Unnatural Selection: Why Cybercriminals are Turning to Encryption-less Ransomware

Originally published by CXO REvolutionaries.

Written by Sam Curry, VP & CISO in Residence, Zscaler.

There is a form of decidedly unnatural selection happening online, but it is nevertheless a selective process in an evolutionary sense. It is unnatural because it is online and driven by humans and our tools. It is selective because there is pressure to make choices and refinements towards a goal: to make more money for less investment.

This isn’t the blind pursuit of top-line at all costs, like an irresponsible startup in an economic bubble, but is rather focused on margin and efficient return on investment. This is the inexorable march of capital, and it’s happening in cybercrime today with the oxymoronic-sounding encryption-less ransomware (ELR) phenomenon.

Zscaler’s ThreatLabz team recently published first-hand data and insight into ELR, with 25 new ransomware families emerging in 2023 alone, typically around large volumes of data extraction from victims. These attacks involve data theft and extortion, but not the long-time trait of ransom attacks involving cryptographic immobilization and bricking of systems and processes within companies. To understand how we have reached this point, why it matters, and where things might lead, let’s look back in time at the evolution of ransomware to date.

A long and sordid history

Ransomware began longer ago than most realize. Early practitioners primarily targeted consumers for hundreds of dollars per hack. The first recorded instance occurred in 1989 with the AIDS trojan, which extorted $189 and demanded payment through the mail. It became a more sustained phenomenon only when large numbers of consumers arrived on the internet after the Dot-com Boom. Home users and their stand-alone systems became the most readily extort-able for the least investment.

This pattern had become apparent by the mid-2000s with early spyware and grew into a consistent, measurable threat to home PCs, photos, and personal data a decade ago. We would even hear the occasional story of attackers showing kindness to the poor and giving decryption keys back at Christmas or some other feel-good story in the news. This doesn’t happen today except on the rarest of occasions largely because ransomware has been industrialized.

Most significantly, it moved next to companies, which were larger and could be extorted for more money. Even so, ransomware remained a cottage industry marked by structurally simple organizations with unsophisticated “supply chains” from hack to cash-out on the dark side. At the same time, cybercriminal business models were making a lot of money with credit card fraud and retail scams, which fueled economic growth. The arrival of cryptocurrencies like Bitcoin added further momentum by enabling liquidity and anonymity at a crucial point in ransomware groups’ growth. Innovation in ransomware was steady, but slow until it was accelerated by new alliances and new tools.

Since around 2015, ransomware technical and business innovation has grown in dark parallel to the legitimate economy. All of it is, actually, predictable if we look at this evolution through the lens of profitability. There are intelligent players making informed decisions for investment and growth: technical research, business partnerships, alliances, specialization in an ecosystem, and changes in process to both reduce waste (where ELR comes in) and leave no money behind. Modeling rational choices to understand hackers’ behavior is not new, but it is an ongoing force steering motivated, intelligent, and adaptable actors.

Let’s dive a little more into this notion of specialization, which is critical to understanding how selection functions. In nature, you can tell the oldest populations by the specialized niches they fill. After an extinction event occurs, for example, it takes time before genetic and phenotypic diversity is replenished. You also see this in linguistic evolution, as is the case with families of languages like Proto-Indo European leading to languages as different as Russian, Sanskrit, and German in over 5,000 years.

The same happens in economics with supply chains specializing at various, sequential stages for delivering services. This is what happens with virus writers, as opposed to the channel-like organizations that develop attacks, or the so-called gangs that manage compromises, which is again distinct from how money is cashed out by other “partners.”

As ransomware has become more profitable, rogue states, independent labs, organized crime, and other groups have partnered, invested, contributed, or taken part in this growing dark economy. Capital is moved around in search of returns in the dark economy as much as in the light one.

New tricks for an old trade

Now we come to the latest developments. First, we saw new ways to extort money, sometimes called double, triple, or multi-extortion rackets: victims pay to prevent operations failure, then to prevent the “outing” of the breach, then to prevent the publishing of the stolen data, and so on. It all started with encryption because the biggest top-line revenue came from operational impact. Other forms of extortion like preventing disclosure or paying to limit distribution of stolen data followed. Now, however, in the inexorable march of unnatural selection, data shows that the encryption and prevention of operational impact seems to be of lesser importance to some attackers than multiple forms of extortion.

Why? A hypothesis is that, like other former boom investment areas when capital becomes scarce, the top line is less important than the bottom line. Rather than waiting for companies to decide whether to pay or replace all affected IT systems, the yield for which is dropping while attacker costs stay the same. In contrast, even if the yield for ELR is less per hack but leads to more opportunities to collect. In other words, a better return on investment for some cybercriminals.

The trend may yet die out, as macroeconomic trends like the current capital scarcity, a sudden drop in Bitcoin value, or geopolitics affect the ecosystem. It might continue, however, as a smart business practice. Whatever the root cause, ELR is a trend to watch, measure, and research as it continues to grow.

In the meantime, ELR should inform threat modeling, risk modeling, and threat exercises. It’s time to update the tabletops and re-evaluate processes and contingencies now in the hot summer months of the northern hemisphere (or the final cooler months of the southern hemisphere) before the crunch of calendar year-end. As we enter November and the holiday shopping season from Black Friday and Cyber Monday through the New Year, we must be ready with contingencies.

Of course, it’s never a good idea to pay a ransom for a host of reasons. But that decision, the calculation to pay or not, and the reasons why should be settled on before the note arrives threatening extortion and blackmail, maybe more than once.