
Discipline: Computer science

The growing threat of ransomware attacks – current trends and challenges


Ransomware is a type of malware that encrypts data on a target system without authorisation, thereby denying users access to that data or to entire systems. Its purpose is extortion: in return for paying a ransom to the cybercriminals, victims may be able to recover their data, decrypt it and make it usable again. Ransomware usually enters a system via manipulated email attachments or links in phishing emails and then encrypts data on the system, often unnoticed at first. At the end of the process, the victim receives a notification from the extortionists asking them to transfer a ransom in a common cryptocurrency to a specific address so that the data can be decrypted again. If the transaction succeeds, the victim receives a key to decrypt the data, at least according to the extortionists' promise; in practice, a working key is not always delivered.

The origins of ransomware date back to the late 1980s. During the 1990s, ransomware was more of a niche cybercrime business: criminals tended to make money from spam, email scams and the sale of credit card and online banking data. Since 2011, there has been a sharp rise in ransomware attacks. One reason for this is the widespread adoption of digital payment methods (such as Western Union, PayPal etc.) and, from 2008 onwards, cryptocurrencies such as Bitcoin, for processing ransom payments. Another reason is improved encryption algorithms and the widespread availability of attack infrastructures such as botnets (e.g. Cryptolocker and Zeus), which facilitate the delivery of ransomware.

Ransomware has undergone an astonishing evolution in recent years: it has become more professional, more systematic and more powerful. Today, ransomware is one of the most lucrative business models for cybercriminals. In the so-called Ransomware-as-a-Service (RaaS) business model, attacker groups offer their malware suites for hire to affiliates, who then compromise targets on their behalf and are allowed to keep a portion of the ransom money. These service models also allow smaller, less capable hacker groups to earn money quickly and thus contribute to the proliferation of the problem. Cyber criminals are now organised according to a division of labour and are highly efficient. So-called access brokers sell "backdoor access" to the systems of companies that have been scouted in advance and are considered willing to pay a high price. Specialised developers constantly design new, more powerful ransomware variants with additional functions, such as scanning company networks, automatically infecting other devices in the same network (worm component) and evasion techniques to defeat each new generation of detection mechanisms from the anti-malware industry. Ransomware is now distributed via phishing kits with graphical user interfaces and a high degree of automation. Communication with victims and the processing of payments in Bitcoin, including money laundering via Bitcoin mixers, money mules and other service providers, is also largely automated today. The individual components are compartmentalised in order to make prosecution more difficult. Communication usually takes place via encrypted messengers and via websites and forums on the darknet. There are numerous ransomware groups that are responsible for a large number of attacks, and there seems to be a kind of competition for fame and money among them.

The attackers have also adapted to the common prevention mechanisms used to thwart ransomware attacks. If a company or organisation holds backup copies of the encrypted data, the incentive to pay a ransom is low. Attackers have therefore started to search for backup systems in the network and encrypt these backups as well. The triple extortion scheme has become established: in the first step, company data is stolen; in the second step, the target system is encrypted; in the third step, the attackers threaten to publish sensitive data if the ransom is not paid. As companies could also face regulatory consequences for the loss of personal data subject to data protection law, this increases the pressure to pay. Other cyberattacks on the same company, such as distributed denial of service (DDoS) attacks, create additional pressure to pay. It also happens that the same company is attacked several times in a row by the same ransomware group. Big game hunting has also become established in recent years: the attackers carry out financial analyses of their victims, for example by evaluating quarterly reports to check solvency. Larger companies in particular are attacked, since they are believed to be highly motivated to pay because they cannot afford to have their business operations suspended for a longer period of time.

Comparability with analogue phenomena

Ransomware is based on well-known extortion methods used in traditional organised crime, such as hostage-taking. An asset that is important to the company is kidnapped and is therefore no longer available, and a sum of money is demanded in exchange for its safe return. Payment is made at a location that makes direct observation and prosecution difficult (e.g. dead letter boxes). However, the characteristics of the digital space make ransomware more efficient: the internet allows attackers to operate globally and threaten organisations in other countries remotely. Automation means that hundreds of targets can be attacked and blackmailed at the same time, so that enormous sums of money can be extorted. According to some estimates, the financial volume of ransomware crime is now greater than that of the entire international drug trade. The risk of prosecution for the attackers is rather low, especially if they operate from countries with weak statehood or poorly equipped law enforcement authorities. Attackers can also disguise their activities using various anonymisation tools. Privacy-focused cryptocurrencies such as Monero and money laundering tools also make it very difficult or even impossible to track financial flows. One important cause is the availability of ready-made attack infrastructures offered as-a-service by the cybercriminal underground. These include the rental of botnets, attack suites and bullet-proof hosting (i.e. servers that are optimised to make prosecution more difficult). There is also no shortage of attack surface: enough vulnerable systems are exposed on the internet to serve as bridgeheads into companies and governments. The frequent lack of IT security awareness in large parts of society also contributes to this. In addition, digital payment options are now widely established due to increasing digitalisation; without cryptocurrencies, the business model would not function to this extent.

Social relevance

The social relevance of ransomware has increased in recent years, both in terms of the quantity and the quality of attacks. Today, it is less a question of whether a company will be affected by ransomware than of when. 66 per cent of companies state that they have already been affected by ransomware. Small and medium-sized enterprises, municipal administrations and public institutions are just as much a target as large companies. In addition to the very high financial damage, organisations that provide critical services for digital societies, such as credit card terminal operators, supermarket chains, electricity or water suppliers or even hospitals, are increasingly being attacked. A failure of these systems can sometimes even have fatal consequences if, for example, vital operations in hospitals can no longer be carried out because systems are unavailable. The 2021 attack on the operator of the Colonial Pipeline in the USA, which briefly disrupted the oil and petrol supply in the USA, made headlines.

Ransomware is also playing an increasingly important role in inter-state conflicts. State cyber attackers such as intelligence services use ransomware attacks to paralyse their opponents, as can be seen in Russia's war against Ukraine, for example. In addition, some states use cyber criminals as proxy actors who either hack targets on behalf of the state or even act as front groups for intelligence services and thus carry out cyber attacks on competitors. North Korea, for example, uses ransomware to improve its state budget and finance its nuclear programme.