What do ransomware and big business have in common? More than you might expect.
That’s not a swipe at capitalism or Big Tech. (There are plenty of other places you can go for that.) It’s merely a recognition of how rapidly the business operations of today’s “top” ransomware operators have evolved. They’re now behaving more like the major enterprises they’re robbing, according to cybersecurity experts.
Ransomware gangs are renting out office spaces IRL, springing for graphic designers to spruce up their public web presence, and even offering prompt and courteous customer service for victims and clients. “From the outside [these gangs] look just like some other legit tech company,” says Jeremy Kirk, a cybersecurity journalist and host of The Ransomware Files, a podcast dedicated to covering stories of ransomware attacks.
“Many of today’s most successful cybercriminal groups operate like Fortune 500 companies, with deep investments in research and development and marketing of their products and services and day-to-day operations,” says Bitdefender’s Daniel Clayton.
Groups like the FIN8 ransomware gang have actually proved to be “more disciplined than a lot of commercial engineering teams,” says Clayton, who did stints with British intelligence and the U.S. National Security Agency in a prior life. They employ the sort of “agile” development framework touted in Silicon Valley ad nauseam—going offline to develop their malware, coming back online to test their product on a victim, then retreating back to the shadows to work out the kinks.
Spurred on by the proliferation of cryptocurrency and remote work in the COVID age, ransomware is experiencing its own big tech bubble. To set themselves apart from unscrupulous competitors and pull in bigger hauls, some of the leading ransomware gangs began to self-regulate and corporatize their operations over the last several years. And it’s worked. Suddenly, the top dogs in those orgs could afford to “buy a lot of Lamborghinis and Rolexes,” says Evan Wolff, a lawyer who specializes in ransomware incidents.
But bigger paydays in turn attracted more, and often less experienced, criminals to this illicit market. As a result, the experts I spoke with say, the industry may be on the verge of a relapse, which could revive a world where attacks come from all directions, and paying a ransom today no longer keeps you off a hit list tomorrow. Soon we may long for the good old days when ransoms were high, but at least the cybercriminals were honest.
Once upon a time, ransomware actors were content with simple extortion. The practice of ransomware dates back to the late 1980s, and became a more common feature of the cyber threat landscape in the 2000s, but there remained kinks that needed to be worked out before ransomware could become the massively profitable enterprise it is today. Perhaps the first major sign the industry was taking business development as seriously as their criminal capers came in 2015, when the threat actor behind the SamSam ransomware began offering prompt, reliable customer service to its victims. When a SamSam decryptor didn’t decrypt a network, victims would receive a polite apology from the group that just moments ago was threatening to annihilate their entire business. A fully functioning tool would be waiting in their online mailbox the very next day. Providing something akin to five-star customer service for their victims “changed the game for ransomware operators,” says Charles Carmakal, CTO of the cybersecurity firm Mandiant.
As other threat actors noticed that this customer-first attitude seemed to be working for SamSam, some began to follow suit, according to Carmakal. Now groups like Conti have developed reputations not only for their destabilizing malware, but also for their prompt response times, says Evan Wolff. Many ransomware gangs will reply to emails in a matter of minutes or hours rather than leaving a victim waiting for days, and Clayton says some “even have call centers to make payment easy.”
Other gangs, however, preferred to make the crimes more damaging to victims, rather than more customer-friendly. Early digital heists couldn’t reach their full potential by relying solely on network encryption, as this left the crown jewels of the computerized fortress out of reach to both attacker and victim once the encrypted walls went up.
To solve this dilemma, attackers started looting victims’ networks before encrypting them, employing a technique now known as multifaceted extortion. Mandiant traces the rise of “naming and shaming,” where a ransomware attacker publicly announces a victim’s embarrassing data losses online, to 2019. By the following year, more than half of the ransomware attacks observed by Mandiant involved data being transferred off a victim’s network.
With control over the network’s treasures, cybercriminals could credibly threaten to leak trade secrets or employee health records to make victims think twice about calling in law enforcement, and to provide a little extra motivation for those considering forgoing that ransom payment. The same year this tactic took off, average ransom payments increased by 83 percent to more than $150,000, according to Mandiant. Until recently, however, paying a ransom still provided no real guarantee the ransomware operator wouldn’t leak the data anyway once the transaction was complete.
It was here that a gang known as Maze saw opportunity: to build its brand, stand out from an unreliable crowd of threat actors, and ultimately make more money. Starting in 2019, when a victim paid a Maze ransom, they weren’t just buying their network back, says Carmakal. They were buying a guarantee that all their trade secrets would stay out of competitors’ hands, that they wouldn’t incur the wrath of regulators and clients for failing to secure their personal information, that their private internal communications wouldn’t end up on tomorrow’s front page.
By introducing trust into the equation, Maze redefined the “rules of engagement,” according to Carmakal, and ushered in a new era of brand-conscious ransomware gangs, an era first hinted at by SamSam. It also helped bring into the criminal mainstream the helpful hotlines and customer service representatives that let victims troubleshoot their own hostage-taking.
Another early inhibitor of ransomware was its indiscriminate distribution model, which relied on sheer luck to land malware in a mailbox belonging to a user who wasn’t aware of the internet’s stranger-danger rule, says Carmakal. Since blasting their malware across the internet via “shotgunlike” mass phishing campaigns left attackers with no way of knowing whether they’d hit a pensioner’s 20-year-old desktop or a multibillion-dollar corporate network, they had to keep their demands restrained just to ensure they walked away with something to show for their crime. Usually, this meant demands in the range of $500 to $15,000. Kirk recalls his own father-in-law’s personal computer getting hijacked via ransomware a decade ago for a few hundred bucks.*
After all, you can learn a lot about someone—and what they’re worth—by spending a little time rummaging through their networks. SamSam became one of the first gangs to pull tens of thousands of dollars in a single attack by adjusting ransom demands according to each victim’s assets and ability to pay. “Back in those days, that was big money,” says Carmakal.
Still, most multifaceted extortions today don’t bother with premeditated targeting or reconnaissance of the victim environment, according to Carmakal. They just spray and pray. (He even says REvil’s hackers may not have known the true gravity of whom they were hitting when they attacked Colonial Pipeline in summer 2021.) But those who take the time to scout before they strike are rewarded handsomely for doing so. Savvy ransomware operators will often search for cyber insurance documents within a network to gain a window into the victim’s cost-benefit analysis framework and maximize their ransom demands.
In fact, among the experts I spoke with, cyber insurance policies vis-à-vis ransomware are a bit controversial. Although insurance may allow victims to bear the cost of an otherwise unaffordable ransom and restore their businesses, Clayton notes it can also encourage repeat attacks, since paying a demand once can signal a victim is able and willing to do so again. By underwriting the costs of these payments, the cyber insurance market arguably provides the reward that makes this whole criminal enterprise worth the effort, enabling its longevity. Whether that price is worth paying to afford victims a safety net may depend on whose perspective you’re viewing the situation through.
While he understands why a business may feel it has no choice but to pay off cybercriminals during a crisis, Clayton says that macro-level changes are necessary to reduce the financial incentive for ransomware. “The big message here is if organizations continue to pay ransoms, ransomware attacks will continue,” he says. “Simple supply and demand.”
In Clayton’s view, insurers should use their economic influence over their customers to promote better security standards at scale by making eligibility contingent on whether the victim/client has taken the “minimal steps necessary for defending themselves.”
“The good news is insurance companies are reacting because they’re getting hammered” by the huge sums they’ve been forced to pony up to reimburse clients for ransomware losses, says Clayton—something Wall Street Journal reporter Dave Uberti has written about (and discussed on an episode of Slate’s What Next: TBD). As a result, the number of ransomware attacks resulting in payment fell from around 50 percent in 2020 to 12 percent in 2021, says Clayton.
Of course, those suffering what may very well be the worst day of their lives probably aren’t too concerned about these big-picture considerations. “You can’t put this in a vacuum and say if people just stopped paying, the criminals would go away,” especially if the attack is enough to “kill your business,” says Kirk. “Some companies truly don’t have a choice.”
This whole notion of criminal customer service may sound absurd, but victims are taking note. Hired to support ransomware victims through the negotiation process, some legitimate organizations even “keep dossiers” on the various threat actors in this landscape, as noted in a May 2021 episode of What Next: TBD. By grading ransomware gangs on reliability, these organizations can help clients decide whether their hostage-taker is somebody they want to do business with.
However, all of this speedy, trustworthy, and user-friendly service comes at a significant price.
Before the pandemic opened the floodgates to ransomware, ransomware transactions were defined by lows, according to Wolff: low-value targets, low payments, and low degrees of confidence. When victims gave in and paid for a decryption tool (about $40,000 to $100,000), they would often only get back 50 percent of their networks.
Today’s victims, in contrast, are more likely to be fully restored, and they’re less likely to suffer data leaks. Carmakal says that 90 percent of the decryptors shared by most big-name groups actually function the way they’re supposed to (after the attackers get their ransom, of course). The flip side is that the victims hit the hardest are now being held hostage for tens of millions of dollars, rather than tens of thousands. And in a COVID era when giving employees remote access to business networks via insecure home computers is standard practice, there are more entry points for attackers to exploit.
Of course, none of this is to say that better customer service translates to benevolent criminals. Two Iranians accused of authoring the SamSam ransomware were indicted by a U.S. federal grand jury for hacking more than 200 victims, including hospitals, universities, and several American cities (though they are unlikely to ever stand trial), while Conti has been implicated in possible links with Russian intelligence since the invasion of Ukraine. Yet creating a better customer experience has certainly made these criminals more profitable. As ransomware gangs evolved from the hacker equivalent of a cold-calling telemarketer toward a far more precise, deliberate, and intelligent targeting model, they were also able to increase the value of their efforts by casting their lures more accurately in the direction of the big fish.
Like Liam Neeson’s character in Taken, software developers possess a very particular set of skills. Building those skills, however, comes with an opportunity cost: The time spent learning to code malware is time you cannot spend, for example, practicing how to evade network defenses. That’s why ransomware developers are increasingly outsourcing various stages of the attack to specialized outside actors, according to Clayton.
One team may build the ransomware tools, while another acquires the initial access to the victim network (often through means like phishing), and yet another unlocks the admin privileges needed to lock the system. After the attackers drop their bomb and encrypt the network, another team sets up a website to shame the victims into making a deal while yet another team negotiates with the victims. Some gangs are even rumored to hire their own vulnerability researchers, according to Kirk, which could offer access to undiscovered (and therefore unpatched) vulnerabilities to exploit.
“Many cybercriminal gangs are often cobbled together based on areas of expertise,” says Clayton. “Profit is the glue that stops them falling apart.”
This multiteam model lends itself to a growing trend known as “ransomware as a service,” or RaaS, in which ransomware developers make their wares available to whoever wants them on a subscription basis.
Think of it like a McDonald’s franchise, as some experts like to describe it. There’s the main corporation, of course, which runs many of the restaurants, but not all. Some are run by the franchisees—folks who may not get mentioned in the formal McDonald’s org chart, but still want in on the brand’s “secret sauce” (and the profits that come with it). They pay Ronald McDonald for the rights to use his branding and sell his products in local stores they manage themselves.
Likewise, with the rise of RaaS, entrepreneurial cybercriminals can execute their very own ransomware attack using the latest and greatest in malware technology for a low, low monthly price. But while the core group that developed and sold the code may turn a nice profit by sharing its tools, reckless “affiliates” (as the franchisees of ransomware are known) have brought unwanted attention to the sector as a whole.
Recent attacks against “high-profile targets” like Colonial Pipeline and JBS Foods were carried out by affiliates that acquired ransomware from brand-name operations, says Kirk. Not only did these attacks famously lead to supply shortages, but by striking nationally vital so-called critical infrastructure, they put the whole ransomware industry on the radar of the most powerful national security apparatus in the world, earning these groups unprecedented attention from U.S. law enforcement.
Under this heat, gangs are increasingly seeing their operations disrupted, and may begin to fight among themselves over how loot should be split. “As the whole racket becomes less disciplined, we’ll see more evidence of internal conflict,” warns Clayton. Dissatisfied parties may splinter off into rogue elements, which may “double ransom” victims after the main team receives payment, potentially pressing their victims past their breaking points while they’re still recovering from their first bout.
Additionally, the growing availability of ransomware tools has made it easier for wannabe cybercriminals to enter the game. Clayton says that ransomware has been increasingly used by “much smaller, much less disciplined gangs” since mid-2021, drawn to the top dogs’ growing revenues. He likens this to the “natural evolution” of business, in which a pioneering organization—whether that be Apple, Microsoft, or Ford—inspires smaller, less resourced firms to spring up and try to mimic its success. But where competition can be a good thing in the legitimate business world, as it forces companies to improve the quality of their products or reduce prices to stand above the crowd, in cybercrime, the results are not quite so positive.
“As smaller groups or lone wolves with less technical capability and resources get into the ransomware game, we will see more focus on short-term gain than the bigger picture of maintaining confidence,” says Clayton. After all, even if maintaining a trustworthy reputation is seen as a value add for those sitting atop the ransomware S&P 500, not every ransomware actor caters to the idea of “honest” criminality. Shortsighted opportunists, unfazed by the thought of losing future business, may prefer to take a ransom and run rather than see their victim’s networks restored to full health.
Ransomware may also be employed as a smoke screen rather than a primary weapon, used to distract victims and investigators after an intruder triggers alarm bells, allowing them to sneak out of the network amid the panic. This may be particularly appealing to “highly sophisticated adversaries with more detailed objectives than exploiting money,” says Clayton.
Similarly, Carmakal says he’s “positive” that the trend away from extraneous data leaks “will change later this year” as a result of conflicts within ransomware operations. If he’s correct, businesses and other victims could see their data leaked regardless of how much they choose to cooperate with their hostage-takers, meaning some victims could see themselves screwed twice over.
While all this suggests a more chaotic future for ransomware—a perpetual stream of reckless highway robberies rather than a discrete number of patient heist jobs—victims may increasingly face attackers with zero intention of living up to their end of the ransomware contract. Perhaps as faith in these negotiations dims, big businesses will stop pumping up this ransomware bubble. But those who don’t keep up with the latest cybercrime trends may feel they have no choice but to acquiesce, and will grasp the double cross only after the check has cleared.
Correction, May 19, 2022: This article originally misstated that Jeremy Kirk’s stepfather’s computer was hijacked by ransomware. It was Kirk’s father-in-law’s computer.