The economics of ransomware: how the pattern of attacks is evolving


Not individual criminals but an ecosystem, indeed an enterprise, that increases the complexity and power of cyber attacks: human-operated ransomware, increasingly sophisticated and targeted, prevails, and as many as one-third of targets are successfully compromised. All successful attacks have in common weak protection and poor IT hygiene on the part of the affected organisation. These are the data emerging from the Microsoft Digital Defense Report 2022, an overview of the state of cybercrime, the scope and scale of threats, and the need for prevention as the first line of defense.

Understanding the economics of ransomware

One of the most interesting aspects of the report is its focus on the economics of ransomware, a true parallel market: contrary to the popular ransomware narrative, it is rare for a single malware variant to be created and operated by a single entity or group.

In short, forget the stereotype of the evil lone genius malware author. In recent years we have witnessed the emergence of a veritable criminal ecosystem composed of separate entities that create the malware, gain access to the victims' networks and data, distribute the ransomware, and handle the extortion negotiations.

A complex ecosystem, a veritable industry operated by the malware developers who create the tools; the access brokers, some of them top-tier, who specialise in high-value networks and are capable of breaking into a system and selling that access to third parties; and the encryption and extortion service providers who, through subscriptions, membership programs or one-time licenses, allow attack capabilities to be "rented" (RaaS, Ransomware as a Service).

The attacks are getting bolder and the impact increasingly significant. The report highlights how an “industrialized” ransomware model has developed in recent years, a criminal economy franchise of sorts where various figures cooperate as part of a criminal network and make sophisticated tools available – even to less experienced attackers – creating an ever-expanding reservoir of attacks and threats that can potentially reach more and more targets.

Different parties with different techniques, goals and skills devote themselves to studying access methods and provide progressively more efficient services: the operators of this black market can buy access to organisations' networks, including those of government bodies (access obtained through malware, brute-force attacks and exploitation of known vulnerabilities), but also services such as payload distribution, ransom demand management and monetisation, and even ransom negotiation (conducted by RaaS specialists rather than by their "customers"). Various extortion support services are often included in the package: from leak site hosting and decryption to payment reminders and cryptocurrency transaction services.

The vulnerability survey

The report records not only nation-state attacks, whose share aimed at critical infrastructure rose from 20 to 40 percent of the nation-state activity detected by Microsoft, in conjunction with the Russia-Ukraine conflict, but also steady growth in the effectiveness and pervasiveness of criminal techniques that are not necessarily aimed at institutions or tied to the geopolitical situation, and that target administrations and companies of all sizes.

The attacks potentially affect all devices and infrastructure, particularly the most critical ones, such as those related to health care.

Microsoft observes 921 password attacks per second, a 74 percent increase in a single year, steady growth in phishing campaigns, and ransom demands following ransomware attacks that have more than doubled. The field survey also shows that in 93 percent of the ransomware recovery engagements investigated, insufficient controls over privileged access and lateral movement were a contributing factor.
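Nine hundred password attacks a second cannot be handled one alert at a time. The following is an added example, not code from the Microsoft report or from the original article, of how a SOC turns raw failed-logon events into a handful of actionable alerts: it distinguishes brute force against one account from password spraying, where the attacker tries a few passwords against many accounts and never trips a per-account lockout. The log line format, the thresholds, the addresses and the account names are all assumptions constructed for the example.

```python
"""
Added example: a detector that aggregates failed-logon events into a few
high-signal alerts. It is not code from the Microsoft report or from the
original article. The log format, thresholds, addresses and account names
below are assumptions constructed for the example.

Two patterns are flagged per source address within a sliding time window:
  * brute_force    - many failures against one account
  * password_spray - a few attempts each against many accounts, which stays
                     under per-account lockout thresholds and so survives
                     naive per-account alerting
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them to the environment.
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 20   # failures against a single account
SPRAY_DISTINCT_USERS = 10   # distinct accounts tried from one source
SPRAY_MAX_PER_USER = 3      # sprays stay below a typical lockout of 5


def parse_line(line):
    """Assumed line format: '<ISO timestamp> <source-ip> <user> <FAIL|OK>'."""
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome


def detect(lines, window=WINDOW):
    """Return a list of (alert_type, source_ip, detail); at most one alert of
    each type per source, however many raw failures it produced."""
    failures = defaultdict(list)            # src -> [(timestamp, user)]
    for line in lines:
        ts, src, user, outcome = parse_line(line)
        if outcome == "FAIL":
            failures[src].append((ts, user))

    alerts = []
    for src, events in failures.items():
        events.sort()
        flagged = set()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # drop events outside the window
                start += 1
            per_user = Counter(u for _, u in events[start:end + 1])
            top_user, top_count = per_user.most_common(1)[0]
            if top_count >= BRUTE_FORCE_FAILURES and "brute_force" not in flagged:
                flagged.add("brute_force")
                alerts.append(("brute_force", src,
                               f"{top_count} failures for {top_user}"))
            if (len(per_user) >= SPRAY_DISTINCT_USERS
                    and top_count <= SPRAY_MAX_PER_USER
                    and "password_spray" not in flagged):
                flagged.add("password_spray")
                alerts.append(("password_spray", src,
                               f"{len(per_user)} accounts, at most {top_count} attempts each"))
    return alerts


def build_sample_log():
    """Constructed events: one spraying host, one brute-forcing host, and a
    legitimate user who mistypes a password twice and then succeeds."""
    base = datetime(2022, 11, 3, 8, 0, 0)
    lines = []
    # 10.0.0.5 tries 2 passwords against each of 12 accounts, 20 s apart
    for i in range(12):
        for j in range(2):
            t = base + timedelta(seconds=20 * (2 * i + j))
            lines.append(f"{t.isoformat()} 10.0.0.5 user{i:02d} FAIL")
    # 203.0.113.7 hits the same service account 25 times in two minutes
    for k in range(25):
        t = base + timedelta(seconds=5 * k)
        lines.append(f"{t.isoformat()} 203.0.113.7 svc_backup FAIL")
    # 192.168.1.20 is noise, not an attack
    for k, outcome in enumerate(["FAIL", "FAIL", "OK"]):
        t = base + timedelta(seconds=60 * k)
        lines.append(f"{t.isoformat()} 192.168.1.20 alice {outcome}")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(*alert)
```

Run on the constructed log, the detector produces exactly two alerts (a spray from 10.0.0.5 and a brute force from 203.0.113.7) out of 51 failure events, and stays silent on the user who merely mistyped a password. The spray rule is the one worth noting: each account saw only two attempts, so any rule keyed on the account rather than on the source would have missed it.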

Defensive strategies against ransomware attacks

An effective and long-lasting defense strategy against ransomware cannot do without multi-factor authentication (MFA), timely application of security patches, a security operations center (SOC), and a Zero Trust approach applied to the whole extended perimeter. High security standards and timely audits combat attacks through careful prevention, which also implies a change of mindset on the part of decision makers and management: act early, precisely because human-operated ransomware attacks are unpredictable and fast.

It sounds incredible, but even today a sophisticated ransomware attack can start with the compromise of a single privileged account belonging to a system, domain or network administrator.

Some actions to put into practice to defend against attacks  

Secure credentials and check their degree of exposure

Perform cloud hardening

Reduce SOC alert fatigue by hardening the network to cut alert volume and reserve analyst effort for high-priority incidents

Study and understand the extended perimeter to be protected and reduce the attack surface

Equip yourself with ransomware recovery tools

Let's briefly elaborate on the last point. It is important to have immediate visibility into the extent of the damage and to start rapid recovery from uncompromised backups, so that important files are restored and business continuity is resumed quickly. This is possible through solutions that integrate with common security automation frameworks and that not only enable full or partial recovery on demand, but also store data in immutable backups that ransomware cannot alter or delete, detect unusual activity and anomalies through proactive analysis of behavioural patterns, and, in the event of an attack, provide a diagnosis and impact analysis of the encrypted and sensitive data (for example personally identifiable or health data) that may have been exposed. Such solutions contribute to a secure architecture that includes the measures mentioned earlier, multi-factor authentication and Zero Trust.

Among other protective measures, we cannot fail to mention the choice of S3-compatible object storage that is fully and continuously maintained. Optimised, scalable and secure storage, such as cloud services with geo-distributed, S3-compatible anti-ransomware backups, supports a proper and immediate disaster recovery approach: end-to-end encrypted clouds that protect sensitive data, compatible with the Amazon S3 ecosystem, and ideal for a scalable and secure hybrid and multi-cloud strategy.
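"Immutable" is a claim that should be verified rather than taken from a brochure. On Amazon S3 and compatible stores the property comes from versioning plus Object Lock in COMPLIANCE mode; GOVERNANCE mode can be bypassed by any principal holding s3:BypassGovernanceRetention, which is exactly the permission an intruder with administrative cloud credentials tends to have. The following is an added example, not code from the original article or from any vendor's product, that assesses a backup bucket from the two configuration objects boto3 returns; the minimum retention period and the two sample configurations are assumptions constructed for the example.

```python
"""
Added example: a check that an S3-compatible backup bucket is really
immutable. It is not code from the original article or from any vendor's
product. The minimum retention and the two sample configurations are
assumptions constructed for the example.

Operators who obtain cloud credentials delete or overwrite backups before
encrypting production data. Versioning plus Object Lock in COMPLIANCE mode
makes every object version undeletable for the retention period, even for
the account's root user; GOVERNANCE mode can be bypassed by any principal
holding s3:BypassGovernanceRetention. The functions below evaluate the
dictionaries that boto3's get_bucket_versioning() and
get_object_lock_configuration() return.
"""

MIN_RETENTION_DAYS = 30   # assumption: at least one full backup cycle


def assess_backup_bucket(versioning, lock_cfg, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: an overwritten object is simply lost")
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock disabled: objects can be deleted at any time")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode is {mode or 'unset'}, not COMPLIANCE")
    # Object Lock expresses retention as Days or Years; treat a year as 365 days
    days = retention.get("Days") or retention.get("Years", 0) * 365
    if days < min_days:
        findings.append(f"default retention of {days} days is below the required {min_days}")
    return findings


# Constructed configurations in the shape boto3 returns them.
WEAK_VERSIONING = {"Status": "Suspended"}
WEAK_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}

HARDENED_VERSIONING = {"Status": "Enabled"}
HARDENED_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}


def fetch_live(bucket):
    """Read the same two configurations from a real bucket. Needs boto3 and
    credentials with s3:GetBucketVersioning and
    s3:GetBucketObjectLockConfiguration; not called in this example."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    versioning = s3.get_bucket_versioning(Bucket=bucket)
    try:
        lock_cfg = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] != "ObjectLockConfigurationNotFoundError":
            raise
        lock_cfg = {}             # bucket was created without Object Lock
    return versioning, lock_cfg


if __name__ == "__main__":
    for name, v, lock in (("weak", WEAK_VERSIONING, WEAK_LOCK),
                          ("hardened", HARDENED_VERSIONING, HARDENED_LOCK)):
        print(name, assess_backup_bucket(v, lock) or ["ok"])
```

The weak configuration yields three findings (versioning suspended, GOVERNANCE mode, a seven-day retention), the hardened one none. Two caveats when applying this to a real bucket: Object Lock requires versioning and the default retention rule applies only to objects written after it is set, so existing objects need their retention checked individually; and a backup bucket should live in a separate account from production, so that the credentials an intruder steals from production cannot reach it at all.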

SCAI Tecno is the game-changer in your most important games. We develop integrated IT solutions, manage infrastructure, support digitisation processes to empower your teams and play ahead in the most competitive markets: Industry 4.0, Manufacturing, Services and Utilities, Finance and Insurance, Web.
We transform ideas into effective technology processes and successful digital products, thanks to best practices and workflows proven by years of experience in the field.
