Ransomware attacks are becoming more severe and sophisticated across all industries, particularly against governmental organizations, financial institutions, and healthcare facilities. Lax cybersecurity measures at victim organizations, such as insufficient system backups and ineffective incident response capabilities, have contributed to the rise in these attacks.
Today, cybercriminals frequently rely on tried-and-true techniques: mass phishing and targeted spear-phishing campaigns that trick victims into downloading malicious files or visiting malicious websites, exploitation of software vulnerabilities and exposed Remote Desktop Protocol (RDP) endpoints, and “drive-by” attacks that seed legitimate websites with malicious code.
The majority of ransomware variants use file encryption as their method of extortion. Data is encrypted on the victim’s device, and the attacker demands a ransom to unlock the files. Ransomware may encrypt the Master File Table (MFT) or the computer’s entire hard drive. Either way, the result is a denial-of-access attack: users cannot reach their files because the data cannot be decrypted without the decryption key.
The best defense against ransomware is frequently proactive prevention through good cyber hygiene, cybersecurity controls, and business continuity resiliency. This article will look at some recent ransomware incidents and related payment patterns.
Cybercriminals increasingly use “double extortion schemes,” which involve exfiltrating private information from targeted networks, encrypting system files, and then demanding a ransom. If the victim does not pay, the cybercriminals threaten to publish or sell the stolen data. In other extortion schemes, cybercriminals use the initial breach to identify and target follow-on victims connected to the original one, such as the victim’s business partners and customers. Pressure on these outside parties can give the attacker additional leverage over the victim.
Use of Anonymity-Enhanced Cryptocurrencies (AECs)
Cybercriminals typically demand that ransomware payments be made in convertible virtual currencies (CVCs), most frequently Bitcoin. However, they increasingly demand or encourage victims to pay in AECs, which reduce the transparency of CVC financial flows through features such as mixing and cryptographic enhancements that anonymize transactions. Cybercriminals have even offered discounted rates to victims who pay their ransoms in AECs. Monero is one such AEC that ransomware criminals are increasingly requesting.
Unregistered CVC Mixing Services
Cybercriminals frequently use mixers to hide their illegal activities and protect their illicit gains. Mixers pool CVC from many users and divide the value into numerous small pieces that pass through numerous intermediary accounts in order to “break” the connection between the sender and the receiver of the CVC transaction. As a result, cybercriminals exchange CVCs that are directly connected to a specific crime for other CVCs of comparable value that come from different sources. Mixers may be companies that offer an anonymizing service or providers of anonymizing software.
Cashing Out Through Foreign CVC Exchanges
Cybercriminals frequently launder and cash out illicit proceeds through CVC exchanges that have lax compliance controls or that operate in regions with little regulatory oversight. These exchanges are often located in high-risk jurisdictions or in jurisdictions without active information-sharing agreements with other nations. Cybercriminals and their associates may use these exchanges to convert “dirty” CVC into their preferred fiat currency or legal tender and reintegrate it into the financial system.
Ransomware Criminals Forming Partnerships and Sharing Resources
Many cybercriminals participate in profit sharing through ransomware-as-a-service (RaaS), a business model in which ransomware developers sell or otherwise deliver ransomware software to individuals or groups that have independently obtained unauthorized access to a victim network. RaaS makes ransomware infections of computer networks feasible for online criminals of all skill levels, enabling them to profit from their unauthorized access. Under the profit-sharing agreement, a portion of any ransom paid by the victim typically goes to the RaaS developer. The DarkSide ransomware, which cybercriminals used against Colonial Pipeline in early 2021, is a recent illustration of this model.
Use of “Fileless” Ransomware
Fileless ransomware is a sophisticated tool that can be difficult to detect because the malicious code resides in the computer’s memory rather than in a file on the hard drive. This allows cybercriminals to evade standard antivirus and anti-malware defenses that rely on scanning files on disk.
“Big Game Hunting” Schemes
Cybercriminals are increasingly selecting larger companies as targets in order to demand larger payouts; this practice is known as “big game hunting.” They may also target businesses whose services are critical, whose security measures are lax, and which therefore have a higher propensity to pay the ransom.