The first such attack, the AIDS Trojan of 1989, required a $189 ransom sent to a P.O. box in Panama to obtain a decryption key. Today, some sophisticated cyberattackers are basing their ransom demands on the cyber insurance coverage of their victims, with sliding scales to ensure the largest payments per victim.
By stealing corporate data that lists insurance coverage—either from the insurance companies themselves or from their customers’ corporate files—criminals now can create bespoke demands for each target. Sometimes attackers use open source intelligence, such as news articles about cyber insurance, or information found in SEC filings and on company websites, to tailor an attack for prey.
Corporate victims of ransomware attacks are in a catch-22 situation when it comes to paying attackers. Depending on the size of the ransom, it can be a business decision to simply pay and hope the decryption codes work, but federal laws against funding sanctioned terrorists can put companies in legal jeopardy if they make ransom payments.
A new wrinkle vexing ransomware victims is the dual demand: one payment for a decryption key to unlock data encrypted by the malware, and a second payment to keep the attackers from distributing the stolen data on the Dark Web. Recently, at least three ransomware gangs began explicitly warning victims that they would publish the stolen data if the victims reported the attacks to federal agencies.
Popular malware distributed via phishing includes Locky, Cerber, and Nemucod. This classic attack asks victims to simply click on an attachment, often with unassuming names such as “Telephone Number List” or “Corporate Holidays.”
Another common ransomware tactic takes the form of an email that claims the attacker recorded the victim using the victim’s own webcam. These claims are generally bogus, as there is normally no stolen video to release, but the threat alone is often sufficient to extort money.
As an unfortunately growing business, ransomware is branching out to the cloud—not just as an attack vector for the criminals, but also as a delivery source. Ransomware as a Service (RaaS) provides even non-technical criminals with the resources to launch effective attacks.
RaaS operates much like any other service operation: Attackers first select the ransomware payload and delivery method. Then the RaaS providers, sometimes referred to as “gangs,” offer the criminals who launch the attacks various payment options. These include a one-time service fee with no profit sharing; an affiliate program that includes a monthly fee plus profit sharing; a flat fee for the attack; or just profit sharing.
Attackers even offer customer support for victims who don’t know how to pay with cryptocurrency. The customer support personnel might need to walk the victim through not only the payment process, but also the remediation steps to decrypt the ransomed data.
Popular RaaS attacks include such malware families as REvil, which was used against Kaseya and thousands of other businesses on July 4, 2021, and the LockBit attack group, which has been active throughout 2021, particularly during the summer. LockBit, which describes itself as an “affiliate program,” reportedly has been working with other criminal groups such as REvil/Sodinokibi, DarkSide, and Netwalker.