From Ransomware to the UK's Cyber Security Strategy
As we learn to live with COVID-19, two aspects of the last couple of years really stand out: the acceleration of digital transformation initiatives, and the move to embracing digital services and a hybrid way of working. In parallel, the evolution of ransomware-as-a-service (RaaS) and the increased specialisation of cybercriminals have contributed to the rise in ransomware attacks. New digital systems required multiple access points for customers, partners, and employees, which vastly expanded the attack surface, and threat actors quickly took advantage of it.
As a result, cybercrime has escalated, and a record-breaking number of ransomware attacks with increasing severity are taking place year-on-year. In fact, in the past couple of years, ransomware attacks have doubled and – in some instances – quadrupled in frequency, as noted in BlueVoyant’s Ransomware Series.
The surge in attacks has been fuelled in part by an increase in the “triple extortion” ransomware technique, whereby attackers encrypt a network, illegally obtain the data and threaten to release it to the wider population unless a payment is made, and finally issue a ransom demand to the victim. But it is more than just a criminal money-making enterprise holding individuals and companies to ransom; it has become a tool for geopolitics, an issue for policymakers, and a threat to individuals’ health and safety.
Fascinated by the development of this industry, BlueVoyant has sought to demystify and explain some of the basic questions around ransomware attacks and the actors involved. To do this, we compiled five mini reports that shed light on how ransomware attacks happen, why they happen, what happens when they do, and the impact they have on various stakeholders.
In the first blog, we examined how ransomware has become so prevalent in the cybercriminal economy, and how ransomware gangs have evolved. We traced the evolution of leak sites and RaaS while exploring how this has fuelled growth. Additionally, we looked at how the advanced threat groups behind ransomware such as REvil, Maze, Darkside, Ryuk, WastedLocker, and Netwalker have evolved in the underground economy.
How the First Leak Site Fuelled the Industry
In 2019, Maze ransomware operators set up the first leak site, which shamed victims who would not pay up or would not pay fast enough, and by 2020 the practice of double extortion had become widespread. The attacks listed on these leak sites soon led to increased reporting across news sites, and ransomware gangs and cybercriminals recognised that there was big money to be earned from such practices. At the same time, the failure to hold ransomware groups accountable for their actions fuelled the growth of ransomware, as the low-risk/high-reward model attracted an increasing number of bad actors.
In parallel, the RaaS model evolved: the practice within the cybercrime economy of offering ready-made tools or services for sale. It may involve leasing out the use of a ransomware service so that a less tech-savvy criminal pays for the ability to launch their own attack. This has lowered the barrier to entry and has the added benefit, for the attackers, of making attribution more difficult, as many of them share similar service infrastructure.
Ransomware gangs and cyber criminals are experiencing some hefty payouts. For example, Canadian Sébastien Vachon-Desjardins reportedly earned US$27mn from his cybercriminal exploits. Similarly, the ransomware gang behind the REvil ransomware earned an US$11mn ransom payout from global meat supplier JBS. Additionally, a spokesperson for the REvil ransomware gang known as UNKN noted that one of their affiliates earned US$50mn before he decided to retire.
The RaaS Model Has Diversified
It is mesmerising how those early ransomware innovations have now spawned a layered, complex industry. Gangs have structured themselves into businesses, creating their own ecosystem of partners and vendors who develop marketing campaigns and other initiatives, just as any legitimate business would.
As it has grown, the RaaS model has become quite varied depending on the operation and its level of maturity. There are often buy-in or lease requirements to use the service, and potential affiliates are vetted for skills or by country of origin. Affiliates can be asked to prove prior work or a constant stream of potential accesses for exploitation, just as any legitimate salesperson is asked to verify their previous experience and to bring their little “black book” of contacts from one employer to the next.
The UK Launches First-Ever Cybersecurity Strategy
Concerns about the level of threat have prompted governments globally to shore up their cyber security strategies. In January, the UK government launched its first-ever Cyber Security Strategy, targeted at protecting the public services upon which citizens rely. The strategy aims to make core government functions, such as the delivery of essential public services, more resilient than ever before to cyberattack from malicious actors, with ransomware viewed as one of the most prolific threats.
Ransomware in 2022 will continue to evolve, with ransomware operators using new and more complex techniques in addition to targeted attacks. Data exfiltration will be big, as will attacks on the supply chain. For cybercriminals, it is a faceless and nameless way to earn money, and with little risk of being caught, ransomware gangs keep expanding. Organisations and security practitioners must therefore be mindful and prepared, as ransomware gangs will continue to grow until the risk outweighs the reward, a milestone we’re unlikely to hit anytime soon.