Big brands become a liability
Midsize businesses are the new frontier for ransomware demands
Mathew J. Schwartz (euroinfosec)
July 29, 2022
Here’s some unwanted ransomware news: the disintegration of the ransomware brand Conti earlier this year had no effect on the volume of ransomware attacks.
The group’s pledge of “full support” for the Kremlin on the second day of Russia’s invasion of Ukraine backfired dramatically by politicizing ransomware payments in the midst of a European ground war. The group tried to walk back its promise, but it was too late.
This opened the door for successor groups, which took note and adjusted their operations, according to a report by ransomware incident response firm Coveware.
Among its findings: Brand awareness is no longer a plus for ransomware groups, and attackers have shifted to small and medium-sized businesses. Don’t expect a decrease in the number of attacks – these continue, as always, at their malicious pace.
Which ransomware brands now dominate? Based on the ransomware incidents it has helped handle, Coveware found that Conti spin-off BlackCat, aka Alphv, was the strain most commonly seen behind successful attacks from April to June. This contrasts with the number of alleged non-paying victims listed on groups’ data leak sites over the same period, where LockBit listed the most.
But which group matters most is an increasingly irrelevant question, Coveware says.
Historically, major ransomware brands promised not only technical sophistication – cryptographic locking malware that would encrypt systems faster and more reliably and be harder to spot and block – but also the fear factor caused by their brand name.
But while DarkSide was forced to shut down and rebrand after hitting Colonial Pipeline, and REvil – aka Sodinokibi – and more recently Conti went by the wayside, big brands not only seem to have less cachet with affiliates but are also considered riskier, says Coveware. Big brands are a bigger target for law enforcement. For operators, this means having to invest more to keep their infrastructure running in the face of attempts to disrupt it (see: Ransomware Evolves: Affiliates Are Ready to Wield Greater Power).
According to Coveware, operators are also moving away from providing a range of centralized services, such as “seeding initial access – through partnerships with botnets and access brokers, assisting with the storage of stolen data, centrally managing negotiations and handling support via leak sites and decryptors.” Instead, responsibility for these activities increasingly falls on affiliates, in part because it makes the operator less of a target and its operations harder to disrupt.
Decentralization makes the ransomware ecosystem more difficult for investigators to track. “The resulting environment is one where sophisticated ransomware-as-a-service affiliates are fluid, regularly moving between variants or engaging in attacks without branded malware,” Coveware says. “Attribution has always been difficult, but it’s getting harder and harder in today’s environment.”
Common Data Leakage Threats
The average ransom paid to a ransomware attacker, when a victim chooses to pay, is rising.
From April to June, the average ransom payment was $228,125, up 8% from January to March, Coveware reports. These findings are based on thousands of cases the firm has helped investigate, many of which have not been made public.
In the same time frame, the median ransom payment decreased by 51% to $36,360.
Coveware attributes this decrease to affiliates and developers in ransomware-as-a-service operations moving more “towards the middle market where the risk-reward profile of attacks is more consistent and less risky than high-level attacks.”
More than a year after the disastrous attack on Colonial Pipeline in the United States sparked a backlash from the White House, ransomware-wielding attackers appear to be more circumspect in their choice of target, as evidenced by a retreat from targeting large organizations, so-called big game hunting.
Small and medium-sized businesses remain particularly vulnerable to ransomware, often due to their relatively low investments in cybersecurity.
Downtime decreased by 8% between the first and second quarters of this year, to an average of 24 days. Coveware attributes the decrease to more ransomware attackers skipping the crypto-locking of systems altogether in favor of a pure data leak model, in which they simply steal data and hold it for ransom.
Coveware says that from April to June, 89% of the cases it investigated involved attackers threatening to release stolen data. But not every group that claims to have stolen data has actually done so.
Attackers also regularly demand one or more ransom payments in exchange for a series of promises: to provide a working decryptor for the encrypted files, to not disclose or sell stolen data, to remove the victim’s logo from their data leak site, or to not attack the organization again.
It should come as no surprise that over the past few months, Coveware “has seen continued evidence that threat actors are not keeping their word when it comes to destroying exfiltrated data.” In other words, if attackers can profit from the sale, they will.
After the attack: be frank
Like government authorities, Coveware recommends that victims never pay ransoms in exchange for attackers’ promises about what they might or might not do, or for public relations purposes.
Despite this advice, many victims nevertheless pay a ransom, hoping that the payment will minimize the potential damage of the breach, prove that the organization did everything it could to mitigate the damage, reduce its potential liability in class action lawsuits or simply look better, from a public relations point of view (see: Don’t pay ransoms, request from UK government and privacy watchdog).
“A much better narrative is to be candid, honest, and contrite,” Coveware says. “Your concerned constituents will understand that this is happening and will appreciate the transparency. You won’t be the first counterparty to report a breach to a valued customer, and you won’t be the last. Disclosing a breach has never bankrupted a company.”