The ransomware threat landscape continued heating up into the spring, with a number of significant ransomware news events. Overall, the total number of attacks and the average ransom size continued to rise. The total damage caused by cybercrime is on pace to top $6 trillion this year, with ransomware driving a large portion of that growth.
Not all the news was bad, however: a number of ransomware gangs were shut down, some under mysterious circumstances.
We’ve rounded up some of the most important ransomware news so that you can stay up to date on the latest happenings in the dark underworld of ransomware.
Colonial Pipeline Attack
Awareness is growing of the national security threat posed by ransomware, and the Colonial Pipeline attack underscored this trend. In what was probably the most disruptive ransomware attack in history, an important pipeline that transports gasoline and jet fuel from Texas to the East Coast of the United States was shut down by the DarkSide ransomware gang.
This led to fuel shortages and increased gas prices for millions of people. Colonial apparently had no choice but to pay up; the Bitcoin address associated with the DarkSide gang received a payment of 25 BTC shortly before the pipeline went back online.
This draws attention to the need for essential service providers to pay more attention to cybersecurity. With ransomware attackers empowered by record profits, there is a heightened need for vigilance going forward.
Cyber Extortionists Under Pressure?
So when are the governments of the world going to strike back against the scourge of ransomware? Maybe sooner than you think.
In May, the DarkSide ransomware gang announced that it was shutting down. The gang explained that it had lost access to important parts of its infrastructure, including payment servers and CDN servers, which rendered the operation inoperable. It is speculated that this might have been retaliation for the Colonial Pipeline shutdown. In the announcement, the gang made a vague reference to “pressure from the US.”
DarkSide was not the only gang that went offline in May. The QLocker gang also unexpectedly disappeared, leaving many affected users unable to decrypt their files, even if they were willing to pay. The QLocker gang had infected a huge number of devices by way of a vulnerability in QNAP devices, a type of network-attached storage (NAS) appliance. Their approach was to infect a large number of devices and demand relatively small ransoms from each.
It’s unclear why the QLocker gang would shut down; they were raking in an estimated $350,000 in profits a month.
In related news, the XSS forum, which was once the go-to location for ransomware-as-a-service (RaaS) providers looking to build their networks, unexpectedly announced it would no longer be hosting posts related to RaaS. The forum admins also cited the press generated by the Colonial Pipeline attack as one of the reasons for the change.
All of these events seem to indicate that something is going on in the dark underworld of ransomware. Perhaps it’s an indication that someone is finally striking back against the hackers.
New Extortion Methods
As if double extortion wasn’t bad enough, hackers are now searching for even more ways to squeeze money out of their victims. The most common form of extortion has been locking down a victim’s file system and demanding payment for the decryption key. Data exfiltration attacks, which involve blackmailing victims by threatening to publish stolen sensitive data, are becoming more popular.
Some ransomware gangs, such as Avaddon, are now also conducting DDoS (distributed denial of service) attacks against their victims. Sometimes these attacks reuse the same exploits that were used to gain access to the network, encrypt it, and steal data. This further disrupts an organization’s operations and increases the pressure to pay.
As ransomware awareness spreads and many companies improve their backup procedures, hackers are shifting towards data exfiltration as a method of extortion. This means that hackers are increasingly targeting companies that handle sensitive data. In particular, hackers are targeting law firms, medical firms, and defense-sector firms more frequently.
Ransomware gangs seem to be willing to do just about anything to get companies to pay up; they’ve even resorted to threatening companies’ customers in some cases. For example, one gang targeted a large psychotherapy practice and attempted to extort patients by threatening to release notes from therapy sessions to the public.
Another tactic that has recently appeared is double encryption, whereby hackers place multiple layers of ransomware encryption on the victim’s file system so that they can demand additional payments for each layer.
This is likely a response to the increased levels of security as many companies respond to the rising ransomware threat.
The Struggle is Real
While there were some exceptions like QLocker, in general, we have seen a consistent trend towards larger, more targeted ransomware attacks. These attacks require a bigger investment by hackers, so ransom demands are also usually higher. Average downtime is also increasing.
Sodinokibi retained its top position as the most widespread ransomware variant. Exposed RDP (Remote Desktop Protocol) services still topped the list as the most common entry point exploited to deliver ransomware payloads.
The shifting dynamics in the ransomware space illustrate the never-ending arms race between cybersecurity professionals and criminals. Hopefully we will see some kind of political solution soon so that there will be fewer safe havens for cybercriminals. For the time being, however, cybersecurity is taking on more importance than ever before.
For some general tips on protecting yourself from ransomware, check out our handy guide. If you do end up getting hit by ransomware, you can refer to our free guide. Or reach out to us for a free consultation.