The Evolution of Ransomware: Risks and Solutions
Oscar Raimes | 9 February 2024
Summary
Ransomware networks are highly sophisticated and have the ability to cause major short-term disruption.
Law enforcement has limited ability to effectively target ransomware groups.
Large organisations should focus on improving their cyber security infrastructure to dissuade attackers.
Ransomware began with lone hackers targeting individuals for small payoffs; ransomware gangs have since evolved into highly sophisticated and lucrative networks. The term now covers any activity in which hackers compromise systems and demand a ransom for the restoration, or the non-exposure, of encrypted and/or stolen data and systems. Groups now have the competence to engage in ‘big game hunting’, whereby they identify large, wealthy organisations, probe for weaknesses and develop a plan of attack. Attacks such as those on the Colonial Pipeline, Ireland’s Health Service Executive (HSE) and Transnet in South Africa have put ransomware on the map and precipitated a long-overdue response from western law enforcement. Unfortunately, government actors are hampered by the fact that most ransomware groups are based in Russia and are typically either tolerated by Russian state security agencies or work alongside them. Indeed, one of the most high-profile ransomware attacks of recent years, the 2017 attack on Ukraine, is widely agreed to have been a form of hybrid warfare centred on disrupting the Ukrainian state rather than gaining a meaningful payout.
Organisations looking to decrease their vulnerability to such attacks should invest in building and maintaining adequate cyber security infrastructure in order to deter hackers and encourage them to pursue easier targets instead. This is likely to be an expensive undertaking, and even then there is no guarantee of success: it takes only a single exploitable weak point for hackers to gain access to a system. Once their networks have been compromised, many companies pay ransoms and are likely to continue to do so, particularly given that cyber insurance firms have provided coverage for ransom payments. Businesses are likely to continue to decide that they have little choice but to pay ransoms rather than incur the substantial costs caused by disruption. In fact, ransomware groups have been known to deliberately target critical services and organisations that rely on operating on a 24/7 basis.
However, paying a ransom does not guarantee a resumption of normal service. In both the HSE attack and the Colonial Pipeline attack, the hackers returned the decryption key almost immediately after the attack began, but the organisations still faced enormous disruption in trying to resume normal service. Furthermore, even after victims have got their systems working again, they may face ‘double extortion’, whereby hackers demand an additional payment in return for not leaking commercially sensitive or reputationally harmful information obtained during the initial attack.
Forecast
Medium-term
Ransomware will remain a threat to large organisations, particularly those involved in the delivery of critical services.
Increased prevalence of hybrid warfare attacks on critical infrastructure under the guise of ransomware attacks.