Ransomware groups have been nothing if not persistent. After a big initial run in the mid-2010s, ransomware was widely thought to be dying out as a criminal enterprise in 2018. By 2019 it had roared back, as criminals exploited favorable conditions and adopted new tactics, and it is once again the leading cybercrime threat to businesses throughout the world.
A new report from security firm Analyst1 illustrates how agile ransomware groups have become, to the point that they are backing off and regrouping with new tactics before slow-moving legislation and enforcement can catch up with them. The report also speculates on what the next move for these groups will be, and the news is not good for small businesses.
Ransomware groups stay one step ahead of the law
2021 saw ransomware groups cross a number of worrying lines. One was a willingness to directly attack real-world critical infrastructure, most famously in the incidents at Colonial Pipeline and meatpacker JBS. The Colonial Pipeline attack severely slowed fuel supplies to a number of US states for about a week after the company's billing and inventory systems became inaccessible, while JBS had to pause operations in several countries (and ultimately paid an $11 million ransom) for similar reasons.
Another recent development is an apparent pivot by ransomware groups toward service providers, abusing the trusted relationships and privileged access these providers hold over their clients to infect thousands of organizations at once. The most high-profile example was the attack on IT management vendor Kaseya, in which about 1,500 of the firm's downstream clients were hit with ransomware delivered through one of its compromised management tools.
This collection of attacks prompted unprecedented action from the US government. President Joe Biden directed US intelligence agencies to investigate REvil, which was tied to both Kaseya and JBS. Biden also spoke directly to Russian president Vladimir Putin about the country’s traditionally permissive attitude toward ransomware groups (and other cyber criminals) so long as they steered clear of domestic targets and Russia’s allies abroad, securing a promise of increased cooperation in investigating incidents and bringing wanted criminals to justice.
This effort did appear to pay off in the case of REvil, which was eventually penetrated by a joint international law enforcement operation and taken offline (with a couple of arrests in Ukraine). The heat also appeared to force some ransomware groups into retreat, with BlackMatter (thought to be a rebranded DarkSide, the group behind the Colonial Pipeline attack) among the big names announcing their retirement.
But in the world of ransomware groups, a "going out of business" sign means very little. It usually means that the current "brand" has attracted too much attention and is being abandoned (along with its infrastructure) while the criminals take a few weeks or months off and regroup under a different name with some new tricks.
Small businesses back on the menu?
One trend in the resurgence of ransomware has been a focus on large companies able to pay correspondingly large ransom demands (often backed by a cyber insurance policy). The report's authors think this may be changing in the near future.
Several factors may prompt the bigger ransomware groups to start hunting smaller game again. One is the mobilization of US and other international intelligence and law enforcement agencies, which have become much more active as ransomware has grown into the leading cyber threat to businesses. Clearly, a sufficiently damaging attack will now prod the sleeping giant into action.
Another possible factor is that cyber insurance companies are increasingly limiting coverage, particularly for ransomware incidents. Large companies may no longer pay so readily once they can no longer assume that insurance will make them whole.
The report expects ransomware groups to keep breaching supply chains to reach multiple targets, but to shift toward the smaller companies in those chains that are less likely to have robust IT and security teams. The groups may also simply settle for smaller payments from smaller victims out of necessity.
Chris Fiormonti, former intelligence community threat analyst and researcher at Analyst1, also thinks that ransomware groups may steer away from countries that have demonstrated a commitment to chasing down attackers: "Now that the federal government has brought in the military with Cyber Command, ransomware actors will have to shift targets away from US infrastructure and target smaller private companies. The targeting of smaller companies with smaller ransoms is one way to stay under the radar. Ransomware actors will want to avoid American infrastructure to avoid a US military response."
But the ransomware industry is unlikely to go away entirely, given that average payments shot up to half a million dollars in 2021 and single heists have netted tens of millions. The heyday of these big scores may be ending, but a broad range of companies should remain braced for attacks in the near future; remediation costs often far exceed the ransom itself, and projections put total cybercrime costs as high as $6 trillion next year and $10.5 trillion by 2025.