Cybercrime and Dark Web Research / The Business of Extortion: How Ransomware Makes Money

The Business of Extortion: How Ransomware Makes Money

The Business of Extortion: How Ransomware Makes Money
Sean Nikkel
Read More From Sean Nikkel
June 9, 2021 | 8 Min Read

We can’t stop talking about it: Ransomware. It’s dominating a lot of security news for sure, which also means it’s definitely in the media cycle and on everyone’s mind. Ransomware groups have recently upped the ante with their attacks with adaptations of various tactics, techniques, and procedures (TTP) in the threat landscape. As if it weren’t enough to worry about the threat of having your data encrypted and held for ransom, groups these days are offering the additional threats of Distributed-Denials-of-Service (DDoS) and data disclosure to their arsenal. Several of these ideas have been around for a while, but with all of the recent upheavals in the ransomware market, many of these tactics have been adopted, dropped, and renewed by some fairly notorious groups to ensure that one way or another, payment will be made. 

Many blogs, articles, and researchers keep talking about things like “double-extortion” or other terms you might’ve been afraid to ask about when we talk about ransomware in 2021. We want to shed light on what’s going on now as a “back-to-basics” on how attacks work and some of the history behind them. In this article, we’ll walk through some of the basics as we see ransomware attacks today, which break down to extortion based on threats of encryption, disclosure, or network attack and how your organization can protect itself from data loss.

Ransomware by Encryption

Encryption and extortion were the original basis of ransomware threats. If this tactic is news to you, please say “Hello” to Wilson the volleyball for us because you may have been on a desert island for the last few years (probably more preferable to 2020). In the beginning, the targets varied between individuals and businesses; however, it would seem these days it’s all about the enterprise now. According to the Verizon DBIR, that victim profile was typically located in North America or Europe, in the manufacturing, energy, or healthcare sectors.

The execution also varied among groups, but the model was simple, pay or get encrypted. The decryption part was where things often got tricky, especially for victims, because this is where the variance occurred. It also meant a huge (and potentially expensive) leap of faith. 

In short: 

  • In the best-case scenario, victims pay and get their data back. 
  • In a worse-case scenario, they might pay, but the decryption fails, resulting in corruption or some loss of data. 
  • In the worst-case scenario, they might pay, and nothing gets decrypted. 

As ransomware attacks began to hit more news cycles worldwide, more and more voices in the security world advised that the best tactic–especially if backups existed or a decrypter was available–was not to pay. Ransomware operators increasingly were likely at a crossroads: It was still probably reasonably profitable, but how to increase pressure while at the same time increasing the likelihood of payment, especially with cyber insurance involved? As ransomware began to look more and more like a service, threat actors were forced to add new revenue streams to their business model.

Ransomware by Disclosure

The “All your data belongs to us” approach—public data disclosures have been around practically since the early years of the public internet, but the practice again changed the landscape when added with ransomware. Intentional data disclosure dates back to the 1990s and was often used in response to feuds among various groups, which brought actual personas out of the shadows and anonymity of the internet.

 Varying hacktivist groups, as well as lone-wolf actors, have used this technique–often referred to as “doxing”–in recent years as a method of public shame, generally in response to a person or organization running afoul ethically or socially. In its latest form, ransomware actors opting to include disclosure in their threats will typically exfiltrate critical data first before encrypting it. If a victim fails to meet demands for payment, the added pressure of a public disclosure might be just enough to nudge that victim towards the finish line. Previously, unless disclosed publicly in some fashion, ransomware incidents sometimes could be pretty quiet.

The added pressure of having sensitive data, whether customer or financial data, information on internal projects or plain old intellectual property out there for everyone to see might be too much for an enterprise to bear. Especially in a competitive landscape. One group, REvil, stands out in particular for their brand of nefarious behavior, as they seek to disclose victim information publicly and profit from it. 

Ransomware by Network Attack

The old “Extortion or DDoS” gambit is not new. Prototypes of this activity were spotted in the wild as far back as 2015, and in the years following, each were also very newsworthy years for DDoS attacks. Attacks in recent years gained notoriety because of attacker claims to be part of other well-known groups such as Armada Collective, Anonymous, and Fancy Bear, among others; not to mention, they grew in scale and type.  They also targeted many different sectors, which left much of the press at the time breathless trying to attribute the threat correctly. In essence, the fake Bears were attacking with extortion threats while the actual Bears were off making big news with espionage campaigns. Several groups have recently adopted the practice, either as a standalone threat or alongside traditional ransomware encryption attacks and newer disclosure tactics.

Distributed-Denial-of-Service in itself is noteworthy because of how an attack originates from widespread IPs, potentially from multiple regions of the world, to shut down networks. The wide distribution of IPs also makes it difficult to attribute directly or even block with some traditional network security methods, especially since botnets can be rented out for this purpose. The very nature of DDoS makes it different from a standard Denial-of-Service attack in this regard. 

Akamai’s Tom Emmons recently looked at historical comparisons with known DDoS activity and incidents, which was interesting given Akamai’s unique position as a leading content delivery network (CDN). An interesting takeaway from this research is that DDoS “stresser” kits saw average prices fall, which lines up with our marketplace research: the lowest observed price for a kit was less than a Big Mac meal at a McDonald’s in the US. These low prices provide a shallow barrier to entry for just about any criminal group or wannabe out there. They would be a drop in the bucket for a well-financed threat actor currently making waves in ransomware who might opt for DDoS-as-a-service rather than stand up their own infrastructure. 

The good news about DDoS attacks is that despite the bandwidth issues it might create temporarily, there is evidence that these attacks can be mitigated if caught early and through proactive measures that may include a vendor solution or network configurations. The question in this instance is if network availability or data integrity is the priority when faced with all threats in a potential ransomware attack.

Change is Constant in the Ransomware Threat Landscape

In the time since this blog’s inception to its finish, the Babuk ransomware group recently announced they were rebranding their services, with some members moving on to a disclosure-extortion–only model. As we saw throughout May 2021, there were many ripples in the usual marketplaces after the Colonial incident. As time goes on, it will be interesting to see what the potential fallout is as more people are attuned to the ransomware threat. There have already been several high-profile attacks in the wake of ransomware operators moving to other safe-havens.

There should be some healthy debates happening in the private and public sectors about ransomware. Still, as we predicted in 2020, this is just going to keep happening until something new comes along (likely), ransomware operators decide to go quiet and stop attacking everyone (probably not), government and law enforcement bodies manage to arrest everyone and stop all the crime (also unlikely), or we get better about security as a whole (hopefully). Whether these debates and changes result in a free-for-all for attacks, changes in attack methodology, or if any of the rhetoric from governments resulted in slowing or stopping attacks, we’ll know in a year from now if this will be another year of ransomware. 

As an aside, we don’t often talk about the attacks that didn’t happen or were prevented through either tooling, law enforcement measures, or a combination of factors, but kudos to those successes. Those stories should be told and passed down to generations of SOC defenders and security teams everywhere. I can’t take the credit for this, but the other debate we should all be having is whether to publicize these incidents or change how they’re presented. In any case, we’ll continue to monitor and update as needed, but if you are curious about how intelligence may help you stay informed in the fight against ransomware, you can always take Searchlight for a test drive with a free 7-day trial. If you like reading some of the complex data we’ve seen this year, take a look at our Q1 2021 report on ransomware trends, which should hold you over until we can publish the Q2 results.

Building successful teams on the cybercriminal underground

Building successful teams on the cybercriminal underground

September 15, 2021 | 7 Min Read

We’ve all been socialized since childhood to...
AlphaBay’s Return: SWOT Findings

AlphaBay’s Return: SWOT Findings

September 9, 2021 | 14 Min Read

Hot on the heels of our recent blog titled...
What We’re Reading This Month

What We’re Reading This Month

September 8, 2021 | 6 Min Read

Another busy month goes by, but the team has...
Protecting Against Ransomware: What Role Does Threat Intelligence Play?

Protecting Against Ransomware: What Role Does Threat Intelligence Play?

September 7, 2021 | 4 Min Read

Ransomware actors are thriving at the moment:...