Ransomware Ecosystem: Big-Name Brands Becoming a Liability
Midsized Businesses Are the New Frontier for Ransomware Demands
Here's unwelcome ransomware news: Disintegration earlier this year of the Conti ransomware brand hasn't had an effect on the volume of ransomware attacks.
The group's vow of "full support" for the Kremlin on the second day of official Russian hostilities in Ukraine backfired spectacularly by politicizing ransomware payments amid a European land war. The group attempted to unwind its pledge, but it was too late.
That opened the door to successor groups, who have observed and adjusted their operations, finds a report from ransomware specialists Coveware.
Among its findings: brand awareness is no longer a plus for ransomware groups, and attackers have shifted toward small and medium-sized businesses. Just don't look for a decrease in the number of attacks - those continue, as ever, at their malicious pace.
Which ransomware brands now dominate? Based on the ransomware incidents it assisted with, Coveware found that Conti spinoff BlackCat, aka Alphv, was the strain most commonly seen behind successful attacks from April through June. This stands in contrast to the number of alleged nonpaying victims listed on groups' data leak sites during the same time frame, where LockBit listed the greatest number.
But which group is the largest is also a question shrinking in relevance, Coveware posits.
Historically, big ransomware brands promised not just technical sophistication - crypto-locking malware that would encrypt systems faster and more reliably and be tougher to spot and block - but also the fear factor caused by their brand name.
But as DarkSide was forced to close and rebrand after hitting Colonial Pipeline, and REvil - aka Sodinokibi - and lately Conti have gone by the wayside, big brands not only appear to have less cachet for affiliates but also appear to be seen as carrying more risk, Coveware says. Big brands are more of a law enforcement target. For operators, that means having to invest more in keeping their infrastructure up and running, regardless of attempts to disrupt it (see: Ransomware Evolves: Affiliates Set to Wield Greater Power).
There's also a move away from the operator providing a range of centralized services, Coveware says, such as "seeding initial access - via partnerships with botnets and access brokers, assisting with stolen data storage, centrally managing negotiations and handling support via leak sites and decryptors." Instead, responsibility for such activities increasingly falls on affiliates, in part because it makes the operator less of a target and makes its efforts tougher to disrupt.
Decentralization makes the ransomware ecosystem tougher for investigators to track. "The resulting environment is one where sophisticated ransomware-as-a-service affiliates are fluid, regularly moving between variants or engaging in attacks with no branded malware," Coveware says. "Attribution has always been hard, but it's getting harder in today's environment."
Data Leak Threats Common
The average ransom paid to a ransomware attacker, when a victim chooses to pay, is going up.
From April through June, the average ransom payment was $228,125, up 8% from January through March, Coveware reports. Those findings are based on thousands of cases the firm helped investigate, many of which have not been publicly disclosed.
In the same time frame, the median ransom payment decreased by 51%, to $36,360.
That decrease has been driven by RaaS organizations' affiliates and developers shifting more "towards the midmarket where the risk-to-reward profile of attack is more consistent and less risky than high-profile attacks," Coveware says.
More than a year after the disastrous hit on Colonial Pipeline in the United States triggered a furious backlash from the White House, ransomware-wielding attackers appear to be more circumspect in their choice of target, as demonstrated by a move away from so-called big game hunting - the targeting of larger organizations.
Midsize and smaller organizations remain especially vulnerable to ransomware, oftentimes because of their relatively lower investments in cybersecurity.
Collective downtime decreased by 8% from the first to second quarter of this year, reaching an average of 24 days. Coveware says the decrease is driven by more ransomware attackers not crypto-locking systems, but instead pursuing a pure data leakage model, in which they just steal data and hold it to ransom.
Coveware says that from April through June, 89% of cases it investigated involved attackers threatening to release stolen data. But not all groups that claim to have stolen data have really done so.
Attackers also regularly demand one or more ransom payments for a range of promises: to provide a working decryptor to decrypt files, to not leak or sell stolen data, to remove a victim's logo from their data leak site or to not attack the organization again.
It should be no surprise that in recent months, Coveware "saw continued evidence that threat actors do not honor their word as it relates to destroying exfiltrated data." In other words, if attackers can get any value from selling it, they'll do so.
Post-Attack: Be Candid
Like government authorities, Coveware recommends that victims never pay a ransom in return for promises about what attackers might do or for public relations purposes.
Despite that advice, numerous victims still pay a ransom, hoping the payment will minimize potential harm from the breach, prove that the organization did everything it could to mitigate the damage, reduce its potential liability to class action lawsuits or simply make it look better from a public relations standpoint (see: Don't Pay Ransoms, UK Government and Privacy Watchdog Urge).
"A far better narrative is to be candid, honest and contrite," Coveware says. "Your impacted constituents will understand that this happens, and will appreciate the transparency. You won't be the first counterparty to report a breach to a valued customer, and you won't be the last. Disclosing a breach has never bankrupted a company."