By Robert Di Pietro, Cybersecurity & Digital Trust Leader, PwC Australia
Of all the cyber threat vectors, ransomware attacks remain among the most persistent, presenting a serious threat to Australian organisations large and small.
Since the beginning of the COVID-19 pandemic, when the rate of ransomware attacks spiked, we’ve seen a constant and steady increase in their numbers – the Australian Cyber Security Centre’s (ACSC) most recent threat report indicates that in the 2020-21 financial year, ransomware attacks increased by 15 per cent. Even more worrying is that this number is likely just a fraction of the real scope, given cybercrime so often goes unreported.
Despite the increasing rate of ransomware attacks, however, lived experience indicates some organisations are failing to effectively mitigate the risk of attack, with some still unsure of what ransomware actually is.
Ransomware is a type of malware that works by locking up or encrypting files so they can no longer be accessed. A ransom, usually in cryptocurrency, is demanded to restore access to the files. Increasingly, cybercriminals also exert additional pressure on victims via ‘hack and leak’ tactics, whereby they threaten to release or sell stolen data on the dark web.
Ransomware is deployed by cybercriminals – both state and non-state actors – who search for IT system vulnerabilities. The use of cryptocurrencies can make transfers to ransomware criminals hard to trace. And because these criminals are often located in extraterritorial jurisdictions – notably some Eastern European nations – where they are able to act with virtual impunity, there is little legal or law enforcement recourse for ransomware crimes.
As ransomware has grown in popularity as the cyber weapon of choice for cybercriminals, ransomware ‘business models’ have evolved. ‘Ransomware as a service’ models have seen the commoditisation of cybercrime, with ransomware sold on the dark web for use by amateur cybercriminals. An analysis from the US conducted in 2020 found buying malware online was ‘incredibly easy’, with advanced malware tools selling for as little as US$50. Furthermore, it reported “almost all premium malware sellers provide buyers with in-depth tutorials and ideas about using their products for technically unskilled buyers”.
Head of the ACSC, Abigail Bradshaw, recently noted that sophisticated ransomware syndicates are often geographically dispersed to help them avoid traditional law enforcement and prosecution. Highlighting the increasingly slick business model, Ms Bradshaw said: “A ransomware syndicate might have a marketing arm based in one country, an access arm whose sole job is just to obtain access to vulnerable networks in another country, and its franchise operation operating from another country”.
As previously noted, ‘hack and leak’ is a tactic now commonplace amongst ransomware criminals, as it offers the opportunity for double extortion. And while an organisation of any size can be struck, ‘big game fishing’ targeting large organisations remains a lucrative form of attack.
The most common way these criminals get into systems remains via phishing exploits, but password guessing, credential stuffing (the use of stolen credentials often bought on the dark web) and the scanning of networks for vulnerabilities are also key methods of entry. Ransomware actors are increasingly targeting executives and employees via ‘grab and go’ tactics, whereby they threaten to release potentially damaging or embarrassing stolen data, which in turn creates additional pressure to pay the ransom.
As ransomware attacks continue to become more sophisticated, there are several trends that may evolve. The first will see cybercriminals increasingly enter systems via the backend, cutting out the need for the initial exploit and potentially providing far greater access to and control over systems. The second is that we may see these criminals pivot away from the use of cryptocurrencies for payment. This will be due to increased regulation of cryptocurrency globally, which is currently occurring, as well as severe fluctuations in cryptocurrency exchanges, which can dramatically reduce the profitability of these transactions.
And while it remains uncertain how ransom payment will be demanded, we do know these criminals are creative and will find a way to ensure they get paid.
This story first appeared in The Australian’s Cyber Security special report on 11 October 2022, ‘Ransomware still weapon of choice for attacks’.