What is Driving the Surge of Ransomware Attacks?

September 14, 2021 | 3 minute read

Some major ransomware attacks have dominated the headlines recently. Back in the beginning of May, for instance, the Colonial Pipeline Company suspended its daily transportation of 100 million gallons of fuel between Houston, Texas and New York Harbor following an infection at the hands of the DarkSide ransomware gang. The ensuing disruption caused fuel shortages as well as panic buying of gas along the East Coast.

Two months later, Kaseya announced a serious supply chain security incident involving one of its solutions. The IT software management company warned customers to disconnect their product servers and to avoid clicking on links that attackers might have weaponized with ransomware.

Huntress examined those ransomware artifacts and determined that the REvil ransomware group was behind the supply chain attack. At first, the attackers focused on double extortion of the victims in the incident individually. That changed when the group demanded $50 million for a universal decryptor, a utility which Kaseya ultimately acquired from a “trusted third party.”

These attacks have helped to elevate the seriousness of the ransomware threat in the eyes of the U.S. government. Indeed, the U.S. Department of Homeland Security (DHS) launched StopRansomware.gov, a website with ransomware resources for individuals, businesses, and organizations. It also called ransomware “a long-standing problem and a growing national security threat.” Around that same time, U.S. President Joe Biden urged Russian President Vladimir Putin to “disrupt ransomware groups operating in Russia,” as quoted by Yahoo News.

Understanding the Ransomware Onslaught

Several factors have contributed to this recent surge of ransomware attacks. First, organizations are generally more reliant on digital infrastructure than they were in the past. More than four-fifths (82%) of chief financial officers (CFOs) told Gartner that they intended to increase their investment in digital capabilities in FY 2021 compared to the previous year, as reported by Campus Technology.

Slightly less than that (70%) said they planned to grow their IT investments in the same period. Those two areas beat out other priorities among CFOs including cultural development, staff/hiring, and risk management at 59%, 35%, and 30%, respectively.

A CFO’s focus on digital capabilities reflects just how much remote working, online education, and related developments have reshaped life following the events of 2020. Organizations’ digital security is no exception to that reality. Greater digital infrastructure means organizations have more digital assets that attackers can use as entry vectors to establish a foothold in the network before moving laterally and deploying their ransomware payloads.

Second, ransomware actors continue to rely on cryptocurrency for their operations. They demand that their victims pay their ransoms using cryptocurrency, and Ransomware-as-a-Service (RaaS) schemes rely on cryptocurrencies to divide up the profits of an attack between developers and affiliates. The Wall Street Journal provided an explanation as to why:

Ransomware can’t succeed without cryptocurrency. The pseudonymity that crypto provides has made it the exclusive method of payment for [malicious] hackers. It makes their job relatively safe and easy…. Before cryptocurrency, attackers had to set up shell companies to receive credit-card payments or request ransom payment in prepaid cash cards, leaving a trail in either case. It is no coincidence that ransomware attacks exploded with the emergence of cryptocurrency.

Not everyone agrees with that assessment. Marcus Hutchins, the British hacker who stopped the WannaCry ransomware attack outbreak in 2017, clarified to CoinDesk that cryptocurrency has helped to make ransomware more available to wannabe attackers without technical skills and has thus contributed to the threat’s proliferation.

Even so, he said that “these kinds of attacks would have persisted” without cryptocurrency, noting how ransomware attackers can use money laundering networks that rely on USD for their operations.

The final factor is that victims are paying ransoms, giving digital criminals an opportunity to stage follow-up attacks. A 2021 survey revealed that more than half (56%) of ransomware victims had paid a ransom in 2020 to restore access to their data.

Four-fifths of those victims that paid ended up suffering another attack, according to a global research report conducted by Cybereason, titled Ransomware: The True Cost to Business. Nearly half (46%) said that they believed that the attack originated from the same malicious attackers, while 34% said that they thought the attack came from a different ransomware group.

Defending Against Ransomware

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.

The Cybereason Operation-Centric approach provides the ability to detect ransomware attacks earlier based on rare or advantageous chains of malicious behavior. This is why Cybereason is undefeated in the battle against ransomware and delivers the best prevention, detection, and response capabilities on the market, which include:

    • Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
    • Intelligence-Based Antivirus: Cybereason blocks known ransomware variants by leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
    • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
    • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
    • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
    • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.
