Archive · 23 min read

What Makes Ransomware Successful and Why It Won't Ever Really Stop

Ransomware is absolutely everywhere. What is going on? Why is ransomware so effective? Is there anything we can do about it?

Ransomware is absolutely everywhere. All different types of companies from around the world are getting hit by this potentially devastating cybercrime.

What is going on? Why is ransomware so effective? Is there anything we can do about it?

This video essay gives you an overview of the crime, the technical details, the challenges in fighting it, and more.

References cited in the video are linked at the end of each chapter in the transcript below.

1. What Is Ransomware?

You’ve seen the headlines, ransomware is everywhere.

From a major fuel pipeline shutdown, to meat processing plants, to school districts, to health systems, you can’t hide from it.

The concept of ransomware is straightforward.

Criminals lock you out of your data until you pay them to regain access.

That’s it.

So if it’s so simple, why are criminals continually finding high profile victims around the world?

Cited in this section:

2. How Big Is the Problem?

This crime is on the rise for one simple reason. Money.

It’s estimated that ransomware cost companies $42 BILLION in 2020.

That covers the costs of ransoms and recovery. And that may even be a figure on the low side.

The average ransom paid has increased year over year and now sits at a little over US$300,000.

That’s a startling amount given that the average ransom in 2015, just six years ago, was only $294. It rose to just over $1,000 in 2017.

It’s obvious that criminals see opportunity here and are increasingly investing in this area.

On the extreme side, we’ve seen the highest payouts going up and up.

In 2020, the University of California at San Francisco reportedly paid out $1.14 million dollars after negotiating down the initial ransom demand.

Travelex was also hit in 2020 and is rumoured to have paid out $2.3 million in ransom as part of an attack that took systems offline for almost two weeks.

2021 has brought even higher ransom demands as criminals hit their stride.

The North American division of Brenntag, a chemical distribution company, reportedly paid $4.4 million to recover 150 GB of critical business data.

At about the same time, Colonial Pipeline is said to have paid the same $4.4 million demand to the same criminal gang in order to recover its data, after shutting down the fuel pipeline that supplies nearly half of the fuel consumed on the US East Coast.

And topping the known list is JBS USA Holdings.

It’s been reported by the Wall Street Journal and others that they paid an $11 million ransom in order to restore the plants that process roughly one fifth of the United States’ meat supply.

Criminals are making mountains of money with this crime. No wonder it’s happening more and more.

But the ransom payment is actually the cheaper part of this crime.

The costs associated with restoring IT systems and the cost of lost business are skyrocketing as well.

After a ransomware incident, the average organization takes a little over two weeks to fully recover.

Why does it take so long?

Well, even if an organization pays the ransom and gets the keys to access their data, that process takes time.

It can take days to decrypt or restore the information. The same goes if the company has to restore from backups.

And that process can only start once the team has determined that they’ve removed the criminals from the network.

That often requires an outside team of professional incident responders.

Most organizations don’t have the experience or the capacity to do a complete sweep of their systems to make sure that they’re safe.

Calling in a third party is a smart move but it takes time and adds to the overall bill.

That bill usually clocks in around $1.2 million. And that number is rising quickly as these incidents grow in size.

Now keep in mind, none of these figures even begin to touch the opportunity costs of lost business or the impact on a company’s brand and reputation.

If your e-commerce site was down and you couldn’t take any orders for two weeks, the numbers are going to skyrocket.

No wonder this was a $42 billion dollar problem in 2020.

Cited in this section:

3. How Does It Work?

Let’s take a step back and look at the mechanics of the crime.

Ransomware mirrors the idea of a physical ransom.

This is a scheme where the criminal takes possession of something. Let’s say, they steal a prized painting of yours.

There is only one of that painting. The criminal has it now and they know that it’s the only one.

They set a ransom they think hits the sweet spot between what the painting is worth and what you’re willing to pay to get it back.

The premise is simple; pay the ransom and get the painting back.

Of course, a thousand things could go wrong.

The top concern for the criminal is that they need you to believe that you’ll get the painting back if you pay.

If at any point you don’t think you’ll get the painting back, you are unlikely to pay and the criminal is unlikely to make money…that’s not what they want.

They also need you not to involve law enforcement as that significantly increases the odds of them getting caught in the physical version of this crime.

For larger ransoms, insurance companies and other players get involved and can negotiate the payment down and handle the exchange.

It’s not a common crime but it’s pretty easy to understand.

The criminal has something unique that you treasure. Pay and get it back.

For ransomware, the concept is the same.

But in the digital world, “unique” is extremely rare. It’s easy enough to copy a file to make a backup.

macOS and Windows ask you if you want to set up automatic backups when you plug in a new external drive. Your phone and tablet automatically back up critical data to the cloud.

This seems like it prevents ransoms, doesn’t it?

Well, you and I both know that technology is never that simple.

Organizations rarely have an effective backup strategy in place, and individuals are even less likely to have one.

It’s an odd failing of the human condition.

Even if you do beat the odds and have backups, denying you access to those backups is now part of the ransomware workflow.

Cited in this section:

4. The Technical Side

Let’s dive into that workflow now to get a better idea of what happens on a technical level.

Before denying you access to your data, ransomware first needs to get on to your systems.

The initial entry point into a network is most often a phishing email, with stolen or guessed remote-access credentials (exposed RDP) and unpatched internet-facing software close behind.

In fact, 94% of malware is delivered by email (the figure comes from Verizon’s 2019 Data Breach Investigations Report).

It’s simple, cheap, and effective as a first step for criminals.

So criminals are sending out targeted phishing emails that are designed…yes designed…to get you to click on them and take some sort of action: log in somewhere, download a file, run a program, that sort of thing.

Once you do that, a loader or dropper works its way onto your system.

That is the initial foothold the criminals need to start their scheme.

With the dropper in place, the next stage is to find out where they’ve landed.

Criminals will quietly probe your systems and try to find the most valuable data and weak points on your network.

They use any number of techniques and could be in your systems for days or weeks.

The median “dwell” time on a network is now down to 24 days.

Yes, down.

A decade ago it was 416 days, and it sat around 186 days for a number of years. So 24 days is looking pretty good given the circumstances.

Once they’ve identified all of your weak spots and the most valuable data, it’s time to flip the switch.

The ransomware is deployed throughout your network. It will try to corrupt or block access to your backups (deleting volume shadow copies, wiping backup catalogs, disabling Windows recovery options) while at the same time encrypting all of your critical data.
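The backup-destruction step is also the most detectable part of the workflow, because the commands ransomware uses to do it are few and distinctive. The Python below is an added example, not code from the original video or its author: it runs a handful of rules for the common recovery-inhibiting commands (shadow copy deletion, backup catalog deletion, disabling Windows recovery) over constructed process-creation events with hypothetical host and user names, and raises the severity when several distinct techniques show up on one host within a short window, which is what ransomware does and an administrator almost never does.

```python
"""Detect ransomware's backup-destruction step in process-creation logs.

Added example; not from the original video.  The events are constructed and the
hosts/users are hypothetical.  Field names loosely follow Sysmon Event ID 1
(ProcessCreate) / Windows 4688, reduced to what the logic needs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines ransomware runs before encrypting, so the victim cannot roll back
# (MITRE ATT&CK T1490, Inhibit System Recovery).  Word boundaries keep the rules
# from firing on "vssadmin list shadows" or "bcdedit /enum".
RULES = [
    ("vss_delete",    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_resize",    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadow",   re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("ps_shadow",     re.compile(r"Win32_ShadowCopy\b.*\b(Delete|Remove-CimInstance|Remove-WmiObject)\b", re.I)),
    ("bcdedit_recov", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("bcdedit_boot",  re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
    ("wbadmin_del",   re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b", re.I)),
]

# Constructed sample events.  srv-fs01 shows the real thing: four different
# techniques from one account in under two minutes.  ws-0142 is an admin
# trimming shadow storage once, which on its own is ambiguous.
EVENTS = [
    {"ts": "2021-06-14T01:58:40", "host": "ws-0142", "user": r"CORP\jdoe",
     "parent": "explorer.exe", "cmd": r'"C:\Program Files\Backup\agent.exe" --schedule nightly'},
    {"ts": "2021-06-14T02:13:05", "host": "srv-fs01", "user": r"CORP\svc_backup",
     "parent": "cmd.exe", "cmd": r"vssadmin delete shadows /all /quiet"},
    {"ts": "2021-06-14T02:13:09", "host": "srv-fs01", "user": r"CORP\svc_backup",
     "parent": "cmd.exe", "cmd": r"wmic shadowcopy delete"},
    {"ts": "2021-06-14T02:13:31", "host": "srv-fs01", "user": r"CORP\svc_backup",
     "parent": "cmd.exe", "cmd": r"bcdedit /set {default} recoveryenabled no"},
    {"ts": "2021-06-14T02:14:02", "host": "srv-fs01", "user": r"CORP\svc_backup",
     "parent": "cmd.exe", "cmd": r"wbadmin delete catalog -quiet"},
    {"ts": "2021-06-14T09:40:12", "host": "ws-0077", "user": r"CORP\asmith",
     "parent": "powershell.exe", "cmd": r"vssadmin list shadows"},
    {"ts": "2021-06-14T10:02:44", "host": "ws-0142", "user": r"CORP\jdoe",
     "parent": "powershell.exe", "cmd": r"vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB"},
]


def match_rules(cmd):
    """Names of every rule the command line triggers (empty list if benign)."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events, window=timedelta(minutes=10), threshold=2):
    """One alert per host that ran any recovery-inhibit command.

    Severity is HIGH when at least `threshold` distinct techniques occur on the
    same host within `window`; a lone hit is MEDIUM, since an administrator
    occasionally runs one of these on purpose.  Timestamps are ISO 8601."""
    by_host = defaultdict(list)
    for ev in events:
        names = match_rules(ev["cmd"])
        if names:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), set(names), ev["user"]))

    alerts = []
    for host, hits in sorted(by_host.items()):
        hits.sort(key=lambda h: h[0])
        # Widest set of distinct techniques seen inside any single window.
        best = set()
        for i, (ts, names, _) in enumerate(hits):
            seen = set(names)
            for later_ts, later_names, _ in hits[i + 1:]:
                if later_ts - ts > window:
                    break
                seen |= later_names
            if len(seen) > len(best):
                best = seen
        alerts.append({
            "host": host,
            "users": sorted({user for _, _, user in hits}),
            "first_seen": hits[0][0].isoformat(),
            "techniques": sorted(best),
            "severity": "HIGH" if len(best) >= threshold else "MEDIUM",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The per-host windowing is the part worth keeping: any one of these commands has a legitimate use, but four of them within two minutes from a service account does not, and at that point the encryption is usually minutes away.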

Encryption is a technique we use all of the time throughout computing. It’s actually one of the primary ways we keep data safe.

It locks the data away so that only someone holding the key can read it.

With ransomware, any guesses as to who has the only key?

If you said the criminals, you got it in one.

A well executed ransomware strike will ensure that you are in the same situation as a physical ransom: the only way back to your data is by paying to get the key.

If we summarize the process, we get roughly four stages:

  1. Research
  2. Land
  3. Explore
  4. Lock

But it wasn’t always this involved…

Cited in this section:

5. Changes Over Time

The first ransomware attack was actually all the way back in 1989 and was distributed via floppy disk.

The criminal mailed out 20,000 floppy disks to attendees of the World Health Organization’s AIDS conference that year.

After an infected system had been booted roughly 90 times, the malware hid directories, encrypted file names, and demanded that a $189 annual payment or $378 one-time payment be mailed to a PO Box in Panama.

It’s a truly bizarre story but as a historical note, it serves as a proof of concept. Digital extortion and ransom made real.

There are scattered examples in the intervening years but ransomware in its current form really came to the fore in 2013.

That year, a ransomware called CryptoLocker was targeting Windows systems. Over the course of the next year, it’s estimated that the criminals behind the scheme brought in about $1.3 million dollars.

The success (from a criminal standpoint) of CryptoLocker led to an explosion of ransomware over the next few years.

During this period, ransomware was very much a crime of opportunity. If a system could be infected, it was.

There was little-to-no targeting. The goal was volume.

Which is why ransoms were still in the low hundreds of dollars. Criminals had no idea who their victims were.

The concept was simple: your data is valuable to you.

Most people and organizations with computers should be able to scrape together the ransom and if they couldn’t…well, there were always more victims.

For years security companies were tracking hundreds of thousands of ransomware attacks and dozens and dozens of distinct technical implementations of ransomware.

The trend since 2019 has been more targeted and precise attacks.

Gone are the volume plays as cybercriminals realize that they make more money with fewer, higher value victims.

Ransomware has gone upmarket.

Cited in this section:

6. Who Is Doing This?

You’ll notice throughout this video, I’ve been saying “criminals”.

Despite what you hear in the headlines and the questions being floated by politicians, this is a scheme perpetrated by criminals.

With rare exceptions (WannaCry in 2017 was attributed to North Korea), nation states are not the ones holding companies’ data for ransom. They may use ransomware-style attacks to disguise other activities, but the campaigns in the headlines are run by criminals.

This is a profit motivated crime.

Now, don’t get me wrong. Nations have a role to play in how many resources they commit to law enforcement and in other areas they could use to crack down on ransomware.

But, let’s be clear, this is a law enforcement and criminal justice issue, not a cyber warfare one.

How organized are the criminals involved? Very.

Remember the four rough stages of an attack? We had:

  1. Research
  2. Land
  3. Explore
  4. Lock

At each of these stages there are products and services for sale that criminals use as part of their campaigns.

If you took a dark turn and wanted to run a ransomware campaign, it actually takes little-to-no technical knowledge, just start up capital.

When you’re researching your victim, you can buy access to social media accounts, personal information, and more to make sure that your initial efforts are well crafted and likely to get you access to their systems.

Of course, that only augments the research you can do on social media and through the news.

There’s always a ton of information about organizations and their employees available online…paid or otherwise.

Moving to the “land” step, you can rent services to help run the logistics of your phishing campaign, just like any online marketing campaign.

Or you can buy access to a pre-hacked network directly via an initial access broker.

These brokers offer existing footholds into various networks to help you accelerate your efforts and see a profit quicker.

Once you’ve landed, you’ll need more tools in your kit to explore the network around you: tools that let you compromise more systems and enumerate the data and services within the network. These are readily available for a price, or for free, since many of them are open-source tools originally written for defenders and penetration testers.

When you’re ready to lock the environment down, you can rent the malware and the entire system end-to-end with Ransomware-as-a-Service.

Yes, the criminal underground has adopted a cloud services model and has a product to meet every need.

This is how profitable ransomware is. It’s spawned an entire criminal industry.

Cited in this section:

7. How Are We Reacting?

Given the expansion of criminal activity, you would expect a massive response from law enforcement globally.

And we are seeing some level of response. In the spring of 2021, arrests were made of members of the Cl0p ransomware organization.

Before that, we saw arrests associated with the Egregor ransomware in early 2021 and GandCrab in the summer of 2020.

These arrests were just a drop in the bucket. In reality there is very little risk for criminals running ransomware campaigns.

Why?

Law enforcement in the digital space is a rat’s nest of jurisdictional issues, technical challenges, and a lack of resources.

It’s not for a lack of trying.

It’s extremely difficult to gather sufficient evidence, cooperation, and funding to rein in the perpetrators behind these crimes.

But governments are slowly turning their attention to the problem.

The United States recently said they would be treating ransomware with the same priority as terrorism.

That’s a good first step but for the previously stated reasons, for now, it’s more political posturing than a program that’ll deliver results.

Law enforcement needs more technical resources, clear priorities, and a framework where victims can come forward without fear of increasing their own liability on a number of issues.

These efforts need to start now and won’t pay off for years.

Cited in this section:

8. What Are Companies Doing?

With all of the money at stake and all of the headlines, companies are understandably reacting to the issue.

It’s an obvious risk to the business…and that includes all businesses.

However, IT is already a cost center for most organizations and security is typically an afterthought of those activities.

On a whiteboard, ransomware can be prevented with regular patching and updates, good security controls, a strong disaster recovery plan, and an excellent security education program.

The problem is that those whiteboard ideas don’t line up with reality.

On regular patching and updating, noted cybersecurity expert Kevin Beaumont put it best: “‘Just patch’ is a mantra you will hear in cybersecurity circles, but I’m not sure how many people in cybersecurity have tried to patch Microsoft Exchange and SharePoint clusters, but… it isn’t a ‘just’ operation.”

In fact, 25 days after a patch is released, most organizations have only about 35% of affected systems patched. Moving that marker out to 75 days after release, that number limps to about 55% of affected systems being patched.

Patching is hard, and unpatched systems are prime targets for criminals.

Security controls can be a good tool to help stop the criminals at any stage in the ransomware process.

But cost and complexity are an organization’s enemies here.

Cybersecurity solutions can be expensive (it is a $162 billion-a-year market, after all) and even when procured they can take a long time to deploy…if they ever get out the door.

There are no real stats on this, but anecdotally, a lot of security professionals have seen it first hand.

Security controls are lobbied for, finally purchased, and then never quite deployed completely for any number of reasons.

So despite the full coverage protection on the whiteboard, this is an area where companies have blind spots, a false sense of security, and are vulnerable.

What about disaster recovery? Well it’s a disaster in its own right. It’s expensive and time consuming.

Businesses rarely test their plans under perfect conditions, let alone under the stress and challenges presented by an ongoing security incident.

And finally, security “awareness” programs are typically the same regurgitated tropes time and time again.

“Don’t click on links” if you don’t want to get phished. “Pick a strong password” to stop hackers.

The security community needs to radically shift how we treat users as they are a critical part of any security posture.

For the record, “Don’t click on links” is ridiculous. Links are made to be clicked, and legitimate marketing links in email, with their long tracking redirects through third-party domains, often look more suspicious than the links in actual phishing messages.

The most straightforward advice? If you click on a link in an email and it asks you to take an action like downloading a file, entering credentials, or something like that, then STOP and ask a lot of questions about that link.

Similarly, password guidance is out of date.

I won’t go into it here but just remember that a strong password is actually a long passphrase. Think, “sentence” and you should be ok.

So this advice to business would be great protection against ransomware but it’s hard to completely implement for a number of reasons. It’s just not realistic.

Realizing these challenges, more and more businesses are turning towards cybersecurity insurance.

These policies vary widely and you have to read the fine print, but they generally have provisions to help with any potential ransom payments and recovery costs.

What they usually don’t cover is lost revenue from the business while you’re shut down and costs for improving your security posture with new people and tools.

These policies can get you out of the immediate financial jam, and that matters more now that criminals have added a double extortion technique.

This is where they not only lock you out of your data but also steal it first, then threaten to release it if you don’t pay the initial ransom demand. A backup gets your data back; it does nothing about the copy the criminals are holding.

Add all of this up and more and more companies are paying the ransom.

Making the matter worse (yes, worse), 80% of businesses that pay a ransom are hit again within the year.

And why not? They’ve already shown a willingness to pay and odds are they haven’t dramatically improved their security posture for any number of reasons.

This is a profit motivated crime. This is to be expected.

Cited in this section:

9. Can Companies Recover?

We have seen some situations where companies didn’t recover given the long downtime and the massive financial expenditures spent during the incident.

But for most organizations, a ransomware event is a major set back for a few months and then things move on.

This is something that businesses can recover from.

One of the biggest recovery questions is whether or not to pay the ransom.

It’s easy to say, “NO, don’t pay.” But it’s not that simple.

From a community perspective, you shouldn’t pay the ransom. The more money criminals make, the more they invest in ransomware continuing the cycle.

But if your back is up against the wall and it’s the fastest path to recover, it might make sense from a business perspective. Especially with the new double extortion techniques we’re seeing.

When the alternative is either a massive data breach or a long struggle to recover, the board may feel it’s worth the risk to pay, even with the high attack recurrence rate.

Here’s a statement from Anne Neuberger, the US Deputy National Security Advisor for Cyber and Emerging Technology, on the issue. It’s about as politically correct a shrug as possible.

Depressingly, paying the ransom is becoming a “cost of doing business” activity at this point.

But it shouldn’t be and doesn’t have to be.

Businesses should be doing everything they can to prevent ransomware from taking hold.

That means investing and ensuring that technical cybersecurity controls are deployed throughout the organization.

If you can’t do it yourself, contract that work out. The same goes for monitoring those security controls.

Currently cybersecurity insurance can look like a smarter investment. However, the current financial situation with the insurers won’t stay this way forever.

Insurance is a numbers game and as more and more businesses are hit with ever increasing ransoms, the baseline security posture to get insurance and the overall cost will continue to increase.

Just as critical is to have a disaster recovery plan in place and to regularly practice it. The good news here? These plans work for any disaster and are a solid investment.

The key is to figure out what’s actually critical for your business. You may have a lot of systems right now that are nice to have and help things run more efficiently, but in a pinch you could do without them.

Focusing on the core of your business will help reduce the complexity and cost of your disaster recovery plan.
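One way to make “figure out what’s actually critical” concrete is to write the dependency map down and compute from it rather than arguing about it in a meeting. The Python below is an added example, not code from the original video or its author, and the system inventory in it is constructed and hypothetical. Given the core business services, it computes the minimal set of systems that must be restored, a restore order that brings dependencies up before the things that need them, and the list of systems that can wait. A circular dependency is treated as an error, because it means the plan cannot be executed as written.

```python
"""Minimal recovery scope and restore order from a dependency map.

Added example with a constructed, hypothetical inventory; not from the original
article.  DEPENDENCIES maps each system to the systems it needs in order to run.
"""
from collections import deque

# Constructed inventory: system -> systems it depends on (hypothetical names).
DEPENDENCIES = {
    "order-entry":     ["inventory-db", "sso", "payments"],
    "payments":        ["sso", "payment-gateway"],
    "inventory-db":    ["storage-san"],
    "sso":             ["directory"],
    "directory":       [],
    "storage-san":     [],
    "payment-gateway": [],
    "analytics":       ["inventory-db", "data-lake"],
    "data-lake":       ["storage-san"],
    "wiki":            ["sso"],
    "hr-portal":       ["sso", "hr-db"],
    "hr-db":           ["storage-san"],
}


def recovery_scope(core_services, deps=DEPENDENCIES):
    """Every system the core services transitively depend on (core included)."""
    needed, stack = set(), list(core_services)
    while stack:
        system = stack.pop()
        if system in needed:
            continue
        needed.add(system)
        stack.extend(deps.get(system, []))
    return needed


def restore_order(systems, deps=DEPENDENCIES):
    """Kahn's topological sort restricted to `systems`: a system appears only after
    everything it depends on.  Ties are broken alphabetically so the plan is stable
    run to run.  Raises ValueError on a cycle, which means the plan is not executable."""
    systems = set(systems)
    indegree = {s: 0 for s in systems}
    dependents = {s: [] for s in systems}
    for s in systems:
        for d in deps.get(s, []):
            if d in systems:
                indegree[s] += 1
                dependents[d].append(s)
    ready = deque(sorted(s for s in systems if indegree[s] == 0))
    order = []
    while ready:
        s = ready.popleft()
        order.append(s)
        for t in sorted(dependents[s]):
            indegree[t] -= 1
            if indegree[t] == 0:
                ready.append(t)
    if len(order) != len(systems):
        raise ValueError("circular dependency among: %s" % sorted(systems - set(order)))
    return order


def deferrable(core_services, deps=DEPENDENCIES):
    """Systems in the inventory that the core services do not need; restore later."""
    return sorted(set(deps) - recovery_scope(core_services, deps))


if __name__ == "__main__":
    core = ["order-entry"]
    print("restore first, in this order:", restore_order(recovery_scope(core)))
    print("can wait:", deferrable(core))
```

In the constructed inventory, taking orders needs seven of the twelve systems; the wiki, HR and analytics stacks can be rebuilt after the business is trading again, which is exactly the scope reduction the plan needs.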

Regardless of the approach you take, the key is to do it NOW. Not when you’ve been hit with a ransomware attack, by then it’s too late.

Cited in this section:

10. What’s Next?

Ransomware isn’t going anywhere. Criminals are making too much money too easily to stop anytime soon.

Expect to see more and more industries targeted as criminals take advantage of overly complicated IT deployments, poor security messaging, and a lack of community focus on the issue.

The 2021 attack on Kaseya, an IT management platform, is an example of what to expect.

This firm offers a product that helps managed service providers run the IT operations of their clients. Criminals associated with the REvil ransomware exploited a zero-day vulnerability in Kaseya’s VSA product and used its own software-deployment capability to push ransomware through those service providers to their customers.

By attacking one company in the supply chain, they managed to breach dozens of service providers and, through them, well over a thousand of their customers.

The impact was felt far and wide, with one of the most visible victims being the Coop supermarket chain in Sweden, which shut down most of its roughly 800 stores in order to deal with the attack.

These types of supply chain attacks offer a high return on investment for criminals.

Similarly, companies in the energy sector, manufacturing, and other key verticals all have large, complex IT systems and a need to keep operations running 24/7.

They are likely to pay big when attacked and are already in the crosshairs for enterprising criminals.

What can we do?

This is not an easy problem to solve. There are so many interconnected concerns and challenges here that it’ll take years to unwind.

What we do know is this:

We aren’t going to stop ransomware tomorrow but if we work together and take steps to prevent it from taking hold, we can at least slow it down.

Cited in this section:

More Reading

General

US Response

Nation State Issues

Colonial Pipeline

REvil

Insurance

Kaseya

Other Attacks

The person in charge of the REvil ransomware operation said they did not mean to cause meat delivery disruptions in the US. They targeted JBS because it was a Brazilian company. https://t.co/hgYGzn6F7z
— Catalin Cimpanu (@campuscodi), June 4, 2021

Sen. @MarkWarner is asked on Meet the Press if ransomware payments should be made illegal.

"That's a debate worth having. I am not sure what the answer is at this point ... (but) let's make sure if companies do pay, there is transparency around those payments."
— Dustin Volz (@dnvolz), June 6, 2021

DOJ to business leaders: "The threat of severe ransomware attacks poses a clear and present danger to your organization."

"Pay attention now. Invest resources now. Failure to do so could mean the difference between being secure now or a victim later" https://t.co/WHY7jr5TUY pic.twitter.com/yMCkG0nxz6
— Bloomberg Quicktake (@Quicktake), June 7, 2021

I published a bit of research today about this ransomware, alleged to be at the core of the JBS attack, as well as many, many others. REvil (or Sodinokibi, if you're a masochist) is a ransomware-as-a-service that is just all over the place right now https://t.co/FgXpBcgjak
— Accountability Brandt (@threatresearch), June 11, 2021

“We have signed an agreement regarding the bitcoins 30 minutes ago and we expect that the bitcoins will be transferred to the bandits very soon.”

This is extraordinary, an org is live blogging their ransomware incident. https://t.co/1P4iC944nK
— Kevin Beaumont (@GossiTheDog), June 11, 2021

New research from @PaloAltoNtwks on Conti ransomware shows that HSE/SEPA etc did well not to pay or negotiate with the hackers. "In our experience Conti has not demonstrated any signs that it cares about its reputation with would-be victims." https://t.co/byo04h87b1
— Joe Tidy (@joetidy), June 18, 2021

I talked to a senior recovery engineer at one of the top firms about this. The historical advice is that you can't secure a compromised environment, but greenfield is so unrealistic for most firms they can't make it a rule. Monitoring has gotten better as IR has professionalized. https://t.co/nJmmHSPgBf
— SwiftOnSecurity (@SwiftOnSecurity), June 20, 2021

We really should make an update to this illustration. https://t.co/KNPJ9GSn5x
— @mikko (@mikko), June 21, 2021

This bit from @BBCDavidCowan’s BBC Scotland report on the SEPA ransomware attack is incredible. Great honesty from the Scottish environment agency about the impact. ‘We didn’t even have records for who worked here’ pic.twitter.com/buZbwTJNWK
— Joe Tidy (@joetidy), June 25, 2021

Supply chain attack of Kaseya, commonly used in managed service provider environments in the United States, leading to mass ransomware event.

Details in link and thread as they develop: https://t.co/YStENYMTdW
— Kevin Beaumont (@GossiTheDog), July 2, 2021

Coop in Sweden have shut down 800 stores as they used an MSP on point of sale devices, who used Kaseya, so now they have REvil ransomware.

Nightmare fuel.

Should be a wake up call for governments, insurance, businesses etc. https://t.co/bjnWr1mQot
— Kevin Beaumont (@GossiTheDog), July 3, 2021

One of the very large victims of Kaseya incident, a company that supplies point of sale terminals, was also a victim of Cloudhopper years ago.

The difference? Cloudhopper = covert action. Kaseya = ransomware gang.

Guess which incident is more serious.
— Kevin Beaumont (@GossiTheDog), July 4, 2021

It was interesting reading this thread from @mikko and it got me thinking https://t.co/oa8rskdKBg
— Ian - but not THAT Ian (@sailingbikeruk), July 4, 2021

More helpful background from the Dutch researchers who found the Kaseya vulns REvil exploited in the ransomware attack. It sounds like Kaseya did all the right things, but REvil beat them to the fix. Key q here is how did REvil find out about the zero day? https://t.co/DlKQ5j4xKu
— Nicole Perlroth (@nicoleperlroth), July 4, 2021

Extenda Retail, part of the impacted supply chain, statement (their customers have the impact): pic.twitter.com/LFBgLEzE0i
— Kevin Beaumont (@GossiTheDog), July 5, 2021

At yesterday's Geneva summit between the US and Russian heads of state, president Biden said he gave Putin a list of 16 industries the US considers critical infrastructure. https://t.co/xqgJPcPI2F
— Accountability Brandt (@threatresearch), June 18, 2021

Put it this way, the Kaseya VSA vuln is in a .asp script - not even ASPX. The code dates back 15 or so years.

Enterprise IT is held together by string, and ransomware gangs are the match. 🔥 https://t.co/BN2jrbu0IN
— Kevin Beaumont (@GossiTheDog), July 5, 2021
