The Covid-19 pandemic has forced major changes in our work habits, with remote work and telecommuting becoming the new norm for many organizations and employees. A major theme of the pandemic is that the entire world has been participating in work-from-home setups, with the lines between work and home blurring. Although the ardor for remote work has cooled with many economies reopening, far more organizations are willing to adopt a hybrid of in-office and at-home work than before the crisis.
Unfortunately, the global migration to remote work over the last year has also coincided with a sharp spike in cyberattacks, especially ransomware attacks.
Nowadays, an employee doing something as simple and mundane as clicking a seemingly innocuous link in their email can easily open the door to a massive attack that can bring a company to its knees, cripple critical service delivery and have ripple effects throughout the global economy.
According to Singapore-based cybersecurity firm Group-IB, ransomware attacks surged 150% over the previous year, with the amount paid by victims of these attacks increasing by more than 300%.
The current year has not been any better, with high-profile ransom attacks against private companies, critical infrastructure, and municipalities grabbing headlines almost on a daily basis.
The problem has become so insidious that the FBI has taken it upon itself to investigate about 100 different types of ransomware.
In a new statement, the FBI says it has made investigations into the proliferating ransomware attacks ‘a top priority’ and encourages private companies to contact their local FBI field office if they suspect they have been targeted.
The FBI crackdown comes in the wake of the recent high-profile ransomware attacks against Colonial Pipeline and meat processor JBS Foods.
Back in April, ransomware attackers gained access to Colonial Pipeline's computer networks using a compromised password, leading to the deliberate shutdown of one of America's most important fuel distribution companies and to panic buying of gas.
The password had been linked to a disused virtual private network (VPN) account used for remote access, cybersecurity solutions company FireEye Inc. (NASDAQ:FEYE) has confirmed. Further, the VPN account was not protected by an extra layer of security commonly known as multi-factor authentication.
Although it remains unclear how the attackers managed to obtain the compromised credential, the fact that hackers could so easily force a critical supply chain company to its knees with something so simple underscores the lax cybersecurity standards at multi-billion-dollar businesses that should know better.
Luckily for the oil and gas infrastructure company, an FBI-led operation has been able to recover approximately $2.3 million in Bitcoin paid to the notorious hacking group DarkSide. Colonial Pipeline Co. CEO Joseph Blount says the company complied with the $4.4 million ransom demand because it was unaware of the extent of the intrusion and of how long it would take to restore operations.
The decentralized nature of Bitcoin and cryptocurrencies in general makes them the perfect currency for hackers.
"The misuse of cryptocurrency is a massive enabler here. That's the way folks get the money out of it. On the rise of anonymity and enhancing cryptocurrencies, the rise of mixer services that essentially launder funds. Individual companies feel under pressure - particularly if they haven't done the cybersecurity work - to pay off the ransom and move on. But in the long-term, that's what drives the ongoing ransom [attacks]. The more folks get paid the more it drives bigger and bigger ransoms and more and more potential disruption," Deputy National Security Advisor Anne Neuberger has told CNN.
The changing face of ransomware attacks
Like many other tools employed by hackers, ransomware attacks have been evolving and becoming more complex over the years.
A few years ago, the majority of ransomware attacks involved only the deployment of ransomware. Hackers would send a phishing email that deployed malware when an unwitting employee clicked on a link. The extortionist would then offer decryption keys in exchange for a ransom, sometimes in six figures. Once the ransom was paid, the hackers would send the company decryption keys that allowed it to regain access to its servers, and would even promise not to target the company again.
Ransomware attacks have become more sophisticated than that and have evolved into massive businesses. Modern attacks are mostly focused on exfiltrating sensitive company information. They are usually perpetrated by organized criminal rings that do intensive research on their target companies. In addition to deploying malware to encrypt company systems, the threat actors conduct reconnaissance of company files, ultimately exfiltrating large amounts of data, in many instances on the order of several terabytes.
Group-IB says the average ransom demand stood at $170,000 last year, but groups like Maze, DoppelPaymer, and RagnarLocker were able to collect much larger amounts, in the $1 million to $2 million range. Maze (20%), Egregor (15%) and Conti (15%) are the most notorious 'big-game hunters', accounting for most of the attacks analyzed by Group-IB, though nation-state groups like North Korea's Lazarus and China's APT27 are becoming increasingly involved.