How Ransomware Groups Evolve in Time and What to Expect in the Future

BRANDEFENSE
Ransomware
11/10/2022

Introduction

Ransomware, in which an attacker steals or freezes an organization’s computer systems or data and demands a ransom payment to restore access to them, is one of the fastest-growing and most common cybersecurity threats facing businesses today.

The U.S. Treasury Financial Crimes Enforcement Network, or FinCEN, reported that more than $590 million in ransomware payments were made in the first half of 2021 alone, and that the top 10 hacking groups collected nearly $5.2 billion worth of ransomware payments in Bitcoin over the last three years. As staggering as these numbers are, they probably underestimate the true scope of the threat: many ransomware victims never report the crime to the authorities or publicly admit to paying the ransom, and the figures do not account for ransoms paid in other cryptocurrencies.

While ransomware attacks have only recently started to appear in the headlines, the threat has been around for much longer. The attack methods and techniques have evolved over time, but the enormous damage that ransomware attacks can do to organizations and individuals remains the same.

To understand how to better protect against ransomware attacks, we must first look at where we came from.

First Ransomware Attack

The earliest known ransomware attack took place in 1989, when an AIDS researcher named Dr. Joseph L. Popp produced a total of 20,000 floppy disks and sent them to random mailing addresses. The software on the floppy disk encrypted all the files on the computer and demanded a ransom of $189 to restore them. The image below shows the message left for the requested ransom.

Figure 1: Earliest known ransomware, AIDS or PC Cyborg Trojan (image of the ransom message)

The Beginning of Today’s Ransomware

With more organizations coming online, cybercriminals were able to spread ransomware to more victims. But their method had a fatal flaw: they used symmetric cryptography. In symmetric cryptography, the same key is used for encryption and decryption, and since this key was embedded inside the malware, it could easily be extracted and the encrypted files decrypted. As a result, cybersecurity firms were able to develop universal decryption tools soon after infections were discovered.

As we often see in nature, ransomware strains have evolved as the environment has changed. The next step in the evolution of ransomware was asymmetric encryption, which uses two keys rather than a single key. In asymmetric encryption, a key pair is created: one key is called the Public Key, and the other is called the Private Key. Data encrypted with the public key can only be decrypted with the private key, and vice versa.

The attacker keeps the private key, while the public key is stored in the cryptovirus. After infecting the computer, the virus generates a new symmetric (session) key and uses it to encrypt all the files on the disk. The newly created key is then locked in an archive encrypted with the attacker's public key, and the plaintext copy of the key is removed from the victim's machine.

After the ransom is paid, the victim must send the encrypted archive to the attacker; the attacker uses the private key to open it, extracts the session key, and sends it back to the victim so they can decrypt their files. This way, each infected machine requires a unique key, and even the attacker cannot decrypt the files without that session key. A victim's unlock key will not work for other victims, and the private key is never shared with victims. This design is now the foundation of every cryptovirus.

The Next Step in Evolution

With the introduction of asymmetric cryptography, ransomware became much more difficult for victims to recover from, and more victims decided to pay the ransom. However, attackers still needed a more efficient delivery system to spread their virus. Up until this point, attackers had generally relied on distribution via spam emails or phishing attacks that infected single users, not entire organizations. That changed with the emergence of the WannaCry worm in 2017.

WannaCry still infiltrated an organization through a phishing attack, but once inside, it spread quickly across the network by exploiting an SMB vulnerability. The exploit for this vulnerability, called EternalBlue, allowed the ransomware to propagate over a network without any action from users beyond the initial infection. It is estimated that around 200,000 computers in 150 countries were infected with WannaCry.

Beyond the technical evolution, ransomware groups may also take sides with certain countries. For example, during the Covid-19 pandemic, we saw Chinese-backed threat actors trying to steal Covid-19 vaccine data. In another example, the Conti ransomware group suffered internal conflicts during the Ukraine-Russia war. The Conti group stated that it was on the side of Russia, but one or more of its members supported the Ukrainian side. This caused an unprecedented internal conflict, and all the data related to the Conti group was leaked. It was an interesting example of ransomware groups taking sides.

Ransomware as a Service

Over time, threat actors found a way to spread their malware to more people: they allowed others to use their malware as a service. In this way they reached more victims, and their reputation in the media rose.

Today, ransomware groups prefer to hand their malware to more experienced threat actors (affiliates) rather than selling exploit kits and letting anyone use them freely.

It is important to note that today RaaS is not the simple subscription model it is often described as. Instead, the ransomware operators develop the malware and run the infrastructure, while the affiliates carry out the attacks.

After a successful attack, the ransomware operators and their affiliates split the ransom. Generally, the affiliates get the biggest share; their cut varies between 80% and 90%.

Previously, the attacks were opportunistic and used worm-like behavior (WannaCry), focusing on the most direct way to monetize. Under today’s profit-sharing model, threat actors have adopted tactics, techniques, and procedures from advanced persistent threat (APT) groups with a focus on maximizing damage and pressure, not speed.

This is what enables today's ransomware groups to demand the multimillion-dollar ransoms we see in the headlines: they spend weeks or months carrying out a single attack.

Simply encrypting data is no longer enough. They encrypt the data and, at the same time, steal it and threaten to sell it (so-called double extortion).

What to Expect in the Future

Ransomware is expected to keep increasing in the future, because it is easier to program than other malware and the payments keep growing. Additionally, ransomware is attractive to attackers because it does not need to stay hidden like other types of malware. Malware is usually designed to evade detection, but ransomware is designed to be noticed after the files have been encrypted, usually through a pop-up message on the victim's machine.

At the same time, more anti-ransomware companies will emerge, and investments in cyber security will grow as the threat grows.

You can take precautions yourself by following the steps below.

  • Provide regular training to raise cyber security awareness among your employees.
  • Identify, prioritize and back up the assets you need to protect at regular intervals, keeping 3 copies of each backup on two different media types with one copy stored outside the institution (the 3-2-1 rule).
  • Treat e-mails of unknown origin, and the file attachments they contain, with suspicion. If possible, do not open them.
  • Use licensed and up-to-date operating systems.
  • Use reliable anti-virus solutions.
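The backup recommendation above is only useful if someone actually checks it. The following added example (not part of the original post) evaluates a constructed backup inventory against the 3-2-1 rule and the "regular intervals" requirement; the inventory records, asset names and the two-day freshness window are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed backup inventory (sample data, not from the original post).
# Each record: the asset it protects, the media type, whether the copy is
# stored outside the institution, and the date of the last successful run.
BACKUP_INVENTORY = [
    {"asset": "finance-db", "media": "disk",  "offsite": False, "last_run": date(2022, 10, 10)},
    {"asset": "finance-db", "media": "tape",  "offsite": False, "last_run": date(2022, 10, 9)},
    {"asset": "finance-db", "media": "cloud", "offsite": True,  "last_run": date(2022, 10, 10)},
    {"asset": "file-share", "media": "disk",  "offsite": False, "last_run": date(2022, 10, 10)},
    {"asset": "file-share", "media": "disk",  "offsite": False, "last_run": date(2022, 9, 1)},
]

# Assumed reporting date for the sample data.
REPORT_DATE = date(2022, 10, 11)


def evaluate_321(inventory, asset, today, max_age_days=2):
    """Check one asset against the 3-2-1 rule and a maximum backup age.

    Returns the individual findings plus an overall verdict, so the caller
    sees which requirement failed rather than just that one did.
    """
    copies = [b for b in inventory if b["asset"] == asset]
    cutoff = today - timedelta(days=max_age_days)
    stale = [b for b in copies if b["last_run"] < cutoff]
    findings = {
        "copies": len(copies),                                    # 3: at least three copies
        "media_types": len({b["media"] for b in copies}),         # 2: on two media types
        "offsite_copies": sum(1 for b in copies if b["offsite"]), # 1: one copy off-site
        "stale_copies": len(stale),                               # regular intervals
    }
    findings["compliant"] = (
        findings["copies"] >= 3
        and findings["media_types"] >= 2
        and findings["offsite_copies"] >= 1
        and findings["stale_copies"] == 0
    )
    return findings


def report(inventory, today, max_age_days=2):
    """Evaluate every asset in the inventory; returns {asset: findings}."""
    assets = sorted({b["asset"] for b in inventory})
    return {a: evaluate_321(inventory, a, today, max_age_days) for a in assets}


if __name__ == "__main__":
    for asset, f in report(BACKUP_INVENTORY, REPORT_DATE).items():
        print(f"{asset}: {'OK' if f['compliant'] else 'FAIL'} {f}")
```

In the sample data the finance database passes, while the file share fails on every count: two copies, one media type, nothing off-site, and one copy over a month old.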

At Brandefense, we regularly monitor ransomware activity and inform our customers about attacks on a sector-oriented basis. We also publish a report for each quarter in which we evaluate the important ransomware activities, news, and impact on the industry during that period.
