The Evolution of Ransomware: From Ransomware to RansomOps

Ransomware attacks are trending steeply upward, and the gradient isn't softening. Individuals and organizations continue to fall victim to this age-old cybercrime, and it's far from a new phenomenon.

Coveware recently released its quarterly report (2022 Q2) regarding ransomware. There are some interesting facts that I want to share with you.

No More WannaCry But Something More Lethal

Take a step back and review what happened in 2017. Then, WannaCry was a small-dollar ransom, seeking to collect hundreds of dollars worth of Bitcoin from each company. This year, we have supply chain attacks.

Compared to then, ransomware in recent times has shifted toward high-value targets, with well-funded threat actors extorting millions of dollars from each victim. But, first, let's look into modern ransomware's technological changes and business models.

Introduction: Ransomware 1.0

Ransomware has been around for several years. Furthermore, according to the well-known security company Kroll, it has become an even bigger problem lately, surpassing email compromise to become the most popular attack.

FUD (Fear, Uncertainty, and Doubt) makes ransomware so profitable

The fear of losing the data forever, the uncertainty about what to do instead, and the doubt of whether paying can get the data back. A push from a countdown timer on the screen gives victims a chance to learn about cryptocurrency, as most ransoms are paid in it.

While original ransoms were not serious, usually estimated in hundreds of dollars, recent ransom demands can go way up to hundreds of thousands or even millions of dollars.

The old hacker's way of a typical ransomware attack: compromise the target, encrypt their data, demand a ransom. It cannot be remediated entirely by effective backup routines, the only way for a victim company to resume operations without the burden of dealing with cyber criminals.

The Ransom Exists Solely in the Cyberspace: "Double-Extortion"

Ransom in the physical world would only end with two outcomes: the prisoner's release or death. But in cyberspace, hackers' creativity is limitless, because in the digital world, you can release the "prisoner" and request ransom again.

One reason the cost of ransom payments has grown so fast is the increase in attack activity and in the price of Bitcoin, in which most ransoms are demanded.

Additionally, one of the trends to conclude from last quarter's ransomware attacks is undoubtedly the new wave of attacks adopting the approach called "double-extortion." The pioneer of this technique was the "Maze Crew" in November 2019. The attacker said in their email to Bleeping Computer that they had downloaded the victim's data from their network and threatened to release it if an additional payment was not made.

By adopting double extortion, attackers in these "ransomware 2.0" attacks can force organizations to pay a ransom even if they can recover their information using data backups, due to the threat of a data breach.

Moreover, attackers' threat of a data leak can increase the victim's urge to pay a ransom, since the potential economic and, more importantly, reputational damage could be more devastating than data loss. With double extortion attacks, the availability of a backup could become worthless.

Ransomware 2.0

According to an analysis in cybersecurity company Coveware's Quarterly Ransomware Report (Q1, 2021), the average ransom payment in the first three months of 2021 was USD220,298, a significant rise from USD154,108 in the last quarter of 2020.

Coveware's Quarterly Ransomware Report (Q3, 2020) gives us more insight into this matter. The report shows nearly half of ransomware attacks steal data before the encryption begins.

We see that more ransomware attacks are not just a business continuity or disaster recovery matter but also data thefts and a complete cybersecurity incident response.

Criminals now put several layers of extortion in place; some even threaten to send press releases to media or email notifications to your customers in case of nonpayment, notifying them of the cyberattacks. All those threats give cybercriminals various opportunities to monetize their attack:

For example, criminals could threaten to release or sell the data on different "black markets" if the victim did not pay the ransom. Moreover, this was typically followed by a solemn promise to erase the stolen data if the victim paid the ransom.

Criminals may promise to erase data, but even after receiving the ransom, they sell it anyway, as most companies would not investigate the post-ransomware impact any further.

Another group of cybercriminals contacts a victim and explains that they stole a copy of the victim's data from the original thieves and will release (or sell) it unless they receive an additional payment.

Ransomware-as-a-Service (RaaS)

The development of numerous smaller ransomware-as-a-service (RaaS) operations that recruit associates from recently disbanded syndicates and carry out lower-tier, opportunistic attacks is another recent development that Coveware has noticed.

“This trend reflects the shift of RaaS affiliates and developers towards the mid-market where the risk to reward profile of attack is more consistent and less risky than high profile attacks,”

Ransomware-as-a-service (RaaS) is a subscription model that allows affiliates to use already-developed ransomware tools to launch ransomware attacks. In the end, affiliates earn a percentage of each successful ransom payment. RaaS adopts the Software as a Service (SaaS) business model that we use in other cloud computing technologies.

In the past, coding erudition was a requirement for all successful hackers.
But with the introduction of the RaaS model, this technical prerequisite has been entirely diluted. Ransomware attacks are no longer the privilege of advanced hackers. Instead, the low technical barrier of entry and prodigious affiliate earning potential make RaaS solutions engineered explicitly for victim proliferation.

Ransomware Econ 101

Multiple economic factors influence the final ransom. A worrying aspect is that attackers usually know how much victims will pay beforehand. They also know whether the victim is encountering an attack for the first time, which gives attackers the upper hand.

In the report, it stated:

“… the total profit is not only influenced by the amount of ransom they demand from the victim…It also depends on whether the victim decides to pay, and the costs of the operation.”

Costs to ransomware groups can include ransomware-as-a-service fees, fees to launder extorted cryptocurrency, commissions, and the cost of carrying out the attack itself.

Another interesting factor is the victim's willingness to pay: if the price is too high, pushing the victim to give up the data, the attacker gets nothing. Therefore, the most profitable method is to increase the percentage of victims who pay instead of the price of each hack. In other words, ransom price and the willingness to pay negatively correlate.

Some interesting findings: smaller companies generally pay more from a rate-of-return point of view. In other words, a smaller company pays less in absolute amount but more as a percentage of its revenue.

As a result, attackers must simultaneously lower their costs and increase "sales" to maximize profit, like other businesses. Attackers must choose a business model where a smaller number of victims pay a higher ransom, or a more significant number of victims pay a smaller ransom.

Thus, the final ransom price should be high enough to cover the cost of hosting malware, penetration testing, and developing toolsets for attackers, and low enough that a high percentage of victims still settle.

So their business model depends on learning how potentially lucrative a target might be and how likely a company is to pay.

More Victims Not Paying

According to Coveware's report for Q2 2022, the average ransom was $228,125 in Q2 2022, an increase of 8% from Q1 '22. However, the typical ransom payment was $36,360, a sharp decrease of 51% from the previous quarter. This continues a declining trend that began in Q4 2021, when average ($332,168) and median ($117,116) ransomware payments peaked.

This quarter, 86 percent of the reported cases employed the double extortion strategy, which threatens to expose files that were stolen before being encrypted. Coveware emphasizes that in many instances threat actors continued their extortion or disclosed the stolen files despite collecting the ransom.

Data exfiltration was frequently the primary extortion technique for many attackers; hence, many incidents didn't include file encryption. As a result, the average time systems were offline due to ransomware assaults fell to 24 days, an 8 percent decrease from Q1 2022.

Final Words

Ransomware is in the spotlight now and may never go away, but stealing credit card numbers and hacktivism were in the limelight before, and it will be something new in the future. So let's keep pressure on the government to do its part and focus on what we can do within our organizations to do ours.

When addressing this persistent threat, the government must focus on educating and providing resources to guide organizations (e.g., https://www.cisa.gov/stopransomware) to disrupt the criminal activities and economic drivers that allow this threat vector to grow.

Meanwhile, organizations should focus on reducing the attack surface and building the fundamentals of a comprehensive security operation. This includes knowing what's in your environment (enhance visibility), ensuring everything is configured correctly (security posture management), managing vulnerabilities and patching, limiting access (or even better, micro-segmentation), and having an incident response plan.

Thank you for reading. May InfoSec be with you🖖.