Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Secure Multi-Cloud Environments

Improve cloud security and overcome complexity across multi-cloud environments.

Secure Mergers and Acquisitions

Control cyber risk for business acquisitions and dispersed business units.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Security Operations Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Exact matches only

Search in title

Search in title

Search in content

Search in content

Search in excerpt

Post Type Selectors
Hidden

Hidden

Hidden

Hidden

Back to blog

The Business of Extortion: How Ransomware Makes Money

admin 9 June 2021

We can’t stop talking about it: Ransomware. It’s dominating a lot of security news for sure, which also means it’s definitely in the media cycle and on everyone’s mind. Ransomware groups have recently upped the ante with their attacks with adaptations of various tactics, techniques, and procedures (TTP) in the threat landscape. As if it weren’t enough to worry about the threat of having your data encrypted and held for ransom, groups these days are offering the additional threats of Distributed-Denials-of-Service (DDoS) and data disclosure to their arsenal. Several of these ideas have been around for a while, but with all of the recent upheavals in the ransomware market, many of these tactics have been adopted, dropped, and renewed by some fairly notorious groups to ensure that one way or another, payment will be made.

Many blogs, articles, and researchers keep talking about things like “double-extortion” or other terms you might’ve been afraid to ask about when we talk about ransomware in 2021. We want to shed light on what’s going on now as a “back-to-basics” on how attacks work and some of the history behind them. In this article, we’ll walk through some of the basics as we see ransomware attacks today, which break down to extortion based on threats of encryption, disclosure, or network attack and how your organization can protect itself from data loss.

Ransomware by Encryption

Encryption and extortion were the original basis of ransomware threats. If this tactic is news to you, please say “Hello” to Wilson the volleyball for us because you may have been on a desert island for the last few years (probably more preferable to 2020). In the beginning, the targets varied between individuals and businesses; however, it would seem these days it’s all about the enterprise now. According to the Verizon DBIR, that victim profile was typically located in North America or Europe, in the manufacturing, energy, or healthcare sectors.

The execution also varied among groups, but the model was simple, pay or get encrypted. The decryption part was where things often got tricky, especially for victims, because this is where the variance occurred. It also meant a huge (and potentially expensive) leap of faith.

In short:

In the best-case scenario, victims pay and get their data back.
In a worse-case scenario, they might pay, but the decryption fails, resulting in corruption or some loss of data.
In the worst-case scenario, they might pay, and nothing gets decrypted.

As ransomware attacks began to hit more news cycles worldwide, more and more voices in the security world advised that the best tactic–especially if backups existed or a decrypter was available–was not to pay. Ransomware operators increasingly were likely at a crossroads: It was still probably reasonably profitable, but how to increase pressure while at the same time increasing the likelihood of payment, especially with cyber insurance involved? As ransomware began to look more and more like a service, threat actors were forced to add new revenue streams to their business model.

Ransomware by Disclosure

The “All your data belongs to us” approach—public data disclosures have been around practically since the early years of the public internet, but the practice again changed the landscape when added with ransomware. Intentional data disclosure dates back to the 1990s and was often used in response to feuds among various groups, which brought actual personas out of the shadows and anonymity of the internet.

Varying hacktivist groups, as well as lone-wolf actors, have used this technique–often referred to as “doxing”–in recent years as a method of public shame, generally in response to a person or organization running afoul ethically or socially. In its latest form, ransomware actors opting to include disclosure in their threats will typically exfiltrate critical data first before encrypting it. If a victim fails to meet demands for payment, the added pressure of a public disclosure might be just enough to nudge that victim towards the finish line. Previously, unless disclosed publicly in some fashion, ransomware incidents sometimes could be pretty quiet.

The added pressure of having sensitive data, whether customer or financial data, information on internal projects or plain old intellectual property out there for everyone to see might be too much for an enterprise to bear. Especially in a competitive landscape. One group, REvil, stands out in particular for their brand of nefarious behavior, as they seek to disclose victim information publicly and profit from it.

Ransomware by Network Attack

The old “Extortion or DDoS” gambit is not new. Prototypes of this activity were spotted in the wild as far back as 2015, and in the years following, each were also very newsworthy years for DDoS attacks. Attacks in recent years gained notoriety because of attacker claims to be part of other well-known groups such as Armada Collective, Anonymous, and Fancy Bear, among others; not to mention, they grew in scale and type. They also targeted many different sectors, which left much of the press at the time breathless trying to attribute the threat correctly. In essence, the fake Bears were attacking with extortion threats while the actual Bears were off making big news with espionage campaigns. Several groups have recently adopted the practice, either as a standalone threat or alongside traditional ransomware encryption attacks and newer disclosure tactics.

Distributed-Denial-of-Service in itself is noteworthy because of how an attack originates from widespread IPs, potentially from multiple regions of the world, to shut down networks. The wide distribution of IPs also makes it difficult to attribute directly or even block with some traditional network security methods, especially since botnets can be rented out for this purpose. The very nature of DDoS makes it different from a standard Denial-of-Service attack in this regard.

Akamai’s Tom Emmons recently looked at historical comparisons with known DDoS activity and incidents, which was interesting given Akamai’s unique position as a leading content delivery network (CDN). An interesting takeaway from this research is that DDoS “stresser” kits saw average prices fall, which lines up with our marketplace research: the lowest observed price for a kit was less than a Big Mac meal at a McDonald’s in the US. These low prices provide a shallow barrier to entry for just about any criminal group or wannabe out there. They would be a drop in the bucket for a well-financed threat actor currently making waves in ransomware who might opt for DDoS-as-a-service rather than stand up their own infrastructure.

The good news about DDoS attacks is that despite the bandwidth issues it might create temporarily, there is evidence that these attacks can be mitigated if caught early and through proactive measures that may include a vendor solution or network configurations. The question in this instance is if network availability or data integrity is the priority when faced with all threats in a potential ransomware attack.

Change is Constant in the Ransomware Threat Landscape

In the time since this blog’s inception to its finish, the Babuk ransomware group recently announced they were rebranding their services, with some members moving on to a disclosure-extortion–only model. As we saw throughout May 2021, there were many ripples in the usual marketplaces after the Colonial incident. As time goes on, it will be interesting to see what the potential fallout is as more people are attuned to the ransomware threat. There have already been several high-profile attacks in the wake of ransomware operators moving to other safe-havens.

There should be some healthy debates happening in the private and public sectors about ransomware. Still, as we predicted in 2020, this is just going to keep happening until something new comes along (likely), ransomware operators decide to go quiet and stop attacking everyone (probably not), government and law enforcement bodies manage to arrest everyone and stop all the crime (also unlikely), or we get better about security as a whole (hopefully). Whether these debates and changes result in a free-for-all for attacks, changes in attack methodology, or if any of the rhetoric from governments resulted in slowing or stopping attacks, we’ll know in a year from now if this will be another year of ransomware.

As an aside, we don’t often talk about the attacks that didn’t happen or were prevented through either tooling, law enforcement measures, or a combination of factors, but kudos to those successes. Those stories should be told and passed down to generations of SOC defenders and security teams everywhere. I can’t take the credit for this, but the other debate we should all be having is whether to publicize these incidents or change how they’re presented. In any case, we’ll continue to monitor and update as needed, but if you are curious about how intelligence may help you stay informed in the fight against ransomware, you can always take SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) for a test drive with a free demo request. If you like reading some of the complex data we’ve seen this year, take a look at our Q1 2021 report on ransomware trends, which should hold you over until we can publish the Q2 results.