Are Ransomware Attackers Ever Caught?
Originally published by ShardSecure.
The growing threat of ransomware
Ransomware has become a major concern for individuals, small businesses, major corporations, and the public sector alike. With recent high-profile victims ranging from oil and gas pipelines to software companies, public health agencies, and meatpacking plants, it’s abundantly clear that ransomware attackers pose a significant threat to national security.
The US Cybersecurity and Infrastructure Security Agency (CISA) has noted that it’s particularly concerned with the impact of ransomware on government systems, municipalities, police and fire departments, medical facilities, and other vital infrastructure. And the problem is not limited to the United States; the European Union Agency for Cybersecurity (ENISA) noted a 150% rise in ransomware attacks between 2020 and 2021.
Over the past few years, we’ve seen ransomware attackers band together in well-organized operations to carry out highly sophisticated cybercrimes. We’ve also seen the rise of Ransomware-as-a-Service (RaaS), where malware developers sell software leases or subscriptions to other cybercriminals.
The problem shows no sign of slowing down. A Cybersecurity Ventures report estimated that ransomware will cost the economy around $265 billion annually by 2031, with dozens of new attacks happening each minute.
The massive rise in the quantity and sophistication of ransomware attacks has left many wondering whether and how these criminals can be deterred. Unfortunately, though, the vast majority of ransomware attackers remain at large.
First, it’s worth noting that a small number of attackers are caught and brought to justice. In late 2021, a Ukrainian attacker suspected to be part of the notorious Russia-based REvil ransomware gang was arrested and charged by the United States, and over $6 million in ransom money was recovered from an associate in the same group. Around the same time, Europol arrested 12 of the suspected cybercriminals behind the 2019 Norsk Hydro attack.
Governments around the world are also stepping up their efforts to combat cyberattacks. In April 2021, the US Department of Justice launched a dedicated task force to crack down on ransomware. Similarly, Europol has begun to tackle ransomware attacks as part of its Joint Cybercrime Action Taskforce (J-CAT).
However, arrests and prosecutions are still very much in the minority when it comes to ransomware attacks. Ransomware is a burgeoning industry with an ever-widening network of criminals to carry out attacks, and it has been difficult to locate — let alone prosecute — many of these malicious actors.
There are many reasons why ransomware attackers manage to evade detection. First, there’s the international nature of cybercrime, which means that investigations often require extensive diplomatic cooperation among multiple nations and agencies.
There’s also the growing technical sophistication of malware itself, which often poses several different threats within the same attack. But at an even more basic level, there are just too many ransomware attackers, operating in too decentralized a manner, with too many strong incentives to continue perpetrating attacks, for most of them to be brought to justice.
Below, we’ll dive into several of these issues and incentives in more detail:
- Ransomware is getting more sophisticated
- Businesses keep paying ransoms
- Ransomware insurance covers the costs
- Cryptocurrency facilitates cybercrime
We’ll also offer some suggestions to help your organization stay safe and mitigate the impact of ransomware attacks.
Ransomware is getting more sophisticated
The ransomware industry has grown more complex on several fronts.
First, attackers have begun to coalesce into highly dangerous criminal enterprises. These enterprises often share crucial infrastructure but operate in a decentralized fashion to make themselves harder to trace. Different teams in these organizations may specialize in different aspects of the ransomware attack, from stealing the data to communicating with the victim to publishing the exfiltrated material.
Second, the underlying technology behind ransomware attacks has grown more complex. According to the Center for Internet Security, ransomware has recently expanded to include data exfiltration, participation in distributed denial of service (DDoS) attacks, and anti-detection components. The result is stealthier encryption and more comprehensive and targeted damage.
Lastly, ransomware attackers are now using a multi-pronged approach to ensure they are paid. If an organization has backups in place to restore affected systems and files, the attackers may target the backups themselves. Or, they may threaten to release an organization’s sensitive data — everything from patient information to financial reports and trade secrets — to get what they want.
Businesses keep paying ransoms
The FBI and other cybersecurity experts have urged victims not to pay ransoms, as there is no guarantee that payment will make the attackers actually give up the decryption key or restore access to the affected files or systems. There’s also nothing to prevent a ransomware organization from targeting the same victim a month or a year later.
Despite this fact, the majority of victims opt to pay the ransom. When faced with the loss of crucial data or operating systems, many organizations have no choice but to pay up.
According to a May 2022 CyberTalk report, 63% of affected organizations paid the ransom — including a staggering 26% of organizations that had backups in place to restore their data. Nor were these small payments; the same report noted that one in ten victims paid more than $1 million.
With such significant payouts, it’s no surprise that ransomware attacks are spreading faster than law enforcement agencies and task forces can track and prevent them.
Ransomware insurance covers the costs
Another incentive for ransomware attackers is the existence of lucrative insurance payouts. An astonishing 83% of mid-sized companies currently rely on cyber insurance to help mitigate the cost of a ransomware attack — meaning that attackers who target this kind of organization are likely to receive the full ransom payment for their trouble.
While this is great news for companies that invest in cyber insurance, it’s worth noting that insurance policies have recently become more difficult to qualify for. Insurers are increasingly reluctant to pay out ransoms unless organizations first adhere to strict compliance frameworks and implement strong data security measures.
Cryptocurrency facilitates cybercrime
A final reason that ransomware attackers are able to evade detection is the use of cryptocurrency for ransom payments. Cryptocurrency transactions are not impossible to trace, but it is often difficult to track them because of their anonymous nature.
Cryptocurrency also facilitates fast international money transfers, making it easier to launder ransom payments without detection.
That’s why many attackers require that ransoms be paid in cryptocurrencies like Bitcoin. No personal identification is required for an attacker to obtain a crypto wallet, receive a large payment, and then vanish into the ether.
With ransomware attackers avoiding detection and prosecution — and with major incentives remaining for them to continue their attacks — the threat of ransomware will likely keep growing. So what can organizations do to keep themselves safe?
Traditional data backups no longer cut it. Backup servers can now be infected with time-delayed ransomware, which means that backups can be compromised without companies realizing it.
Luckily, there are a number of data security recommendations that companies can follow from organizations like CISA and the Center for Internet Security. From training employees on phishing attempts to creating multiple iterations of backups and employing antivirus and anti-spam solutions, businesses can take many solid measures to help minimize the risk of ransomware.
However, for more advanced protection, some companies may turn to outside solutions.
An innovative application of microsharding technology can help neutralize the effects of ransomware by desensitizing sensitive data for use in multi-cloud and hybrid-cloud environments.
Microsharding works by shredding data into tiny fragments (or microshards) that are too small to contain so much as a complete birthdate or other piece of sensitive data. The process then removes file metadata and distributes the microshards across multiple logical containers of the user’s choice. As a result, unauthorized users can only access an unintelligible fraction of a complete data set of microsharded material.
Based loosely on the concepts of RAID 5 and traditional sharding — a process used to distribute a single dataset across multiple databases and increase a system’s total storage capacity — microsharding helps to protect against the data exfiltration aspect of cloud ransomware in which attackers threaten to publish sensitive or confidential data. Once microsharded, confidential material cannot be used for extortion in a ransomware attack, since attackers cannot reassemble it.
Microsharding can also help reconstruct affected data whenever it is tampered with, deleted, or held hostage by ransomware. When microsharding technology is combined with automated controls and multiple data integrity checks, unauthorized modifications from cloud storage ransomware can be detected, and data can automatically be rolled back to its earlier state. This means that, with the right application, real-time ransomware repairs can begin automatically and in a way that is transparent to users.
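To make the mechanism concrete, here is an added toy model of the microsharding idea as the preceding paragraphs describe it: data is cut into fragments too small to hold a complete field, the fragments are spread across several containers with RAID-5-style rotating parity, and a manifest of per-shard digests lets the owner detect a tampered, encrypted or deleted shard and rebuild it from the rest of its stripe. This is illustrative code written for this page, not ShardSecure's implementation; the 4-byte shard size, the XOR parity scheme, the SHA-256 manifest, the sample patient record and all function names are assumptions chosen for the example.

```python
"""Toy microsharding model: fragment, distribute, verify, repair.

Added illustration only; it is not ShardSecure's product code. The shard
size, parity layout and manifest format are assumptions for this example.
"""
import hashlib

SHARD_SIZE = 4  # bytes per microshard (constructed toy value)


def _xor(blocks):
    """XOR a list of equal-length byte strings (RAID-5 style parity)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def microshard(data: bytes, n_containers: int = 4):
    """Fragment `data` into SHARD_SIZE-byte shards and group them into stripes
    of n_containers-1 data shards plus one XOR parity shard, rotating the
    parity position per stripe as RAID 5 does. Containers receive only
    anonymous fragments (no filename, length or field boundaries). The
    manifest, kept by the owner and never stored in the containers, records
    the layout, the original length and a SHA-256 digest of every shard."""
    if n_containers < 3:
        raise ValueError("need at least two data containers plus parity")
    d = n_containers - 1                      # data shards per stripe
    stripe_bytes = SHARD_SIZE * d
    padded = data + b"\0" * (-len(data) % stripe_bytes)
    containers = [[] for _ in range(n_containers)]
    manifest = {"length": len(data), "stripes": []}
    for s, off in enumerate(range(0, len(padded), stripe_bytes)):
        shards = [padded[off + i * SHARD_SIZE: off + (i + 1) * SHARD_SIZE]
                  for i in range(d)]
        parity_pos = (n_containers - 1 - s) % n_containers
        stripe = shards[:]
        stripe.insert(parity_pos, _xor(shards))   # parity rides in the rotating slot
        for c, shard in enumerate(stripe):
            containers[c].append(shard)           # container c holds slot c of each stripe
        manifest["stripes"].append({
            "parity": parity_pos,
            "digests": [hashlib.sha256(sh).hexdigest() for sh in stripe],
        })
    return containers, manifest


def verify(containers, manifest):
    """Return [(stripe, container)] for every shard whose digest no longer
    matches the manifest: tampered, encrypted in place, or deleted (None)."""
    bad = []
    for s, entry in enumerate(manifest["stripes"]):
        for c, digest in enumerate(entry["digests"]):
            shard = containers[c][s]
            if shard is None or hashlib.sha256(shard).hexdigest() != digest:
                bad.append((s, c))
    return bad


def repair(containers, manifest):
    """Rebuild each damaged shard from the other shards in its stripe (the XOR
    of all slots is zero, so the missing slot is the XOR of the rest). Parity
    covers one bad shard per stripe; more than that is reported as an error.
    Returns the number of shards rewritten."""
    damaged = {}
    for s, c in verify(containers, manifest):
        damaged.setdefault(s, []).append(c)
    for s, cols in damaged.items():
        if len(cols) > 1:
            raise RuntimeError(f"stripe {s}: {len(cols)} bad shards, parity rebuilds only one")
        c = cols[0]
        others = [containers[k][s] for k in range(len(containers)) if k != c]
        containers[c][s] = _xor(others)
    return sum(len(cols) for cols in damaged.values())


def reassemble(containers, manifest):
    """Repair any damaged shards, then read the data slots of each stripe in
    order (skipping the parity slot) and strip the padding."""
    repair(containers, manifest)
    out = bytearray()
    for s, entry in enumerate(manifest["stripes"]):
        for c in range(len(containers)):
            if c != entry["parity"]:
                out += containers[c][s]
    return bytes(out[:manifest["length"]])


if __name__ == "__main__":
    # Constructed sample record; no real person or identifier.
    record = b"Patient: Jane Q. Example, DOB 1980-02-29, MRN 12345678"
    containers, manifest = microshard(record, n_containers=4)
    print("container 0 alone sees:", containers[0])
    # Simulate cloud-storage ransomware encrypting everything in container 2.
    containers[2] = [bytes(b ^ 0xAA for b in sh) for sh in containers[2]]
    print("damaged shards:", verify(containers, manifest))
    print("recovered intact:", reassemble(containers, manifest) == record)
```

Two points the paragraph alone does not show: the digest manifest is what turns "unauthorized modification" into something detectable rather than silently corrupted backups, and the parity stripe is what allows the rollback without a second copy of the data. The model tolerates one lost or altered shard per stripe; a production scheme would use a stronger erasure code and keep the manifest as protected as the data it describes.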
Microsharding technology can therefore help organizations restore their compromised data, avoid an outage, and maintain business continuity.