The threat and disruption posed by ransomware has been prolific in 2024, but as Dave Cartwright, CISSP explains, the threat is also evolving beyond its original form, moving beyond just holding systems and data in place to ransom to conducting acts of extortion.
There’s no question that the cybersecurity sector is one that drives a
considerable amount of investment and financial activity. According to the
FBI’s
2023 Internet Crime Report, revenues generated by cyber criminals came
in at $12.5 billion in the U.S. alone. In comparison, the
estimated global market
for legitimate cybersecurity activity in 2023 was $238 billion. It means the
proceeds of U.S. cybercrime alone equaled just over 5% of the global
investment in legitimate cybersecurity.
The statistics around cybercrime are very fuzzy, but the most believable estimates we found claim that around 6,000 people were arrested for cybercrime in 2023, and that around 5% of cyber criminals get arrested. Extrapolate this and it suggests the global cybercriminal population is around 120,000 people. Sharing $12.5 billion between them nets $104,000 per head. That’s a significant amount of money per head and a 95% chance of not getting caught (unlike, say, burglary where the capture rate is closer to 30%-35% and the proceeds much less lucrative).
Where’s the Money Coming From?
One of the more lucrative and active cybercrime tactics that has contributed to the proceeds of crime figure above is ransomware. However, for the last couple of years ransomware has been falling out of fashion.
From an attacker’s point of view, true ransomware has some very fundamental problems – the main one being that most of the world understands how it works and how to defend against it. Ransomware relies on the victim being unable to decrypt the affected files (the number of decryption tools developed over time by the good guys continues to grow) or to restore them easily from backup (people have now realized that air-gapped backups are simple to implement and use). It also relies on being able to get into the organization in the first place (anti-malware software, along with endpoint detection and response – EDR – continue to improve rapidly over time, thwarting more and more attacks) and ever-widening adoption of the Principle of Least Privilege means that if an attack breaches the perimeter of the network, the number of files the malware can encrypt is smaller than ever before.
If you read the statistics, though, ransomware appears to remain popular. This is because the word “ransomware” is being used less and less accurately to describe what’s happening.
According to Oxford Dictionaries, a ransom is “a sum of money demanded or paid for the release of a captive”. However, this is not where the industry (if we may call it that) is heading: the future is, actually, extortionware.
To Extort or to Ransom?
Extortion is “the practice of obtaining something, especially money, through force or threats”, and this is exactly where the ransomware industry is turning – or more accurately has largely turned.
Extortionware is an attractive concept for criminals for four main reasons. First, it is much easier simply to exfiltrate data than it is to encrypt it on a victim’s systems: the code is simpler to write; code that reads data is less likely to trigger EDR agent alerts than code that tries to write or change data; and the average user has read-only access to far more data than they have write access to. If, as an attacker, you can infiltrate some code into a victim’s network and find a mechanism to trickle data out to your nefarious file store, that’s all that’s needed to carry out an extortion attack.
Once the data has been extracted and saved somewhere, no amount of remediation by the victim will mitigate the risk. As we mentioned earlier, the victim can use backups or, sometimes, decryption tools to reverse the effects of many ransomware incidents, but once data has been exfiltrated there is no technological remedy.
Changing the Threat
When it comes to demanding payment for stolen data, bad actors can use the law to maximize their revenue. With data protection legislation in particular, the threat of avoiding a massive regulatory fine versus a much lower cost of paying out to the extortionist can appear attractive to many victims: It was the proposition tabled by criminals in the UK Post Office attack and no doubt many others. (Incidentally, in the Post Office case the attackers told the negotiator: “As long as we haven’t published any of your files, you can’t be fined” – which is completely wrong, but on the other hand paying the criminals to delete the stolen data may well have been far less costly than the potential fine).
Finally, on the demise of ransomware: even some of the cyber attack groups have formally abandoned traditional ransomware, at least in some market areas. A reproduction of the LockBit ransomware group’s “affiliate rules” states that: “It is [not permitted] to encrypt files in critical infrastructure, such as nuclear power plants, thermal power plants, hydroelectric power plants and other similar organizations. [You are] allowed to steal data without encryption”. One can only imagine that the criminals in this case are happy to be seen in a negative light for extorting money, but that the reputational hit and increased likelihood of being chased by law enforcement as a result of disabling utilities and similar critical infrastructure would be a reputational hit too far.
So, then: despite the sums of money involved, capitulating to cybercrime is really not the way forward: at the very least you would be breaching ISC2’s code of ethics fairly convincingly, particularly the element that says: “Act honorably, honestly, justly, responsibly, and legally” (not to mention, you simply can’t trust an attacker to do what they promise they’ll do even if you do pay the ransom or the extortion fee).
Do expect to see a decrease in the amount of traditional ransomware attacks in the world, with a corresponding ramp-up in extortion-based attacks. The latter is easier to carry out, ripe for inflated monetary demands and impossible to mitigate once the attacker has exfiltrated your data.
Related Insights