Complex Made Simple

Lone wolves exist but say hello to Ransomware Inc.

Ransomware operators have consolidated their activities, becoming organized crime outfits that span the globe, conducting business with affiliates, sister companies, and the like

For a cybercriminal, the best country is Russia Data breaches and ransomware attacks alone cost the healthcare industry an estimated $4 billion in 2020 There are coders who create and rent the actual ransomware strain via services called Ransomware-as-a-Service

Ransomware operators range from rogue lone wolves to crime outfits that target government institutions and companies.

One such lone wolf gave the media a glimpse into his activities and the motivations behind them.

But the real threat is much bigger. Today, ransomware operators have consolidated their activities, becoming organized crime outfits that span the globe, conducting business with affiliates, sister companies, and the like, similar to how multinational organizations run a traditional business. 

Let’s first look at one lone operator’s tale and the motives that led to his criminal activity. 

Russia, a ransomware haven

A LockBit ransomware controller has given researchers a glimpse into lone-wolf operations and the reasons why he chose to go down a criminal route. 

In an interview with the Cisco Talos cybersecurity team (.PDF), an operator of LockBit explained his modus operandi, his preferred targets, tool use, and why it is difficult to become a white-hat specialist in Russia. 

This guy knows that once a ransomware variant infiltrates a corporate network having completed its encryption spree, victims are faced with disruption and may be forced to suspend core services unless they pay. 

According to Coveware, the average payout in Q4 2020 was $154k, while in Q3 2020, it was around $234k.  

This guy’s demands are no exception. 

The LockBit operator referred to as “Aleks” claimed to be self-taught in skills including penetration testing, network security, and reconnaissance. 

Aleks, believed to be in his early 30s, secured a job with an IT company while finishing a university degree, but demonstrated “a general sense of disappointment and resentment for not being properly appreciated within the Russian cyber industry,” Talos says. 

The interview noted his perceived under-appreciation and that low wages drove him to participate in unethical and criminal behavior.

Several examples of such “under-appreciation” were noted, including being rebuffed when he reported security issues in websites, including a Russian social network. His “well-intentioned efforts were ignored,” Aleks claimed, which further drove him down a cybercriminal path. 

His motives for becoming a ransomware operator, however, do not seem to be purely financial. During the interview, Aleks said that while ransomware is profitable, he also wanted to “teach” companies the “consequence of not properly securing their data.”

Aleks also said that “for a cybercriminal, the best country is Russia.” 

The threat actor claimed that when it comes to organizations with cyber insurance, a payout is “all but guaranteed.” 

He said that in Europe, companies are also under more pressure to pay as they are “scared” of the consequences of violating the EU’s GDPR data protection regulations.

Read: Over 140 ransomware families down

Read: 40% of Consumers Hold the CEO Personally Responsible for Ransomware Attacks, research shows

Healthcare sector attacks

“The UAE has been one of the most affected countries in the region, accounting for the bulk of COVID-19 themed attacks in GCC,” says Anand Choudha, CEO at Spectrami.

The UAE has seen at least a 250% increase in cyber-attacks in 2020 as the pandemic forced organizations around the world to an immediate remote working scenario.

The cyber-attacks vary from ransomware to data breaches and from fake vaccines to unemployment fraud. 

Globally, healthcare organizations were the most exposed industry to cyber-attacks throughout 2020. Research shows that data breaches and ransomware attacks alone cost the industry an estimated $4 billion, accounting for more than 4 in 10 breaches. 

In 2021, a cyber-attack incident is expected to occur every 11 seconds, according to Cybersecurity Ventures.  

Ghost accounts

The research states that cybercrime will cost the global economy $6.1 trillion annually by 2021, making it the world’s third-largest economy.

Sophos, a global leader in next-generation cybersecurity, published its latest findings into real-world attacks and details how a failure to keep close tabs on “ghost” account credentials facilitated two recent cyberattacks, one of which involved Nefilim ransomware.

Nefilim, also known as Nemty ransomware, combines data theft with encryption. The target hit by Nefilim had more than 100 systems impacted. Sophos responders traced the initial intrusion to an admin account with high-level access that attackers had compromised more than four weeks before they released the ransomware during which time credentials were stolen.

The hacked admin account that enabled this belonged to an employee who had passed away around three months previously and the company had kept the account active because it was used for a number of services.

Ransomware, a modern business

A report published by blockchain investigations firm Chainalysis confirms that cybercrime groups engaging in ransomware attacks don’t operate in their own bubbles but often switch ransomware suppliers in a search for better profits. 

The report analyzed how Bitcoin funds were transferred from victims to criminal groups, and how the money was divided among different parties involved in the ransomware attack, and how it was eventually laundered.

Today, the ransomware landscape is very similar to how modern businesses operate.

There are coders who create and rent the actual ransomware strain via services called RaaS, or Ransomware-as-a-Service, similar to how most modern software is provided today.

Some RaaS operators rent their ransomware to anyone who signs up, while others prefer to work with small groups of verified clients, which are usually called “affiliates.”

The affiliates are the ones to usually spread the ransomware via email or orchestrate intrusions into corporate or government networks, which they later infect and encrypt with the ransomware they rented from the RaaS operator.

In some cases, the affiliates are also multiple groups themselves. Some are specialized in breaching a company’s network perimeter and are called initial access vendors, while some groups are specialized in expanding this initial access inside hacked networks to maximize the ransomware’s damage.

All in all, the ransomware landscape has evolved from previous years and is now a collection of multiple criminal groups, each providing its own highly-specialized service to one another, often across different RaaS providers.