Recently, certain industry commentators claimed that ransomware-as-a-service (RaaS) has declined and could disappear by the end of 2022. That’s a bold claim, especially since it’s based mostly on conjecture as opposed to empirical evidence. Does it hold up? Based on what we see, I don’t think so.
What are the reasons claimed for this supposed death? Firstly, the Conti ransomware operators declaration of support for Russia at the beginning of the war in Ukraine was the latest damaging overstep by ransomware operators. Secondly, by being based in Russia, ransomware groups are subject to sanctions against Russia. Victims can’t pay ransoms to groups in Russia or won’t have cyber insurance coverage to do so. The ransomware itself facilitates attribution, tying attacks back into these now sanctioned entities. Third, backup technology has evolved to such an extent that victims don’t need to pay ransoms. Fourthly, data extortion attacks are faster and easier to conduct and harder to attribute.
These arguments seem reasonable, but they don’t add up to the truth. For a start, comparing the first half of 2022 to the same period in 2021 doesn’t show a major drop in the number of reported ransomware victims. Furthermore, many victims never get listed on leak sites at all. We believe that some groups may continue their pivot towards attacking smaller victims, but that may simply lead to a reduction in reporting, not a reduction in victim numbers.
Undoubtedly, Conti shot itself in the foot, as shown by a pro-Ukrainian researcher leaking information about Conti, and the dissolution of the group. However, reports indicate that Conti affiliates have moved to work with other ransomware groups, like the highly-prolific LockBit.
There’s no question that ransomware groups overstep periodically. Individual groups disband but overall, the ecosystem adjusts. The disappearance of Maze or Darkside didn’t mean the end of ransomware. Nor will the disappearance of Conti. New groups that have launched in recent months include BlueSky, Black Basta, Industrial Spy, RansomHouse, Black Shadow, Sparta, and Cheers. At least some of these apparently involve ex-Conti veterans. Many other groups without leak sites continue to conduct low profile attacks that don’t get included in victim counts.
Obviously, there are some great backup products. A good, recent set of backups helps speed recovery. But our incident response work shows that good backup practice isn’t universal, and backups themselves may be encrypted in the attack.
The ransomware itself can link an attack to a particular ransomware group (although not to a specific affiliate – some affiliates work with several operators and most operators work with several affiliates) but it does not usually link it to a specific individual who authorities can prosecute. There remains little personal risk in engaging in ransomware attacks. In addition, victims outside the U.S. may also not consider themselves bound by U.S. sanctions. Plus, not all ransomware groups or affiliates are Russian – many are based in other Commonwealth of Independent states, in Latin America, the U.S., Canada, and elsewhere.
What’s more, removing ransomware from the attribution equation won’t magically stop security analysts from attributing attacks. Multiple other signature threat indicators and tactics, techniques, and procedures help analysts identify threat actors. Indeed, any type of ransom demand requires the threat actor to self-attribute if they want payment.
There’s certainly a diversification taking place in the tactics and extortion factors used in attacks. But diversification is not the same as replacement. We are seeing ransomware operators innovating rather than going away, using languages like Rust to make their ransomware cross platform, or intermittent encryption to speed up ransomware deployment. LockBit has promised to incorporate DDoS techniques into its attacks to pile on pressure to pay.
Further, in terms of business disruption, a data theft attack does not compare to a ransomware attack. Removing business downtime removes one of the biggest reasons to pay a ransom, especially as we have no guarantee that stolen data will not get leaked or sold to other threat actors. Some ransomware attacks take just a few hours or less from access to deployment, while identification and exfiltration of large amounts of sensitive data does not always happen quickly, so data theft is not greatly faster than ransomware. Switching from ransomware to data theft does not reduce the risk of discovery but it may substantially reduce revenue.
The big names may change, but the threat remains largely equivalent. Even if there has been a slowdown (and we contest that claim), the threat hasn’t ceased. Arrests are no more likely than before, and ransomware still pays better than a legitimate IT job in many countries. Now’s not the time for organizations to stop monitoring for and defending against ransomware attacks.
Jane Adams, consultant, Secureworks