Traditionally, cybercrime was a “numbers game”. If someone sent out a million phishing emails, there would be some poor person who would click. That’s all criminals would need to turn a profit.
That has all changed. As people and organisations started losing money and became more aware, their cyber defences improved, but so did the attacks and the people who launch them. Ransomware attacks are meticulously planned with a specific target and outcome in mind.
One of the recent developments that has really helped cybercriminals develop and deploy sophisticated attacks on companies and organisations is “ransomware as a service”. This allows for a criminal network to outsource and buy in from specialists and affiliates who are experts in one part of an attack, sometimes on a profit-sharing model.
“These ransomware groups are effectively businesses,” says Satnam Narang, senior staff research engineer at cyber exposure company Tenable. “They have people that do recruitment, they do marketing, they do onboarding, they have developers. They operate like startups out of Silicon Valley,” he says.
While one group may be brilliant at identifying targets and putting together the research to craft the perfect attack, another group might be experts at gaining access to systems. Another still might specialise in writing the code for the ransomware itself.
The ransomware author could typically expect a cut of 20 percent from an attack using their tools – fail to pay and they can kill off those tools and hence the attack. However, the ability to essentially “buy in” the malware and the access has enabled a huge proliferation in ransomware attacks perpetrated by cybercriminal gangs.
“The ransom demand is their primary source of income, because they can make anywhere from hundreds of thousands to tens of millions of dollars,” Narang said. A lot of that will go towards their costs as they essentially pay a salary and expect regular hours. The franchising or outsourcing model also enables ransomware developers to stay at arm’s length should their products be used in an attack that attracts the interest of security services.
On top of the “as a service” model, the other significant development in recent times is the use of “double” extortion, where, rather than just focusing on encrypting data, the threat actor “exfiltrates” (steals) it as well and can then threaten to publish it. Narang and other cybersecurity professionals have been seeing this more commonly since 2019. That data, for example the personal details of a victim’s staff or customers, could be sold on to other cybercriminals and then used in phishing attacks, generating another income stream.
On the other side, cybercriminals have also improved their “customer” service offer. A lot of victims of cybercrime do not know how to get bitcoin to pay a ransom, or to use the unlocking key to decrypt their data. This also means they have an interest in maintaining a brand or reputation of sorts in order to encourage ransomware victims to pay out.
“If you want to make money today [as a cybercriminal], you would get involved in ransomware in some way, whether developing, partnering, creating your own or becoming an affiliate,” Narang says.