
Ransomware Explained
Understanding the Ransomware Ecosystem – From RaaS Operators to Ransom Demands to How Ransomware Attacks Work
While its origins stretch back decades, it’s only in more recent years that ransomware has become a major threat for organisations of all sizes and industries, with ransomware-as-a-service (RaaS) operators and affiliates dominating the threat landscape.
Understanding ransomware — from its origins to its impacts to the TTPs that allow ransomware gangs to exploit victim organisations and make off with millions in ransom payments and extortion fees — is the key to defending against it.
Even when a company employs leading-edge security tools and robust processes throughout its organisation, it is still at risk. Exploring the world of ransomware and the motives of threat actors can help you better understand where your organisation may be vulnerable and how to protect it more effectively.
Table of Contents
- 01 Ransomware Groups Behind Dominant Ransomware Variants in 2023
- 02 What Is the True Cost of Ransomware?
- 03 How Does Ransomware Work?
- 04 How to Defend Against Ransomware
01 Ransomware Groups Behind Dominant Ransomware Variants in 2023
Focusing on engagements in which the Arctic Wolf Incident Response team confidently attributed an attack to a particular ransomware variant, the five variants we encountered the most in 2023 were BlackCat (AlphV), LockBit 3.0, Akira, Royal, and BlackBasta.
Group Name: BlackCat (AlphVM or AlphV)
First Observed: 2021
Claimed Victims in 2023: 401
Preferred Initial Access Method: Compromised credentials
Key Traits: May be a rebranding of DarkSide. The ransomware code is written in Rust, and, as a RaaS group, BlackCat is known for paying affiliates a large share. Deploys the .alphVM and .alphV ransomware strains.
Notable Moments: Launched one of the first public data leak sites and, in September 2023, used that leak site to take credit for the MGM Resorts International attack.1 In February 2024, the U.S. Department of State issued rewards totaling up to $15 million USD for information leading to the arrest and/or conviction of individuals participating in BlackCat/AlphV ransomware attacks.
Sources
- 1. Arctic Wolf: Okta Environments Seeing Increased Targeted Threat Activity
Group Name: LockBit 3.0 (initially “ABCD”; changed name to LockBit in 2020)
First Observed: 2019
Claimed Victims in 2023: 926
Preferred Initial Access Method: Varies. The group has been known to brute-force Remote Desktop Protocol (RDP) or employ phishing attacks for initial access.
Key Traits: Known for targeting critical infrastructure, LockBit 3.0 operates as a RaaS model and often steals data while demanding extremely high ransoms. The group also tends to publish data to dark web leak sites before payment,1 promising to delete the data upon payment.
Notable Moments: LockBit 3.0 is one of the most prolific groups operating and is responsible for more than 1,700 attacks since 2020, taking in over $91 million USD in ransoms.2 In February 2024, the U.K. National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI) announced the seizure of the group’s infrastructure (including its leak site) and 34 servers, the closure of 14,000 rogue accounts, the freezing of 200 cryptocurrency accounts, and five indictments against members of the group.
Sources
- 1. Arctic Wolf: 1H 2023 Ransomware Landscape Overview
- 2. CISA: Understanding Ransomware Threat Actors: LockBit
Group Name: Akira
First Observed: 2023
Claimed Victims in 2023: 133
Preferred Initial Access Method: Lack of MFA. Accessing VPNs that do not enforce multi-factor authentication (MFA) for initial network access.
Key Traits: Akira practises multi-extortion tactics and hosts a dark web leak site where, should a victim fail to comply with ransom demands, the victim is listed alongside stolen data.
Notable Moments: Starting in October 2023, Arctic Wolf Labs has investigated several cases of Royal and Akira ransomware victims being targeted1 in follow-on extortion attacks, in which victims were contacted for further extortion after the original compromise took place.
Group Name: Royal
First Observed: 2022
Claimed Victims in 2023: 199
Preferred Initial Access Method: Varies. Works with initial access brokers, which makes pattern-spotting difficult, but the group is known to use phishing emails in more than half of all recorded attacks, according to CISA reporting.
Key Traits: This group is known for its .royal or .royal_w file extensions and has drawn comparisons to Conti and Ryuk. Known TTPs include abusing business website contact forms to spread malicious links, planting malware files on authentic-looking download websites, and employing malvertising on search engines.
Notable Moments: Like Akira, Royal has been observed re-infecting victims or deploying follow-on extortion attacks. The group has also targeted critical infrastructure and earned over $275 million USD1 between 2022 and 2023.
Sources
- 1. CISA: #StopRansomware: Royal Ransomware
Group Name: BlackBasta
First Observed: 2022
Claimed Victims in 2023: 197
Preferred Initial Access Method: Spear phishing
Key Traits: BlackBasta is known for its .basta file extension and often attacks anti-virus products first. The group leaves a “readme.txt” file on victims’ desktops and uses double-extortion techniques. It will often post data to leak sites as soon as it is exfiltrated, and it is thought to have arisen from the now-defunct Conti group.
Notable Moments: Has extorted at least $107 million USD1 since 2022.

The Blurred Lines of the Ransomware Ecosystem
While ransomware variants originate from specific ransomware operators, behind the scenes, the ransomware ecosystem has blurred lines:
- Individual ransomware groups often work with many different affiliates
- Affiliates may use several different ransomware variants — from different groups — concurrently
The ransomware groups behind some of the most in-use variants have claimed some of the biggest attacks in the past year, including:
- The U.K. Royal Mail and Boeing (LockBit)
- The City of Dallas (Royal)
- Rheinmetall (BlackBasta)
- Caesars and MGM casinos (BlackCat/AlphV)
- Nissan Australia (Akira)
LockBit, and a handful of other ransomware groups, dominated the ransomware-as-a-service space in 2023, as they did the year prior. This demonstrates both the continuing effectiveness of their operating models and their ability to evade law enforcement — or at least it did.

Law Enforcement Gains Success Striking Back
Although some of the more prolific groups have remained active over multi-year periods, international law enforcement operations are having success taking down ransomware operations,1 shuttering dark web marketplaces,2 and closing the cryptocurrency mixers/tumblers3 that launder ransomware proceeds.
Hive
One of the most active ransomware operators of 2022, Hive, was infiltrated and taken down in January 2023, as announced by Europol and the U.S. Department of Justice.4
The RaaS group’s payment and data leak sites were seized as part of the international law enforcement operation. The operation captured the group’s decryption keys and offered them to victims worldwide, saving victims over $130 million USD in potential ransom payments.
AlphV
AlphV, also known as BlackCat, made headlines multiple times in late 2023. First, with its move to file a complaint with the Securities and Exchange Commission (SEC) against a victim company5 as a new pressure tactic, outing the victim for not filing a disclosure after becoming one of the group’s latest victims.
By December, AlphV found itself in the crosshairs of international law enforcement, when the FBI disrupted its operations and released a decryption tool that allowed compromised victims to recover their data. In an escalating game of tug-of-war with law enforcement, AlphV promptly moved victim notifications to a different site.6 To date, the new AlphV-owned site continues to post victims.
During this period, which (at least for now) appears to be a temporary setback, AlphV offered incentives to retain its criminal affiliates, who were likely feeling the heat from the close call with the FBI. The FBI operation also gave other ransomware groups like LockBit an opportunity to poach AlphV affiliates.7
In February 2024, the pressure on many of these groups only intensified as the U.S. Department of State announced $15 million USD bounties on three of the most prolific RaaS operators: AlphV, LockBit, and Hive.8 A reward of up to $10 million USD is available for information leading to the identification or location of any individual(s) who hold a key leadership position in these transnational organised crime groups, along with a reward of up to $5 million USD for information leading to the arrest and/or conviction of any individual conspiring to participate in, or attempting to participate in, the three named groups’ ransomware activities.
Sources
- 1. TheRegister.com
- 2. Justice.gov
- 3. TheHackerNews.com
- 4. Justice.gov
- 5. arsTECHNICA.com
- 6. KrebsOnSecurity.com
- 7. SecurityBoulevard.com
- 8. State.gov
What does this mean for the threat landscape facing today’s organisations?
More groups are competing for the attention and allegiance of more affiliates, with affiliates responding to economic incentives by aligning with groups that have the most reliable tools, strongest track record of fulfilling their agreements, and greatest ability to evade law enforcement.
As the saying goes, no animal is more dangerous than when it’s cornered, and right now ransomware groups are feeling cornered. We expect to see more ambitious ransoms, stricter negotiations, more aggressive naming and shaming, and further experimentation with new tactics throughout 2024.
It’s also possible that some operators will decide to retire altogether or shift to an alternative form of cybercrime, like business email compromise (BEC).

02 What Is the True Cost of Ransomware?
According to Chainalysis, ransomware payments in 2023 surpassed the $1 billion USD mark, the highest number ever observed, and the average cost of a ransomware attack reached $5.13 million USD according to the 2023 IBM Cost of a Data Breach report, up 13% from the average cost of $4.54 million USD in the 2022 report.
And while most in the cybersecurity community have grown accustomed to seeing these massive ransom payment figures, most of the costs incurred from ransomware attacks have nothing to do with the ransom demanded. Lost productivity and the recovery time required to get IT systems running and back to normal operating levels are significant expenses incurred by organisations in the aftermath of a ransomware attack.
Common Costs Associated with a Ransomware Attack
A breakdown of expected ransomware costs estimated against an organisation’s annual revenue.
Organisations with $0-$25M annual revenues:
- Well-known costs: $409K
- Lesser-known costs: $1.4M (where insurance coverage typically ends)
Lesser-known cost breakdown:
- Downtime: $338K
- Payroll: $61K (50% of employees not producing for 22 days)
- Revenues: $140K
- Decline: $972K
Should You Pay the Ransom?
While the FBI does NOT recommend negotiating or paying a ransom, the 2023 IBM Cost of a Data Breach Report presents some interesting insights into how paying or not paying affects the overall cost of a ransomware event. Organisations that paid the ransom saw only a small difference in total cost, paying $110,000 (£86,000), or 2.2%, less than victim organisations that did not give in to ransom demands.
However, this data doesn’t include the cost of the ransom itself. With the high cost associated with most ransom demands, organisations that did make payments likely ended up paying more than organisations that didn’t pay the ransom.
How Do Threat Actors Determine Ransom Demands?
Threat actors use a variety of factors to determine an initial ransom demand, including:
- The victim organisation’s size and financial position, which threat actors use to estimate its ability to pay.
- The victim organisation’s industry, which influences its sensitivity to disruption and negative press.
- The scope of the attack, which typically influences the victim’s ability to recover and the impact on its operations.
- The victim’s insurance coverage. Some ransomware groups actively search a victim’s environment for cyber insurance policies to inform their ransom demands, typically asking for up to the maximum the policy will cover.
Our Recommendation
Arctic Wolf recommends working with a vetted incident response vendor that has experience with ransomware threat actor negotiations. On average, Arctic Wolf Incident Response customers have seen up to 92% reductions from the original ransom request.*
*All cases are different, and ransom reductions are not guaranteed. It is also never a guarantee that threat actors will live up to their word in a ransom situation.
03 How Does Ransomware Work?
Root Point of Compromise: Gaining Initial Access
External Exposure
In over two-thirds of the ransomware cases we investigated, threat actors gained initial access to victim environments through external exposure — a system exposed, whether knowingly or inadvertently, to the public Internet.
- In 2023, threat actors leveraged external remote access in 39% of cases.
- Other forms of external exploit, including known vulnerabilities and zero-days, accounted for 29%.
External Exposure: External Remote Access
This form of external exposure typically involves identity-based attacks aimed at breaching an organisation’s identity and access management (IAM) system — the governance, control, and monitoring of users’ identities and access within a system or network. External remote access attacks can take a few different forms, including:
- Compromising servers exposed via Remote Desktop Protocol (RDP)
- Compromising servers running Microsoft Active Directory
- Using valid credentials purchased from an initial access broker (IAB) on a dark web marketplace
External Exposure: External Exploits
External exploits, by contrast, leverage either a known vulnerability or a zero-day vulnerability to gain access to an environment.
More than a quarter of the non-business email compromise (BEC) incidents we investigated — the vast majority of which were ransomware — exploited a known (i.e., not zero-day) vulnerability.
In theory, an effective patching program could have mitigated the attack, or at least forced the threat actor into a different course of action.
Zero-Day Vulnerability: 3.4%
While zero-days get all the headlines, they make up a small percentage of cases — just 3.4% of the non-BEC incidents investigated by Arctic Wolf, the majority of which were ransomware.
User Action
While comprising a smaller share of attacks, user action still accounts for nearly one-quarter of all initial access vectors in ransomware attacks.
The team at Arctic Wolf Labs has identified four major ways that user action can lead to a ransomware attack:
- Phishing (MITRE ATT&CK T1566)
- Previously compromised credentials (T1078): the threat actor uses credentials that are known to be part of a data breach or credential dump but that have not yet been deactivated by the victim organisation (i.e., user inaction).
- Malicious software download (T1204.002)
- Other social engineering
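For the compromised-credentials vector (T1078) above, the practical question is which leaked accounts are still live in your directory. The following is an added example, not Arctic Wolf's code: it triages a constructed credential dump against a constructed directory snapshot and says, per account, whether a forced reset is needed. The field names, the example.com addresses and the Get-ADUser properties mentioned in the docstring are assumptions about how such an export would look.

```python
"""Triage a leaked-credential dump against the directory.

Added example (not Arctic Wolf code). For each leaked account it answers the
question the T1078 entry raises: is the account still enabled, and has the
password been changed since the breach? Both the dump and the directory
snapshot are constructed; in practice the directory side would come from an
export such as Get-ADUser -Properties Enabled,PasswordLastSet (assumed).
"""
from datetime import date

# Constructed credential dump of the kind sold by initial access brokers:
# the account, the breach it came from, and the date the data was taken.
DUMP = [
    {"email": "alice@example.com", "source": "vendor-portal", "breached": "2023-08-14"},
    {"email": "bob@example.com",   "source": "vendor-portal", "breached": "2023-08-14"},
    {"email": "carol@example.com", "source": "old-forum",     "breached": "2021-02-03"},
    {"email": "erin@example.com",  "source": "old-forum",     "breached": "2021-02-03"},
    {"email": "ALICE@Example.com", "source": "combo-list",    "breached": "2023-11-30"},
]

# Constructed directory snapshot: enabled flag and last password change.
DIRECTORY = {
    "alice@example.com": {"enabled": True,  "pwd_last_set": "2023-05-02"},
    "bob@example.com":   {"enabled": True,  "pwd_last_set": "2023-09-01"},
    "carol@example.com": {"enabled": False, "pwd_last_set": "2020-12-10"},
}


def _d(s):
    return date.fromisoformat(s)


def triage(dump, directory):
    """Return {email: verdict}. Verdicts:
    reset_required  enabled and password unchanged since the latest breach
    rotated         enabled but password set after the latest breach
    disabled        account exists but is disabled
    unknown         not in the directory (ex-employee, alias, personal address)
    Emails are normalised to lower case, and when an account appears in several
    dumps the latest breach date wins."""
    latest = {}
    for row in dump:
        email = row["email"].strip().lower()
        latest[email] = max(latest.get(email, date.min), _d(row["breached"]))

    verdicts = {}
    for email, breached in latest.items():
        acct = directory.get(email)
        if acct is None:
            verdicts[email] = "unknown"
        elif not acct["enabled"]:
            verdicts[email] = "disabled"
        elif _d(acct["pwd_last_set"]) <= breached:   # same-day change counts as stale
            verdicts[email] = "reset_required"
        else:
            verdicts[email] = "rotated"
    return verdicts


def reset_list(dump, directory):
    """Accounts that need a forced password reset and MFA re-enrolment."""
    return sorted(e for e, v in triage(dump, directory).items() if v == "reset_required")


if __name__ == "__main__":
    for email, verdict in sorted(triage(DUMP, DIRECTORY).items()):
        print(f"{email:22} {verdict}")
    print("reset:", reset_list(DUMP, DIRECTORY))
```

The "unknown" bucket matters as much as the reset list: addresses in a dump that are not in the directory are often former staff whose mailboxes still forward, or aliases, and they are what an initial access broker will try against the VPN regardless.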
It’s important to note that hardening your environment to protect against ransomware will pay deep dividends against all forms of cyber attack, as the same initial access attack vectors are used in many other forms of cyber attack, including BEC and malware attacks.
04 How to Defend Against Ransomware
As with all attack vectors, the best defence is a comprehensive security strategy with both proactive and reactive components.
Our Recommendation
By examining the common TTPs exploited by ransomware groups and individual threat actors, we can recommend the following actions, which should occur in parallel and continuously, to reduce your cyber risk while improving your security posture.

Conduct Basic File Backups
As ransomware evolves, threat actors now regularly exfiltrate data in the early stages of an attack, threatening to release it on the dark web if payment isn’t made (double extortion). Backups cannot undo that disclosure, but they remain central to recovery.
In 71% of Arctic Wolf Incident Response engagements for ransomware, the victim organisation was able to leverage backups in some capacity to restore its environment.
It’s best to follow the 3-2-1 principle of file backup, meaning an organisation has:
- 3 copies of data (1 primary, 2 backup)
- 2 copies stored at separate locations
- 1 off-site copy, in a secure private cloud
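A backup only counts if it restores. The following is an added example, not Arctic Wolf's code: it runs a restore test against a 3-2-1 set of the kind described above by hashing the primary copy, verifying two backup copies against it, and checking the copies/locations/off-site rule. Every file and directory is constructed in a temporary folder so it runs anywhere; the location labels ("hq", "cloud-region-1") are assumptions.

```python
"""Restore test for a 3-2-1 backup set.

Added example (not Arctic Wolf code): builds a SHA-256 manifest of the
primary copy, verifies each backup copy against it, and checks that the set
satisfies 3 copies / 2 locations / 1 off-site. The directories and files
below are constructed in a temporary folder so the script runs anywhere.
"""
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(primary_manifest, copy_root):
    """Compare a backup copy against the primary manifest.

    Files absent from the copy are reported as missing; files whose content
    differs (an encrypted or truncated file, for instance) as corrupt."""
    copy = manifest(copy_root)
    missing = sorted(set(primary_manifest) - set(copy))
    corrupt = sorted(
        path for path, digest in primary_manifest.items()
        if path in copy and copy[path] != digest
    )
    return {"missing": missing, "corrupt": corrupt, "ok": not missing and not corrupt}


def check_321(copies):
    """copies: dicts with 'location' and 'offsite'; copies[0] is the primary.
    Checks the rule as stated on the page: 3 copies, 2 separate locations,
    1 off-site copy among the backups."""
    locations = {c["location"] for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_locations": len(locations) >= 2,
        "one_offsite": any(c["offsite"] for c in copies[1:]),
    }


def _write(root, files):
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def run_restore_test():
    """Constructed scenario: one clean backup and one where a file has been
    overwritten (as an encryptor would do) and another was never copied."""
    files = {"docs/plan.txt": b"Q3 plan\n", "db/users.csv": b"id,name\n1,alice\n"}
    with tempfile.TemporaryDirectory() as tmp:
        primary, nas, cloud = (Path(tmp) / n for n in ("primary", "nas", "cloud"))
        _write(primary, files)
        _write(nas, files)
        _write(cloud, {"docs/plan.txt": b"\x00garbage\x00"})   # altered; users.csv missing
        base = manifest(primary)
        copies = [
            {"path": primary, "location": "hq", "offsite": False},
            {"path": nas, "location": "hq", "offsite": False},
            {"path": cloud, "location": "cloud-region-1", "offsite": True},
        ]
        return {
            "nas": verify_copy(base, nas),
            "cloud": verify_copy(base, cloud),
            "rule_321": check_321(copies),
        }


if __name__ == "__main__":
    for name, result in run_restore_test().items():
        print(name, result)
```

In production the manifest is taken from the primary before the backup job runs and stored with the backup, so that a verification can be made against a known-good state rather than against a primary that may already be encrypted.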

Secure The Cloud
With the shared responsibility model, it’s important for organisations to understand where their responsibility lies when keeping their cloud environment safe. A security incident originating from within your organisation that destroys or disrupts your cloud data is your responsibility, and many cloud security incidents can be traced back to misconfigurations and/or overly permissive access policies.
Not only can the cloud offer initial access to threat actors, but as data storage and operational applications expand to the cloud, it’s likely threat actors will find their way there (through lateral movement or privilege escalation) to encrypt and/or exfiltrate data.

Enforce Identity & Access Controls
Be it through social engineering, the purchase of stolen credentials, or even a brute-force attack, access often begins with a password. In addition, credentials can be used by the threat actor to gain privileged access, allowing them to deploy malware into critical parts of the network.
Proactive and reactive measures security teams can take to improve credential security include:
- Implementing MFA
- Conducting dark web monitoring
- Hardening Active Directory using tools like PingCastle for visibility
- Embracing the principle of least privilege (PoLP), supported by a zero-trust access model, role-based access control (RBAC), and privileged access management (PAM)
- Delivering comprehensive user security training

Ongoing Vulnerability Management
While zero-days make headlines, it’s often known, unpatched vulnerabilities that allow threat actors to gain access to a network or system. By staying on top of vulnerabilities, an organisation goes a long way toward hardening its attack surface.
A full vulnerability management program prioritises continuous vulnerability assessment and remediation, with the other components of the program complementing and assisting overall remediation and mitigation:
- Vulnerability remediation: fixing the vulnerability itself, typically by patching or reconfiguring the affected system
- Vulnerability mitigation: developing a strategy to minimise a threat’s impact if remediation is not possible
Employ a 24x7 Monitoring, Detection, and Response Solution
Monitoring is critical for catching attacks early, especially as threat actors use legitimate tools, such as PowerShell and Active Directory, for malicious ends. Without proper endpoint monitoring and detection, unusual behaviour in those tools would go unnoticed.
In addition, swift detection and response capabilities allow your organisation to stop a ransomware threat while the threat actors are still trying to gain initial access, or before they can move laterally.
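The RDP brute force noted in the LockBit entry and under External Remote Access above is one of the initial-access behaviours this kind of monitoring should catch. The following is an added example, not Arctic Wolf's code or any product's detection logic: a sliding-window rule over Windows Security logon events that alerts when one source address racks up failed RDP logons and escalates if a success from that address follows. The event IDs (4625, 4624) and logon type 10 are the real Windows values; the records, addresses and usernames are constructed.

```python
"""Detect RDP brute force that ends in a successful logon.

Added example (not Arctic Wolf code). It walks Windows Security events in
time order and alerts when one source address reaches `threshold` failed
RDP logons (event 4625, logon type 10) inside a sliding window, then marks
the alert critical if a successful logon (event 4624) from the same address
follows. The events below are constructed; field names mirror the Windows
event XML but no real telemetry is used.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10      # RemoteInteractive
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def _stamp(base, seconds):
    return (base + timedelta(seconds=seconds)).isoformat(timespec="seconds")


_BASE = datetime(2024, 3, 1, 2, 0, 0)
_TRIED = ["administrator", "admin", "backup", "svc_backup", "helpdesk", "it"]

# Constructed sample: 12 failures from one address over four minutes, then a
# success as svc_backup; one ordinary typo-and-retry from an internal host;
# and one network (type 3) logon that the RDP rule must ignore.
EVENTS = [
    {"time": _stamp(_BASE, 20 * i), "id": FAILED_LOGON, "user": _TRIED[i % 6],
     "src": "203.0.113.7", "logon_type": RDP_LOGON_TYPE}
    for i in range(12)
] + [
    {"time": _stamp(_BASE, 260), "id": SUCCESSFUL_LOGON, "user": "svc_backup",
     "src": "203.0.113.7", "logon_type": RDP_LOGON_TYPE},
    {"time": _stamp(_BASE, 300), "id": FAILED_LOGON, "user": "alice",
     "src": "10.0.0.5", "logon_type": RDP_LOGON_TYPE},
    {"time": _stamp(_BASE, 330), "id": SUCCESSFUL_LOGON, "user": "alice",
     "src": "10.0.0.5", "logon_type": RDP_LOGON_TYPE},
    {"time": _stamp(_BASE, 400), "id": SUCCESSFUL_LOGON, "user": "svc_backup",
     "src": "10.0.0.9", "logon_type": 3},
]


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Return {src_ip: alert}. An alert records the peak failure count inside
    the window, the distinct usernames tried (many users = password spraying),
    and the user and time of the first success after the threshold was crossed."""
    recent = defaultdict(list)     # src -> [(time, user)] still inside the window
    alerts = {}
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        t, src = datetime.fromisoformat(e["time"]), e["src"]
        if e["id"] == FAILED_LOGON:
            bucket = recent[src]
            bucket.append((t, e["user"]))
            while t - bucket[0][0] > window:            # slide the window forward
                bucket.pop(0)
            if len(bucket) >= threshold:
                alert = alerts.setdefault(src, {
                    "first_failure": bucket[0][0], "failures": 0,
                    "users_tried": set(), "severity": "high",
                    "success_user": None, "success_time": None,
                })
                alert["failures"] = max(alert["failures"], len(bucket))
                alert["users_tried"].update(u for _, u in bucket)
        elif e["id"] == SUCCESSFUL_LOGON and src in alerts and alerts[src]["success_user"] is None:
            alerts[src].update(success_user=e["user"], success_time=t, severity="critical")
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(EVENTS).items():
        print(f"{alert['severity'].upper()} {src}: {alert['failures']} failures, "
              f"{len(alert['users_tried'])} users tried, success as {alert['success_user']}")
```

The rule keys on the source address rather than the account, because a spray rotates usernames to stay under per-account lockout thresholds; a success after the threshold is the signal that matters, and that is the point at which the session should be terminated and the account's credentials rotated.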
2023 Showed That Ransomware Groups Aren’t Slowing Down.
If tools alone were enough to solve the problem, they would have by now.
This is an operational problem that needs to be solved, and that’s what Arctic Wolf delivers. Learn more about our unique approach to cybersecurity and why Arctic Wolf has emerged as a leader in the industry.