What will ransomware crews do when the pay out isn’t worth the risk?

It’s not just colloquialism either, according to ACSC’s Annual Cyber Threat Report, there was a 15 per cent increase in ransomware attacks in Australia from last year. Globally, data breach average cost increased by 2.6 per cent from US$4.24 million in 2021 to US$4.35 million in 2022.

Clearly, ransomware is paying off for attackers today, but with governments actively disrupting the key culprits and organisations tackling it as their number one risk, it begs the question – what will be the new path of least resistance?

Government intervention

Spikes in ransomware and escalating geopolitical tensions with Russia and China set the scene for President Biden’s Executive Order on Improving the Nation’s Cybersecurity. The order was a comprehensive reaction to the Colonial Pipeline Attack and set out bold guidelines and offered serious investment in private cyber security infrastructure. Naturally, Australia followed suit with the Australian government's Ransomware Action Plan.

This intervention by governments has put serious pressure on ransomware crews who are slowly being cornered. Increased powers to law enforcement, the establishment of the multi-agency task force, Operation Orcus, and modernised legislation "upped the stakes" for perpetrators. The war in Ukraine has also created deep internal frictions within ransomware operators, who are finding the clash between financial gain and political objectives increasingly challenging to balance. Despite recent large-scale attacks against government targets, a shift in focus is likely as high-profile government or critical infrastructure targets become less worth facing the heavy hand of the law.

Coupled with these stronger powers to agencies is the investment in cyber security infrastructure and collaboration. The $1.7 billion CESAR strategy and ASD REDSPICE will go far in bolstering both government and industry cyber security capabilities and introduce transparent reporting on attacks. All this means increasing parity with ransomware crews who have historically been able to share and collaborate tools and tradecraft in a manner not often reflected among the white hats. A united front where lessons are shared and industry responses are targeted and rapid is a far cry from the siloed and secretive responses that have traditionally given ransomware crews the advantage.

New architecture, new vulnerabilities

The spate of ransomware attacks in the last two years has spurned on investment in cyber security from concerned CEOs and CISOs. A 2021 report released by Causticizer valued the Australian cyber security market at US$4.6 billion in 2021 with the industry growing to US$5.8 billion by 2024. With expected growth and renewed attention in cyber security, there is no doubt new improvements will be made making ransomware attacks harder to enact.

VIEW ALL

Heralded among those improvements is implementing zero trust. In the same way that ransomware is the weapon of choice for attackers, zero trust appears to be emerging as a weapon of choice for defenders. Such is its promise that President Biden specifically directed federal civilian agencies to establish plans for zero-trust architecture in his Executive Order. NIST is setting standards on zero trust and CISA is defining a zero-trust maturity model.

Zero trust isn’t a product, it’s a wholistic concept. It eliminates implicit trust by designing systems that assume all components have already been compromised to help prevent breaches, ransomware, and lateral movement. Its development and eventual roll out will pose immense problems for ransomware attackers who have become all too used to quickly traversing organisations sprawling networks, capturing sensitive data.

However, zero trust may also be a victim of its own success. The challenge will be to lock down access without completely halting workflows. People in organisations require access to sensitive data to work and collaborate so being locked out by your own security would drastically affect productivity. Attackers may only need to target a certain network to cause a cascade of network shutdowns, costing companies the same if not more than a ransom.

The next targets

As ransomware becomes an ever-riskier endeavour, it's inevitable that cyber criminals will look for the next easy target to leverage and extort.

The first step is a likely shift in focus, away from big single organisations to a multitude of smaller targets that are less likely to individually attract the attention of authorities but can collectively yield large sums. We have seen a growth in "upstream" attacks already, in which vendors of targets are compromised as the soft underbelly to a big score – the Okta breach of this year is a good example. With a growth in double and triple extortions, it is also likely that managed service providers will become increasingly juicy targets, as their multitude of typically smaller clients produce orders of magnitude, more scope for extortion than hitting a single target.

Similarly, SaaS compromise is a likely candidate for ransomware crews looking for the path of least resistance. The ubiquitous use of SaaS platforms has led to data fragmentation and dilution amongst large organisations and a reduction in the visibility of information assets. This fragmentation has in turn resulted in an explosion of cross-platform tools, complexity in defence, and confusion among staff. With more confusion and complexity comes easier ways for attackers to exploit blind spots and creep into a network. Add to this the surge in "white labelling" of software, and suddenly you have dispersed estates with little centralisation or visibility, and often little transparency of the technical experience of your SaaS provider, leaving you vulnerable to a well-coordinated attack.

The cryptocurrency sector is now well and truly established, with casual investors and big banks alike dipping their toes, and as such, the theft or generation of cryptocurrency has become another easy win for criminals. According to SonicWall research, "cryptojacking" cases rose 30 per cent in the first half of the year as attackers exploit novice retail investors who lack the technical knowledge that attracted early adopters. Beyond individual attacks, criminals looking for a big heist are increasingly targeting crypto exchanges which pose a far lower risk of retribution than government, education and critical infrastructure organisations. The problem is exacerbated by the inherent avoidance of government intervention and the shunning of traditional financial centralisation and regulation that is baked into crypto philosophy. For hackers, this means attacking in an environment with little oversight and often an unwillingness to call on the government for help. In all, the "anti-oversight, anti-bank" philosophy of many crypto exchanges may become a feeding ground for attackers looking for an easy score.

The demise of ransomware is an inevitability as government regulations take effect and new technologies begin to be implemented, but cyber crime will persist, and with that crime will be new vulnerabilities and new targets attackers will look to for exploitation. If we can successfully predict those vulnerabilities, we may be able to save ourselves from the chaos that ransomware has inflicted on our digital world.

Elliot Dellys is the CEO (chief optimist) at Phronesis Security.