The Many-Headed Threat of Ransomware

It may seem that the very term “ransomware” wasted little time going from “newish-sounding threat” to expected, constant presence in the news and IT meetings alike. But, of course, it’s ultimately just a modern word for one of the oldest crimes out there—holding someone or something hostage until someone else pays for its release. Nonetheless, as the targets and means of these attacks have evolved, keeping track of it all has become a bit more complicated than a name on a ransom note. The ransomware landscape is constantly shifting as actors change their targets, find new points of attack and think of fresh ways to leverage encrypted data. Hundreds of variants of ransomware have been documented over the past few years, but here’s a cross-section of types posing a threat right now.

Maze ransomware began attacking U.S. entities, such as the city of Pensacola, Fla., in 2019. According to an FBI advisory, Maze infiltrates systems via spam emails that give the appearance of being from a government agency or security company. The actors behind Maze distinguished themselves by adding a new ultimatum to the business model: threatening to publish the data of victims who don’t pay the ransom.

Cybersecurity experts think the actors behind the now-defunct ransomware GandCrab are also behind Ryuk, which first appeared in 2018 and quickly became one of the most virulent and damaging types operating. No shotgun approach for Ryuk, whose victims are specifically targeted for their assets. Its ransom demand is typically 10 times that of other ransomware types.

Sodinokibi, also known as REvil, is a ransomware as a service (RaaS) that first appeared in April 2019 but famously rang in 2020 by infecting the Travelex currency exchange on New Year’s Eve. In that case it exploited an unpatched security system, but it also infiltrates through phishing attacks. Other victims have included a New York airport and government agencies throughout the state of Texas. In July 2021, REvil targeted managed service providers (MSPs), including IBM and Accenture, via a breach in Kaseya VSA’s software.

Phishing is still a top method of attack for ransomware, but PureLocker, a sophisticated new variant, operates far more proactively, using a type of backdoor malware to infect compromised Windows- or Linux-based production servers, where it strategically encrypts data. Cybersecurity experts suspect that PureLocker is a service hired exclusively by well-financed criminal groups.

The extortion-through-data-exposure model that Maze popularized was quickly adopted by DoppelPaymer, which encrypts an organization’s data after gaining administrative access to its systems. In February 2020 the actors behind DoppelPaymer announced they’d launched a website where they will reveal legally compromising information about their victims, which include Mexico’s state-owned oil company, Pemex.

First identified in 2020, Conti, a Russian-born RaaS outfit, quickly established itself as one of the more malicious forms of malware due to its rapid data encryption speed and double-extortion model. In late 2021 Conti made headlines as the first cybercriminal group to develop a Log4Shell attack chain targeting Apache’s Log4j2 vulnerabilities, creating numerous security concerns for all Java-based systems.

The one predictable thing about ransomware is that when one type is shut down, another one will take its place. Yet the fundamentals for protecting yourself still apply. While law enforcement plays virtual whack-a-mole, put yourself in the best position not to be the next crime victim: use strong passwords, implement multifactor authentication, back up and segment your data, and train your staff to guard against scams.
