We Need To Stop Preparing For The Last War

It is the beginning of a new year, and the internet is full of articles reviewing the previous year in cybersecurity or predicting what to expect in 2022. Unsurprisingly, “ransomware” is one of the most popular topics—both when looking at the past and predicting what the future holds for us.

2021 was “the year of ransomware.” But so were 2017, 2018, 2019, and 2020—and 2022 will probably not be very different. Ransomware is no longer a problem discussed only in the cybersecurity and tech communities—it is now a regular occurrence in mainstream media headlines and executive board meetings.

So why is ransomware such a menace, and why can we not seem to get rid of it? One of the reasons is that we seem to miss the continued evolution of ransomware—we keep preparing for the last war. Ransomware in 2022 is very different than ransomware in 2017, yet we still treat it the same way. We must understand how the threat landscape is changing to protect our organizations in the future. So, what is the most important transformation of modern ransomware?

Time for the heist!

The cybercrime ecosystem is driven by the same economic forces as regular markets. A new business concept or idea can quickly become the new standard, eventually replacing previous business practices.

When Ransomware-as-a-Service (RaaS) appeared on the scene, it initially failed to change the cybercrime industry. First experiments were based on a subscription model where affiliates were paid a fee for access to ransomware infrastructure and tools, but everything else was up to them. It raised some concerns in the cybersecurity industry but didn’t really have a big impact on the way we protected our organizations from risk. The model changed, but the activities to prevent, detect and respond mostly remained the same.

The real deal was the introduction of the profit-sharing model. In this model, ransomware operators work with affiliates. Ransomware operators are responsible for developing the malware and running the infrastructure, focusing all their attention on running a platform for others. Affiliates are specialists in penetration testing and work in the field, gaining access to victims’ networks. After successful deployment, ransomware operators negotiate and collect the ransom and distribute their share to affiliates. If this reminds you of a heist movie, you are correct. It’s a group of experts getting together to do a special job and escape with a large sum of money.

But the often overlooked, important factor to understand is the revenue sharing ratio between these two partners. Modern ransomware revenue distribution favors affiliates, who often get around 80% of the total ransom. While ransomware operators usually get all the credit for a successful attack and lead negotiations, affiliates get the largest share of profit.
In the last few years, the power has shifted from those who control the ransomware code to those who control access to networks.

When ransomware operators cannot increase their share of revenue without losing affiliates to competitors, they need to focus on maximizing the ransom payout. A rising tide lifts all boats, and increasing the total payout is fueling this whole profit-sharing scheme. Planning, execution, and exit require careful planning, but the payout can be in tens of millions, as we have seen in the last few years.

New challenges bring new opportunities

To reach these astronomical ransoms (compared to an average ransom just a few years prior), threat actors are focused
on maximizing pressure on their victims. They carefully stage their attack, first locating your backups, learning about your incident response strategy, your cyberinsurance coverage, and anything else that could help them to put more pressure or increase the maximum potential ransom. Double, triple, or even quadruple extortion is now a common practice. Some groups, like Karakurt, don’t even bother with the encryption anymore and focus strictly on the data exfiltration. The supply chain attacks are a hit because they act as a force multiplier.

There is a silver lining, though—while these attacks are much more devastating, they require more time to prepare. The time from the initial infection to the encryption of all files is no longer seconds or minutes as it was with opportunistic ransomware— now it can be weeks or even months.

In many ways, defense against modern ransomware is similar to protection against APT threats. Defense-in-depth (once again) is an effective strategy to combat this new generation of ransomware. Robust prevention security controls are a good foundation that needs to be complemented with detection and response tools. Separating noise from the real alerts and keeping a low false-positives ratio is critical. When adversaries make a mistake (and they usually do), you need to detect it and respond before the full-scale attack can be launched.

Small and medium businesses are not safe from these attacks. Some affiliates are specialized in targeting the SMB segment, often using different initial vectors than for enterprises. Ransom is based on revenue, and a small company with robust revenue is the perfect target. When choosing the victims, threat actors can also increase the pressure by focusing on industries where downtime has serious implications to business, for example, manufacturing. MSP, MDR, and other managed security services should be used to complement your own security teams.

Finally, global leaders, the private sector, and law enforcement agencies can disrupt the relationship between ransomware operators and affiliates. For example, releasing decryptors is not only impacting the cash flow of ransomware groups, but it’s also very damaging to their reputation in the underground. Global threats should trigger a global response, as recently seen with operation GoldDust—a global collaboration between 19 law enforcement agencies and the private sector that shut down REvil operations in 2021.

Ransomware still looms large

The year 2022 is going to be the year of ransomware again. And it will stay that way until we start paying attention to the latest trends on the other side of the front. If we keep building trenches while the enemy is already using airplanes, we will see $100+M ransoms soon.

Learn more about what the future of cybersecurity holds for MSPs.

This essay was released as part of an eBook combining a group of cybersecurity experts from different fields, companies, and backgrounds to give their predictions for what they see as the future of cybersecurity.