Is ransomware plague ebbing? Defenders improving, but so are attackers

Taylor Armerding
Published in Nerd For Tech
7 min read · Apr 3, 2023

By some measures, it looks like the ransomware plague may be inching from pandemic to endemic — still bad, but not quite as bad and not getting worse. Which would be much better.

How to tell? Follow the money. According to Chainalysis, which as the name suggests is a blockchain analysis firm, payments to cryptocurrency addresses it says are connected to ransomware attacks dropped 40% in a single year, from $766 million in 2021 to $457 million in 2022.

That’s the kind of decrease that leads to “restructuring” (translation: layoffs) in the legitimate business world.

Chainalysis and another cybersecurity firm, Coveware, also noted that the percentage of victims paying the ransom has dropped. According to Coveware, the drop was from 85% at the beginning of 2019 to 37% by late 2022. The Chainalysis statistics were similar over the same time period, a decline from 76% to 41%.

Besides that, the FBI announced in January that it had been able to infiltrate the notorious Hive ransomware gang, “captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded.”

The agency reported that it had gained access to allegedly Russian-based Hive’s network in July 2022, and provided more than 300 decryption keys to Hive victims that were under attack, plus more than 1,000 additional decryption keys to previous Hive victims.

That was a significant takedown. According to the FBI, the Hive gang, which appeared in August 2021, “has targeted more than 1,500 victims in more than 80 countries […] including hospitals, school districts, financial firms, and critical infrastructure.”

Even better news is that the FBI, with the help of law enforcement in Germany and the Netherlands, was able to locate and seize the dark web servers that the Hive gang was using.

That’s hard to do. As the Sophos Naked Security blog put it, “The dark web doesn’t just shield the identity and location of the users who connect to servers hosted on it, but also hides the location of the servers themselves from the clients who visit.”

Don’t raise a glass …

So, major kudos to the FBI. But hold the champagne. There’s always a “but…” in stories like this. Ransomware may be down by some measures but it’s not out. Attack techniques evolve much more quickly than even a deadly virus like COVID. And, like wounded animals, ransomware gangs can be more ruthless and dangerous as the resistance of defenders improves.

Among the bad-news indicators:

  • Chainalysis acknowledged a couple of caveats in its report. “[T]he true [payment] totals are much higher, as there are cryptocurrency addresses controlled by ransomware attackers that have yet to be identified on the blockchain and incorporated into our data,” the company wrote, noting that it had to revise its 2021 total up from $602 million to $766 million. And it acknowledged another reality that is widely known — the “massive underreporting of attacks by victims.”
  • The FBI’s 2022 Internet Crime Report documented 800,944 complaints, with losses of $10.3 billion from ransomware attacks — a 5% decrease from the previous year in complaints but a 49% increase in dollar losses. Also, criminal gangs breached the networks of at least 860 critical infrastructure organizations last year, according to the report.
  • Wired magazine reported that ransomware gangs are becoming more aggressive and “heinous” in their extortion techniques. In one attack on a Pennsylvania physician practice, when the victims refused to pay, the attackers posted “graphic and intimate” images of patients receiving breast cancer treatments. In another attack in Minneapolis against a school, the gang released handwritten notes naming students allegedly involved in a sexual assault case.

This is now typical, according to Naked Security, which reported that most ransomware gangs “treat any and all networks as fair game for blackmail, attacking publicly funded organizations such as schools and hospitals with the same vigor that they use against the wealthiest commercial companies.”

Also, even a major takedown like the one against Hive doesn’t make a major dent in the overall ransomware plague.

“Unfortunately, you’ve probably already heard the cliché that cybercrime abhors a vacuum, and that is sadly true for ransomware operators as much as it is for any other aspect of online criminality,” the Naked Security blog noted.

“If the core gang members aren’t arrested, they may simply lie low for a while, and then spring up under a new name (or perhaps even deliberately and arrogantly revive their old ‘brand’) with new servers, accessible once again on the dark web but at a new and now unknown location.”

Rapid evolution

Indeed, rapid evolution is a hallmark of the ransomware business model, which functions much like any legitimate franchise model. One relatively small group creates the malicious programs that encrypt an organization’s files, while a larger group of “affiliates” distribute the malware, and when they succeed, kick back a percentage of their winnings to the first group.

The creators are prolific — Chainalysis reported that more than 10,000 strains of ransomware were used in the first half of 2022. And the criminals who use them are more rapidly changing what they use. “In 2022, the average ransomware strain remained active for just 70 days, down from 153 in 2021 and 265 in 2020,” Chainalysis reported, adding that “this activity is likely related to ransomware attackers’ efforts to obfuscate their activity, as many attackers are working with multiple strains.”

“We can think of it as the gig economy, but for ransomware. A rideshare driver may have his Uber, Lyft, and Oja apps open at once, creating the illusion of three separate drivers on the road — but in reality, it’s all the same car.”

So while defenders get better and less willing to pay, attackers keep getting better and more aggressive as well. As noted, it’s not enough for defenders to keep an offline backup of their files, since the extortion isn’t just about scrambled data but also the threat to leak private and/or proprietary information.

So what should they do? There is no digital vaccine that guarantees protection from ransomware attacks. But it is possible to make it difficult enough to make a successful attack unlikely. The FBI has a list of recommendations. And at the top of the list is to “be a cautious and conscientious computer user. Malware distributors have gotten increasingly savvy, and you need to be careful about what you download and click on.”

Human problem, human solution

That’s right. Ironically enough, the most effective preventive measure against ransomware isn’t high tech. It’s not tech at all. The most successful attack technique is social engineering — tricking people into clicking a malicious link or providing access to an organization in some other way. And a human problem requires a human solution.

“Ransomware is a technical exploit of a people vulnerability,” said Jamie Boote, associate principal consultant with the Synopsys Software Integrity Group. “Ransomware can’t gain entry to a network without people doing the wrong thing. Social engineering attacks don’t currently have a technical solution and can fool even technically savvy users who let their guard down. As long as people are people, criminals will exploit them one way or another.”

Boote’s colleague, Boris Cipot, senior security engineer with the Synopsys Software Integrity Group, agrees. “When talking about ransomware or cyberattacks in general, we always think they are highly sophisticated attacks on the cutting edge of hacking expertise. But often it is just a simple mistake the IT guy made to let a door open for the attacker.”

That means the most effective prevention measure is employee training. Most employees want to protect the organization’s assets. But if they fall for a phishing email, reuse passwords, or don’t create complex ones, the best technology in the world can’t overcome those failures. That’s why more than 90% of all attacks on organizations are phishing.

There are technical measures as well, of course, that can help mitigate, if not prevent, attacks.

  • Keep operating systems, software, and applications up-to-date.
  • Make sure antivirus and anti-malware solutions are set to automatically update and run regular scans.
  • Back up data regularly and double-check that those backups were completed.
  • Secure your backups. Make sure they are not connected to the computers and networks they are backing up.
  • Harden your endpoints and virtual private networks. After email phishing, the two most common intrusion methods are unsecured Remote Desktop Protocol (RDP) endpoints and exploitation of corporate virtual private network appliances. That is in part because millions of people are still working from home two or more days a week and are therefore outside a better-protected office environment. Hardening means maintaining those endpoints and appliances with upgrades and patches, requiring strong passwords and two-factor authentication for users, and limiting access only to those who need it.
  • Create a continuity plan in case your business or organization is the victim of a ransomware attack.

That last item, a response plan, can be highly effective, but only if it’s rehearsed. “Imagine you have a football team and the only training they get is a written advisory on how the game is played,” Cipot said. “No one trains for the game or even sees the ball before the game. You can’t expect they will be able to do anything in a game against a trained opponent. The same goes for basically anything you do. How can you know if your plan works if you never test it?”
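The endpoint-hardening item in the list above is easier to act on if you can see where a host currently stands. The following read-only audit is an added example (not from the article or the FBI guidance) that checks a Windows host for the RDP weaknesses the list names: RDP enabled, Network Level Authentication not required, an inbound firewall rule open to any remote address, and a broad Remote Desktop Users group. It assumes Windows PowerShell 5.1 or later in an elevated prompt.

```powershell
# Added example: audit RDP exposure on a Windows host (read-only, no settings are changed).
# Assumes an elevated prompt; registry paths are the standard Terminal Server locations.
$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means inbound connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) { $findings += 'RDP is enabled on this host' }

# 2. Network Level Authentication: UserAuthentication = 1 forces credentials before a session is created,
#    which removes the pre-authentication attack surface that unsecured RDP endpoints expose.
$nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
if ($nla.UserAuthentication -ne 1) { $findings += 'Network Level Authentication is not required for RDP' }

# 3. Firewall scope: an enabled inbound "Remote Desktop" rule whose remote address is Any
#    accepts RDP from every network, not just the management range it should be limited to.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
  ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    if ($addr.RemoteAddress -contains 'Any') {
      $findings += "Firewall rule '$($_.DisplayName)' allows RDP from any remote address"
    }
  }

# 4. Least access: the local Remote Desktop Users group should hold only the people who need RDP.
$rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
if ($rdpUsers.Count -gt 0) {
  $findings += "Remote Desktop Users group has $($rdpUsers.Count) member(s): $($rdpUsers.Name -join ', ')"
}

# Report. Each finding maps to one of the hardening points: disable or restrict RDP, require NLA,
# narrow the firewall scope to trusted addresses (or put RDP behind the VPN with 2FA), prune the group.
if ($findings.Count -eq 0) { 'No RDP exposure findings' } else { $findings }
```

Two-factor authentication and patch level are not visible from these registry keys; check them in the VPN or identity provider and with Get-HotFix respectively.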

Finally, another reality is that increased tensions among nations arising from Russia’s war against Ukraine mean international cooperation on fighting ransomware is unlikely.

“This leaves the responsibility for solving ransomware or minimizing its impact with the individual company,” Boote said, adding that it will take a combination of human and technical measures.

“They can train employees to exercise vigilance and limit downloads or email attachments. Network teams can limit access by walling off network access to prevent the spread of ransomware and the reach of any single event. Disaster recovery and IT teams can treat ransomware as another event and ensure that operations can be resumed with minimal disruption,” he said.

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.