Monday, 02 November 2020 06:06

Ransomware booms, but how many attacks achieve their ends?

By Sam Varghese

Ransomware attacks have grown massively in number over the last 12 months, and these days most attacks on Windows systems use this genre of malware.

But how many are successful, in that they net the people behind the attack the money that they are seeking? It is not easy to compute this as different attack groups have different approaches.

In general, actors behind an attack first gain entry to a system, exfiltrate the data — to be used as an extra bargaining chip later — and encrypt the files on the system. A ransom note is then generated and the attackers wait for the victim to respond.

At times, the victim responds speedily and then there is no way any security firm that looks for these kinds of attacks will ever know, not unless the victim makes it public. It is more common for a victim who pays a ransom to stay mum.

Often, victims do not respond as speedily as their attackers want. In such cases, screenshots of some of the stolen data may be posted to the dark web - or in some cases the clear web - as a means of squeezing the victim.

If the victim responds at this stage, then the attackers remove those screenshots and nobody would be any the wiser. Security researchers would notice only if they happen to be monitoring the sites in question very often.

Brett Callow, ransomware researcher at New Zealand-based security outfit Emsisoft, said it depended on how one defined success as some groups may have a lower conversion rate but would extract more per victim and vice versa.

"Also, keep in mind that the groups which publish the most may not be the most active nor the most successful," he told iTWire. "There’s no set formula for calculating a ransom demand, and some groups likely aim higher than others.

"That means they may get paid more when they’re successful, but that they’re successful less frequently than groups which make lower demands. In other words, the groups which publish most could be the least successful. Maybe. Or maybe not. Who knows?"

Chester Wisniewski, principal research scientist at Sophos, said in recent months, the ransomware ecosystem had split into two distinct types of threat actor.

"The first are focused on ransomware-as-a-service tools to provide to unskilled attackers and are either charging for the toolset or taking a commission on every ransom payment," he said in response to a query. "They primarily target individuals and small businesses where the barrier to entry is very, very low.

"The second are the ones going after the multi-million-dollar ransoms of enterprise-size victims. These attackers usually work in small groups of uniquely skilled individuals and often at least one of them has similar talents as a very advanced penetration tester.

"This set of attackers have been seen demanding upwards of US$10 million (A$14.25 million)."

Callow said the strategies varied from group to group. "NetWalker posts a couple of screenshots fairly quickly, but delists if/when the company comes to the negotiating table," he said. "Mespinoza, on the other hand, seems not to publish until they deem the case a lost cause. So NetWalker's victims are perhaps a little more visible."

He said Emsisoft had used a figure of 33% success in a country-by-country analysis of attacks. "That seems like a reasonable middle ground, as other research claims either a higher or lower number.

"In many ways, this highlights the problem of information being held in pockets with each company producing stats that are based on its own client base - enterprises or SMBs, insured or uninsured, Europe or Australia, etc."

Callow said STOP accounted for more than half the submissions to ID Ransomware, a site to which one can upload a ransom note and/or sample encrypted file to identify the ransomware that had been used to carry out the encryption.

STOP was spread only through pirated software so any anti-virus firm would list a low percentage for STOP as people who used pirated software were unlikely to use any anti-virus products.

Callow said he was not criticising any anti-virus firm. "Our data likely suffers from similar biases at times," he pointed out. "It's just an example of how companies' users/audiences can result in distorted stats."

Wisniewski said as the second set of attackers had moved to very high ransom demands, most of them had also moved into extortion over disclosure of stolen data to try to apply additional pressure on victims.

"There is no evidence I have seen that this has had much impact, but anecdotally it seems about half or more of victims are paying these high ransom demands," he said.

"Some of this has been fuelled by 'ransom negotiators' as well as insurance companies. This is likely why the US Department of the Treasury has hinted that paying ransoms may be illegal and they are looking to enforce these rules against facilitators as well as victims."

iTWire also contacted Russian security firm Kaspersky for its take on this topic, but a company spokesperson said it had no information to offer.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
