors are addressed in this order: remote access, email, and supply chain.

RANSOMWARE — CYBERTHREAT AT ITS WORST

A ransomware attack can be defined as an attempt to extort an organization by denying it access to its data. Ransomware is a subset of malware, a collective term for all forms of malicious code, including computer viruses and worms.

Ransomware is probably one of the most serious cyberthreats your organization will face. Why? Because in the past few years criminal gangs creating this type of malware and running ransomware as a service have been perfecting a different, more targeted approach to these kinds of attacks — for which metrics are much harder to obtain.

Cybercriminals are also constantly coming up with new approaches to ensure that they receive the sum they ask for, usually by increasing the pressure on the victim. In 2019, they started to rely on double extortion, which combines the “usual” data encryption with data exfiltration. In this way, they not only prevented access to the victim’s valuable, critical, or otherwise sensitive files, but could also leak or sell them to other malicious actors.

Upping the ante further, some ransomware operators have adopted triple extortion, adding the further step of contacting business partners or customers of victims that have not paid the ransom demand. The cybercriminals inform the victim’s partners/customers that their sensitive data has been accessed as part of the ransomware attack, suggesting these partners/customers pressure the ransomware victim to pay up to prevent this data being released. In some cases, the attackers even demand payment from these partners/customers.

Recent years have seen a shift away from victimizing large numbers of random people while requesting ransom demands of modest sums, toward a targeted approach making much larger ransom demands from a smaller victim pool. That group features deeper pockets and members who can ill afford to lose access to their data or control over it.