Governance, Security
To pay or not to pay: this is the lock(Bit)-in data dilemma
The conclusion of 2022 has brought with it, inevitably, what is the overall tally of ramsomware attacks scored during the year: in fact, it is estimated that approximately $456.8 million was extorted in the whole of 2022.
A figure that, when compared to the record $765 million recorded in the previous two years, would point sharply to a decline of about 40 percent, boding well.
Analyzing the data on a trend that would thus seem to be encouraging was, among others, Chainalysis -a U.S.-based blockchain analysis company- which attributes the drastic drop in ransomware profits not so much to fewer attacks, but more to the firm resolve of victims not to pay what the malicious actors demand.
And the change in trend would seem to depend, primarily, on three different and interrelated factors:
- Victims have a heightened awareness that paying does not always equate to getting their data back, intact
- Reputational damage from ransomware attacks appears to be mitigated due to public perception becoming more mature and lenient over the years
- Thanks in part to the security standards that government agencies, and even insurance agencies for ransomware coverage, recommend and require to be implemented, organizations are able to adopt increasingly effective response and back up strategies
And even more corroborating the annual budget analysis is the realization that 2022 was, in fact, precisely one of the most active years in terms of ransomware activity: there were, in fact, thousands of strains of file-encrypting malware that affected organizations of the widest range of sizes; but, probably thanks precisely to the recorded decrease in profits, the average duration of a ransomware attack dropped to “only” 70 days in 2022, compared to 153 in 2021.
The year 2022 was also marked by the end of Operation Conti and the emergence of new ransomware-as-a-Service (RaaS) businesses such as, for example, Royal, Play, and BlackBasta, while ransomware operators such as LockBit, Hive, Cuba, BlackCat, and Ragnar maintained a relatively constant and efficient attack flow throughout 2022.
In fact, it was only a few days ago that news broke that the Royal Mail-British postal service part of the International Distribution Services delivery group, valued at £2.2 billion on the London Stock Exchange-was grappling with the consequences of a ransomware attack claimed by LockBit itself.
The group had already struck the City, in October 2022, by attacking Kingfisher Insurance, but Royal Mail now holds the sad record of being among LockBit’s biggest targets: much of the infrastructure has in fact been prevented from sending any kind of mail outside the British Isles, and in a post published on a private forum LockBit is keen to let it be known that the perpetrator of the attack is one of the elite members of the LockBit top ten, who specializes precisely in decrypting and then deleting stolen data upon ransomware collection.
And although Royal Mail has yet to officially confirm that it was LockBit that breached its cyber defenses by encrypting and holding its data to ransom, Royal Mail CEO Simon Thompson nonetheless told British MPs that “Discussing any details […] would actually be damaging.”
But LockBit appears to have launched a real extreme attack campaign over the past year, thanks precisely to the disbanding of rival gangs and the launch of a new version of their malware (LockBit 3.0) capable of automating the most basic tasks.
But LockBit’s ‘market’ strategies went even further: they launched real marketing promotions ($1,000 for anyone who had the group’s name tattooed in plain sight), and they also provided victims, potential and otherwise, with a kind of vademecum on how to defend themselves (e.g., investing 10 percent of one’s budget in cybersecurity or the advice to apply updated patches and hire external agents to test weaknesses in one’s organization).
We are then faced with what is a lucid, albeit diabolical, group efficiency capable of wreaking havoc around the world: de facto, according to Israeli security firm CyberInt, LockBit accounted for just over a quarter of all ransomware attacks disclosed in 2022.
Shmuel Gihon, a security researcher at CyberInt who has been following the group closely, foreshadowed how the group is now poised to gain more and more power, stating that “LockBit knows how to handle themselves much better than many legitimate companies, they are professional, they take care of their public relations, they focus on their product, their business, and they stay away from politics. […] They are presenting themselves as an organization that cannot be ignored, at this rate they will be everywhere and there is not much that can be done.” And LockBit’s strength is precisely its “Ransomware as a Service” model, which allows them to rent its malware and later provide technical assistance to remote “affiliates” who will then penetrate the target’s networks by installing the LockBit malware.
Only at that point do the more experienced and senior members of the group come into play, infiltrating the most secure areas of the victims’ network, identifying their most crucial files to be encrypted and then carrying out the actual negotiation stages of the ransomware.
All of this, it goes without saying, subject to a fee, which is often substantial and estimated to be up to 20 percent of the total ransom value.
So unless Royal Mail decides to escape the 2022 statistic and pay the ransom, weeks, if not months, of inconvenience lie ahead, said Hanah Darley, head of threat research at Darktrace.
“In situations like this,” Darley continued, “recovery from the attack takes, at ‘best,’ days or weeks and, at worst, weeks and months.
[…] It’s like a ripple effect: the real effects will only be discovered over time.”
For his part, Royal Mail CEO Simon Thompson, on the other hand, told Parliament in recent days that there are many solutions under consideration aimed at restoring services.
Thus, let us conclude with a dutiful reflection that pulls back a bit on 2022 and may provide an outlook for 2023: although it would seem that victims handle ransomware attacks differently than they did two years ago, and yes, by now we are even tired of hearing about it, but ransomware will remain at the top of the list of risks to organizations for a long time to come.
In 2023, we are likely to see more intrusions conducted by unorganized attackers and non-national states with the goal of strengthening their “brand.”
In Europe, the number of ransomware victims is increasing, and if this increase continues, in 2023 Europe is likely to become the most targeted region compared to the United States, where policymakers and law enforcement are promoting a more secure environment.
The United States is currently doing more than Europe, as it is heavily focused on security enforcement through proactive assessment of critical national infrastructure by 5 different government agencies.
Europe, however, is finally coming into line, with new regulations (DORA and NIS2) to support infrastructure and businesses.
The use of ransomware-as-a-service platforms targeting data exfiltration is also set to increase due to their greater availability, ease of use, and higher profits for attackers.
Data exfiltration as part of a ransomware attack that focuses on data exfiltration offers attackers the opportunity to multiply their financial gains not only based on paying the ransom, but also by selling the data.