Few things elicit terror quite like switching on a computer and viewing a message that all its files and data are locked up and unavailable to access. Yet, as society wades deeper into digital technology, this is an increasingly common scenario. Ransomware, which encrypts data so cybercriminals can extract a payment for its safe return, has become increasingly common—and costly. A 2019 report from security vendor Emisoft pegged the annual cost of ransomware in excess of $7.5 billion in the U.S. alone.1
"Individuals, businesses, hospitals, universities and government have all fallen victim to attacks," says Chris Hinkley, head of the Threat Resistance Unit (TRU) research team for security firm Armor. In a worst-case scenario, ransoms can run into the tens of millions of dollars and close down an organization's operations entirely. It has forced hospitals to redirect patients to other facilities, disrupted emergency services, and shut down businesses.
The problem is growing worse, despite the development of new and more advanced ways to battle it, including the use of behavioral analytics and artificial intelligence (AI). "Cybergangs use different cryptographic algorithms and they distribute software that is remarkably sophisticated and difficult to detect," Hinkley says. "Today, there is almost no barrier to entry and the damage that's inflicted is enormous."
Money for Nothing
The origins of modern ransomware can be traced to September 2013. Then, a fairly rudimentary form of malware, CryptoLocker, introduced a new and disturbing threat: when a person clicked a malicious email link or opened an infected file, a Trojan Horse began encrypting all the files on a computer. Once the process was complete, crooks demanded a cryptocurrency payment, usually a few hundred dollars, to unlock the data. If the person didn't pay in cybercurrency, the perpetrator deleted the private key needed to decrypt the data and it was lost permanently.
Today, a dizzying array of ransomware exists, with each variation developed by different cybergangs. Once they reside on a computer, the likes of Dharma, Maze, Ryuk, Petya, Sodinokibi, Lazarus, and Lockbit unleash malware that spreads across systems and networks—until the crooks decide to pull the trigger. Making matters worse, some cybergangs sell ransomware kits for as little as a few hundred dollars (or via a subscription that may run as low as $50 to $100 per month). These "customers," who have zero coding skills or software expertise, take advantage of a ransomware-as-a-service (RaaS) model to gain sophisticated capabilities, says Keith Mularski, a former FBI agent and now managing director of the cybersecurity practice at Ernst & Young.
According to security firm Sophos, 51% of organizations it sampled globally found themselves the targets of ransomware attacks in 2019. The crooks succeeded in encrypting data in 73% of these attacks. Just over a quarter of these organizations paid the ransom, or their insurance companies forked over the cash. For instance, University Hospital of New Jersey paid a $670,000 ransom in October 2020 after a group called SunCrypt captured 240GB of its data. A more catastrophic outcome occurred in July 2019, when Portland, OR-based PM Consultants, a managed services provider (MSP) for dental practices, was hit with ransomware; customers could not access key files or data for months, and the firm shut down.5
Not surprisingly, dozens of major ransomware gangs now exist worldwide, including in Russia, Eastern Europe, and North Korea. Incredibly, many of these operations look and function like authentic businesses. "They rent office space, they have development teams, data architecture teams, help desks, phone support, and people that negotiate ransoms with targets," says Alexander Chaveriat, chief innovation officer at Tuik Security Group. "They buy server space all over the world using cryptocurrency, change servers as needed, and use virtual private networks and other tools to hide their location."
Although ransomware attacks vary, an episode begins when a computer executes an infected file. The malware usually downloads additional components that establish a connection to a Command and Control (C&C) server. This allows data to flow across the machines—including an IP address, geo-location data, and information about access permissions. This connection is referred to as a "call home" or "C2," and it typically taps Port 80 and HTTP or Port 443 and HTTPS protocols. At some point, the crooks load an encryption key needed to lock the files onto the target computer.6
The encryption process ensues over days, weeks, or months, normally progressing through hard drives, attached drives, and network devices. The C&C server decrypts files as they are needed. Along the way, crooks place a ransom note in every folder that has encrypted files; they might also plant other types of malware on systems. During the final stage of an attack, the ransomware uninstalls itself, the thieves remove the encryption key from the infected system and the victim sees a ransom note on the computer screen.7
The mechanics of ransomware have advanced considerably over the last few years. Early assaults were largely automated and focused on infecting large numbers of computers. Demands of $400 to $1,000 were common, says John Shier, senior security advisor at Sophos. As patching and endpoint security have improved, ransomware has evolved. In many cases, cybergangs—sometimes with the support of nation-states—target specific businesses, hospitals, or cities. In fact, they frequently seek out organizations with cyber-insurance, which increases the odds they can cash in.
Consider Emotet, a ransomware "dropper" that lands on a system after a person clicks on a malicious e-mail link, executes an infected file, or clicks on a hijacked online ad that contains malicious code. This installs the initial Emotet malware on a computer. That malware, in turn, downloads scripts, macros, and code that pull data from address books, use password stuffing to break into other accounts, and install spyware. Emotet components hide in sandboxes, slip into cloud containers, and escape detection by firewalls as a result of encrypted communications channels.
Along the way, different cybergangs and various forms of malware go to work. This includes banking trojans like Dridex and Trickbot, "middle-stage infectors that steal credentials so that criminals can perpetrate some type of financial crime," Shier says. "Once a group is finished stealing credentials, they hand things over to a ransomware operator, who encrypts the machine and demands the payment." Sophos identified upward of 700 unique Emotet binaries appearing per day in 2019, something that makes conventional signature-based identification next to impossible. "What started as a monolithic code base, including a credential stealer, has become a highly modular payload that allows operators to mix and swap out components," according to Shier.
"Suddenly, you have people with limited ability using powerful software to discover, exfiltrate, and encrypt files. They wind up with many of the same capabilities that sophisticated cybercriminals have."
Another common ransomware package, Dharma (previously known as CrySis), attacks small and medium-sized businesses. While the average ransomware demand is now $191,000, according to Sophos, Dharma lands at a relatively low figure of $8,620. "The ransomware crew that produced Dharma has put it in the hands of lower-skilled criminals," Shier says. "Suddenly, you have people with limited ability using powerful software to discover, exfiltrate, and encrypt files. They wind up with many of the same powerful capabilities that sophisticated cybercriminals have at their disposal."
Sophos has found that 85% of Dharma infections were associated with vulnerabilities in Remote Desktop Protocol (RDP), a proprietary Microsoft communications protocol that facilitates connections between corporate networks and remote computers. Vulnerable systems typically lack multi-factor authentication, so after paying a fee or buying a subscription, an affiliate obtains a menu-driven PowerShell script that establishes a connection to a business through RDP. The package includes a credential-stealing tool called Mimikatz, along with various other system utility tools.9
Methods to the Madness
Ransomware techniques continue to evolve. A good example is a program called Snatch, introduced in 2019. During the initial infection phase, the malware sets registry keys that are needed to run a particular file in Safe Mode. After planting the encryption program, it points the registry keys at it and then reboots the machine. Once the computer is in safe mode, with normal security tools switched off, it can encrypt files unimpeded. Other evasive techniques it uses include initiating attacks within virtual machines, and encrypting files in memory to avoid behavioral detection methods.10
Gangs also have begun encrypting backup systems, including cloud storage services such as Office 365 and Drop-box. Although 56% of the firms surveyed by Sophos regained control of their data through backups, that window appears to be closing. "[Cybergangs] have realized that the ransom demand becomes powerless if you have a full backup set in place and you can revert to it," Shier says. The gangs also are discovering ways to ratchet up the pressure. Beginning in November 2019, a group associated with Maze ransomware began copying data from targeted systems before encrypting it—something other groups have since copied. This can include human resources records, legal information, and intellectual property. Frequently, they post samples online to verify they hold these documents and data.
In May 2020, for instance, celebrity law firm Grubman Shire Neusekas & Sacs found itself in the crosshairs of an initial ransomware demand of $21 million, Armor says. The ransomware gang responsible for the attack claimed it held thousands of documents, containing the private information of Lady Gaga, Nicki Minaj, Bruce Springsteen, LeBron James, Christina Aguilera, Mariah Carey, and others. When the law firm failed to respond to the ransom demands, the gang doubled the ransom to $42 million. On July 10, the gang began auctioning the private data on the Dark Web for as much as $1.5 million per cache.11
Living in a world teeming with ransomware is a growing concern. It is impossible to know the full extent of the damage, because many victims don't report attacks.
The ability to capture financial data has other consequences. "Ransomware operators can use it to determine how much money an organization can afford to pay for a ransom," says Chaveriat. Not surprisingly, this can drive up the price of the ransom, while defusing any argument the business does not have the cash the bandits are demanding. "There have been cases where the thieves asked for the exact amount of money covered by the insurance and corporate policy. This indicates they have access to extracted data," he says.
Ransomware attacks also are spreading to industrial control systems. In 2019, Norwegian aluminum manufacturer Norsk Hydro suffered an attack that forced the company to switch some operations to manual mode. The company reported total estimated losses from the incident exceeded US$40 million. Now there is concern that ransomware will spread to connected Internet of Things (IoT) devices such as automobiles, home automation systems, and medical devices, Hinkley says.
Exiting the Maze
Living in a world teeming with ransomware is a growing concern. It is impossible to know the full extent of the damage because many victims don't report attacks. According to Sophos, 94% of organizations whose data was encrypted regained control of it by paying a ransom, or through backups. "It's in the best interest of gangs to ensure that people do get their data back. You're more likely to pay if you trust criminals to honor their end of the deal," Shier says. Yet that came at an average cost of nearly $1.5 million per incident, when downtime, people time, device cost, network cost, lost opportunity and the ransom paid are factored into the equation.13
For a number of reasons, including a lack of international extradition treaties, few ransomware gangs are ever brought to justice. Some, including the U.S. Treasury, have promoted the idea of making it illegal to pay a ransom, though the idea has not gained widespread support. One way the computing industry is fighting back is by taking down C&C servers. Last October, Microsoft disrupted an enormous hacking operation after it obtained a U.S. federal court order to disable the IP addresses associated with Trickbot's servers and worked closely with telecom providers to eradicate hackers.15
Cybersecurity experts do not see an end to ransomware anytime soon. Artificial intelligence, blockchain, and other technologies may improve detection and protection—and employee training may improve detection—but every time there is an advance in defense, cybergangs find a new way to breach systems and extract ransoms. Says Mularski: "As cybersecurity has improved, ransomware gangs have continued to find the weakest links and exploit them. When people asked Willie Sutton why he robbed banks, he replied: 'That's where the money is.' Today, ransomware is where the money is."
Richardson, R. and North, M.M. Ransomware: Evolution, Mitigation and Prevention, 2017, Faculty Publications, 4276, https://digitalcommons.kennesaw.edu/facpubs/4276
Kok, S.H., Abdullah, A., and Jhanjhi, N.Z. Early detection of crypto-ransomware using pre-encryption detection algorithm, July 4, 2020, https://doi.org/10.1016/j.jksuci.2020.06.012
Hull, G., Henna, J., and Arief, B. Ransomware deployment methods and analysis: views from a predictive model and human responses, Crime Science, February 2019, https://link.springer.com/article/10.1186/s40163-019-0097-9
1. The State of Ransomware in the US: Report and Statistics 2019, Emisoft, https://bit.ly/36qYkbf
2. The State of Ransomware 2020, Sophos, https://bit.ly/3dtlIbb
4. New Jersey hospital paid ransomware gang $670K to prevent data leak, BleepingComputer, https://bit.ly/3jXOWBj
5. The new target that enables ransomware hackers to paralyze dozens of towns and businesses at once, GCN, https://gcn.com/articles/2019/09/12/ransomware-msp.aspx
6. "Ransomware: How an attack works," Sophos, https://support.sophos.com/support/s/article/KB-000036277?language=en_US
8. Color by numbers: Inside a Dharma ransomware-as-a-service attack, Sophos News, https://bit.ly/379rkGd
10. The realities of ransomware: The evasion arms race, Sophos News, https://bit.ly/2Il88v0
11. The Dark Market Report: The New Economy, Armor, https://www.armor.com/resources/the-dark-market-report/
12. The State of Ransomware 2020, Sophos, https://bit.ly/3dtlIbb
14. Ransomware attacks are increasing at an unprecedented rate — and the US is now begging people not to pay ransoms, Business Insider, https://bit.ly/3k59Oqh
15. Microsoft takes down massive hacking operation that could have affected the election, CNN Business, https://cnn.it/3dtLXOu
©2021 ACM 0001-0782/21/4
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from [email protected] or fax (212) 869-0481.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2021 ACM, Inc.