As ransomware continues to evolve, its volume surged in the first quarter of 2022 compared to the same period in 2021. Ransomware detections rose 80% and have already reached three times the level seen in the same period last year, according to a report from WatchGuard.
“Our analysts hypothesize that this rise has to do with the increased activities coming from the LAPSUS$ ransomware group during Q1,” the report said.
Ransomware as a business
This is funding a rapid evolution of the criminal ransomware industry, seen most saliently in the emergence of the Ransomware-as-a-Service (RaaS) business model, in which affiliates pay for ransomware developed by operators and use it to launch attacks.
“In Q1 2022 [there was] a significant increase in ransomware detections of 2,365. To put that in perspective, the total number of ransomware detections for all of 2021 was 1,313.”
A RaaS kit often includes 24/7 support, bundled offers, user reviews, forums “and other features identical to those offered by legitimate SaaS providers,” according to CrowdStrike.
“The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in 2021 was $6 million. A threat actor doesn’t need every attack to be successful in order to become rich,” CrowdStrike says.
Ransomware group turns to bug bounty
LockBit, one of the most active RaaS operators, has added a bug bounty program as it revamps its operation, according to reports. As part of “LockBit 3.0” – replete with the slogan "Make Ransomware Great Again!" – the group said it was inviting “all security researchers and ethical and unethical hackers on the planet” to participate in its bug bounty program, which allegedly offers rewards ranging from $1,000 to $1 million.
The group is seeking website bugs, locker bugs, vulnerabilities in TOX Messenger and the TOR network. LockBit is also seeking doxing targets, with an alleged $1 million bounty reserved for doxing the name of the “affiliate program boss.”
“Ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to hundreds of cybercriminals worldwide with various specializations,” Ivan Pisarev, Head of Dynamic Malware Analysis Team at Group-IB’s Threat Intelligence department, said in a statement.
Ransomware sans encryption
While classic ransomware – where data is encrypted and a ransom is demanded to unlock it – is still the most popular form of extortion, pure extortion is a growing trend, according to a joint Cybersecurity Advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.
The advisory (PDF) cites the Karakurt data extortion group, which does not encrypt compromised computers but rather steals data and then threatens to auction it off or release it to the public if payment isn’t received.
Ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim, the advisory said.
“The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code open a chat application over which victims can negotiate with Karakurt actors to have their data deleted,” according to the advisory.
Karakurt victims have reported extensive harassment campaigns that target employees, business partners, and clients, encouraging them to negotiate to prevent the release of victim data. These communications typically include samples of stolen data such as personally identifiable information (PII), which might include employment records, health records, and financial business records, the advisory said.
More evidence of the evolution of ransomware is multi-faceted extortion, which is “a fancy way of saying data theft paired with extortion," Mandiant Intelligence VP Sandra Joyce told The Register.
This extortion scheme includes discounted ransoms in order to encourage the victim to pay sooner, “with the demanded payment getting larger the longer it takes to cough up the cash,” The Register said.
Other crime groups offer "sliding-scale payment systems" where “you pay for what you get,” Mandiant’s Joyce said.
Mitigating the ransomware threat via code signing certificates
A separate report from Titanium said that while over 70% of organizations have prevention, detection, and backup solutions, nearly 40% have been the victims of ransomware attacks in the last year, proving that existing solutions are not effective.
“There is no single way to tackle ransomware. It’s going to happen,” said Eddie Glenn, Senior Product Marketing Manager at Venafi.
“An easy thing that a company can do is to require all macros to be signed with a company-security-policy-approved code signing certificate that has been issued to an individual. This way the person receiving the macro can be assured that the macro originated with the trusted employee and not a malicious external third party,” Glenn said.
“Adopting more modern security practices, like code signing macros or a Zero Trust security model, can address these threats with minimal hit on efficiency,” according to Glenn.
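The signed-macro policy Glenn describes can be enforced and audited on a Windows endpoint. The following PowerShell script is an added example, not code from the article, from Venafi or from Glenn. It assumes Office 2016/2019/2021/365 (registry version key 16.0), writes to the per-user Policies hive (the same keys Group Policy writes, so a domain GPO will override it), and uses Microsoft's documented VBAWarnings values; the function names and the chosen app list are this example's own.

```powershell
# Added example (not from the article or Venafi): enforce and audit the Office setting
# "Disable all macros except digitally signed macros", block macros in files that carry
# the Mark-of-the-Web, and list which publishers are currently trusted to sign macros.
# Assumptions: Office registry version 16.0; per-user Policies hive; run as the target user.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Documented VBAWarnings values: 1 = enable all, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification.
$RequireSigned = 3

function Get-MacroPolicyPath {
    param([string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-SignedMacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $path = Get-MacroPolicyPath -App $app
        if ($PSCmdlet.ShouldProcess($path, 'Require signed macros')) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            Set-ItemProperty -Path $path -Name 'VBAWarnings' -Value $RequireSigned -Type DWord
            # Refuse to run macros in documents downloaded from the Internet or received by mail.
            Set-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        }
    }
}

function Get-MacroPolicyReport {
    param([string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $path = Get-MacroPolicyPath -App $app
        $warn = (Get-ItemProperty -Path $path -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application   = $app
            VBAWarnings   = $warn
            BlockInternet = $motw
            # 3 or 4 both stop unsigned macros; anything else, or an unset value, is a gap.
            Compliant     = ($warn -in 3, 4) -and ($motw -eq 1)
        }
    }
}

# Signed macros run silently only if the signer is in the user's Trusted Publishers store,
# so that store is the real allow-list. Flag expired certificates and those lacking a
# Code Signing EKU, which should never have been trusted for this purpose.
function Get-TrustedPublisherReport {
    Get-ChildItem -Path 'Cert:\CurrentUser\TrustedPublisher' | ForEach-Object {
        [pscustomobject]@{
            Subject     = $_.Subject
            Thumbprint  = $_.Thumbprint
            NotAfter    = $_.NotAfter
            Expired     = $_.NotAfter -lt (Get-Date)
            CodeSigning = ($_.EnhancedKeyUsageList.FriendlyName -contains 'Code Signing')
        }
    }
}

Set-SignedMacroPolicy
Get-MacroPolicyReport | Format-Table -AutoSize
Get-TrustedPublisherReport | Format-Table -AutoSize
```

Run `Set-SignedMacroPolicy -WhatIf` first to see which keys would change. At fleet scale the same settings are delivered through the "VBA Macro Notification Settings" and "Block macros from running in Office files from the Internet" policies in the Office Administrative Templates, and the Trusted Publishers store is populated by pushing the company's code signing CA or individual signer certificates through Group Policy rather than by asking users to click "Trust this publisher".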
“Machine identities—like code signing certificates and API keys—are the targets of today and the future. Just one more reason why machine identity management is the most important cybersecurity trend of the decade,” said Kevin Bocek, VP, Ecosystem & Threat Intelligence at Venafi.