The self-sustaining ransomware industry earned $692m from collective attacks in 2020
Even cybercriminals are embracing subscription-based business models aggressively, as many illicit organisations are now providing Ransomware-as-a-Service (RaaS), a new type of malicious subscription-based service to sell or rent ransomware to cybercriminals that lack the technical skills to commoditize ransomware.
In 2021, double extortion ransomware increased by 117% globally. CERT-In noted that the country witnessed double the ransomware attacks in 2021 compared to 2020, leading to more organizations paying ransoms.
Tenable's study claims that ransomware gangs made $692 million from all of their attacks in 2020 alone, a 380 percent rise over the previous six years combined ($144 million from 2013 to 2019). RaaS's popularity has drawn in other participants, including affiliates and initial access brokers (IABs), who frequently play more significant roles in the ransomware ecosystem than the ransomware groups themselves. What this essentially means that compared to earlier when ransomware attacks were carried out only by advanced cybercrime groups, now even an inexperienced cybercriminal can leverage advanced tools to launch destructive online attacks.
Affiliates who earn between 70%-90% of the ransom payment, are charged with the task of doing the dirty work to gain access to networks through tried-and-true methods such as spear phishing, deploying brute force attacks on remote desktop protocol (RDP) systems, exploiting unpatched or zero-day vulnerabilities and purchasing stolen credentials from the dark web.
“Affiliates may also work with IABs, which are individuals or groups that have already gained access to networks and are selling access to the highest bidder. Their fees range on average from $303 for control panel access to as much as $9,874 for RDP access,” the research notes.
The research found that ransomware’s current dominance is directly linked to the emergence of a technique known as double extortion. The tactic, pioneered by the Maze ransomware group, involves stealing sensitive data from victims and threatening to publish these files on leak websites, while also encrypting the data so that the victim cannot access it. Ransomware groups have recently added a variety of other extortion techniques to their repertoire, including launching DDoS attacks to contacting customers of their victims, making it even more challenging for defenders. These tactics are part of the ransomware gangs’ arsenal as a way to place additional pressure on victim organizations.
“With RaaS and double extortion, Pandora's box has been opened, and attackers are finding holes in our current defences and profiting from them. In 2021, double extortion ransomware increased by 117% globally. CERT-In noted that the country witnessed double the ransomware attacks in 2021 compared to 2020, leading to more organizations paying ransoms,” said Satnam Narang, senior staff research engineer, Tenable. “So long as the ransomware ecosystem continues to thrive, so too will the attacks against organizations and governments. It’s imperative that these entities prepare themselves in advance so they are in the best position possible to defend against and respond to ransomware attacks.”
“While ransomware groups get the most notoriety and attention for attacks, these groups come and go. In spite of the turnover, affiliates and IABs remain prominent fixtures in this space and more attention should be given to these two groups in the ecosystem at large.”