Ransomware Remains a Top Concern
Ransomware is big business. While the players, methods, and tools have changed over time, the primary motive is simple – disrupt an organization’s operations and hold it for ransom. Given the straightforward nature of most attacks, most ransomware incidents are hardly “sophisticated.” Instead, they are opportunistic strikes using tried and true techniques. Though there has been a decline in ransomware, there is no reason to expect threat actors to give up on this wildly profitable (albeit criminal) line of work.
Decline in Ransomware
The United States has generally seen a decline in the volume of ransomware incidents over the past few months. Despite the downturn, ransomware attacks are still happening regularly and with great effect. In recent weeks, confirmed attacks have impacted a hospital system in Texas, the Los Angeles Unified School District (LAUSD), and the hotel giant InterContinental Hotels Group, to name a few. (IHG has only confirmed an attack, not necessarily ransomware, but all indicators point to ransomware.)
The LAUSD incident affected the district just as classes were starting up again. The group claiming responsibility for the incident has also claimed to have stolen 500 GB of data from the school district. On September 6, 2022, a message from the FBI, CISA, and MS-ISAC warned that school districts might experience an uptick in attacks.
OakBend Medical Center in Houston suffered a ransomware attack that took clinical and communication systems offline. It’s important to note that, according to OakBend, patient care was never at risk.
IHG, which operates over 6,000 hotels worldwide, saw its booking and customer-facing sites taken offline by an attack. The organization has not yet confirmed that the attack was ransomware. However, the Lockbit group claimed a successful attack against an IHG hotel in late August 2022. From the outside, the operational effects are consistent with ransomware.
Each of these incidents is an example of the widespread impact that ransomware actors can inflict. These incidents can have unpredictable and devastating effects on organizations and individuals. The disastrous results are the same whether it’s an interruption to the school year, a medical center without communications, or a hotel group that can’t accept reservations.
It’s unclear why there’s been a downturn in volume, although sanctions in the wake of Russia’s invasion of Ukraine are one likely cause. Many of the most infamous ransomware gangs and their affiliates have been alleged or confirmed to be operating freely from within Russia for years. Before the invasion, the United States did not sanction these actors. Thus, victim organizations in the United States could pay a ransom if they had no other way to restore operations. Once the sanctions started flying, many cryptocurrency payment providers enhanced their due diligence efforts and refused to pay ransoms that had any possibility of ending up in Russia.
During this US downturn, some groups – notably, Lockbit – have remained very busy attacking organizations outside the United States. A recent look at Lockbit’s dedicated leak site (“DLS”) showed a dizzying number of victims whose names or data had been posted. Very few of the victims are based in the US. Ransomware actors are known to keep up with the news and, perhaps, decided to shift focus to countries with less mature frameworks around ransom payments.
It’s worth noting that ransomware has developed a cyclical trend. Whether threat actors are taking time off (we know Conti actors made formal requests for vacation time), planning and preparing for a new wave of attacks, or regrouping and rebranding after having the spotlight shined too brightly for comfort (e.g., DarkSide after Colonial Pipeline), this most recent decline in ransomware is nothing new. It’s reasonable to expect incidents to continue ramping up.
Ransomware is, at its core, still a very profitable (criminal) enterprise. BreachQuest’s analysis of the leaked chats from Conti affiliates showed operating costs of at least $6 million. Chainalysis estimated the group pulled in at least $180 million from victims in 2021 – enviable profit margins by any measure.
Written by Sean Cordes, BreachQuest’s Associate Director of Incident Response.