Unregulated cryptocurrency fueling ransomware attacks globally: Report

The biggest change Sophos observed is the shift from threat actors, who make and then attack organizations using their own ransomware, to a model in which one group builds the ransomware and then leases that ransomware to another group so that the similar attack can be implemented. Such threat actors who offer ransomware as services are called RaaS groups.

According to Sophos researchers, attacks by single ransomware groups gave way to more ransomware-as-a-service (RaaS) offerings during 2021. RaaS groups sell the ransomware as a service. The author of the ransomware makes the malware available to other groups called affiliates, who then use their malware/services to hold people’s data hostage.

Interestingly, some of the most high-profile ransomware attacks of this year was done through RaaS groups, including the famous ransomware attack in May against Colonial Pipeline, an American oil pipeline company, where the cybercriminal leased the service of DarkSide, a RaaS group.

The Conti RaaS group has been one of the most prolific in the industry since it was originally observed in 2020. A recent insider leak identified a manual for Conti affiliates. The leak found out the information on pre-attack reconnaissance, the types of information that actors should focus on. It also included a list of suggested passwords that the threat actors could use to break into accounts within a system.

Meanwhile, the research highlights that the established cyberthreats will continue to adapt to distribute and deliver ransomware. “Ransomware thrives because of its ability to adapt and innovate,” said Chester Wisniewski, principal research scientist at Sophos. “For instance, while RaaS offerings are not new, in previous years their main contribution was to bring ransomware within the reach of lower-skilled or less well-funded attackers. This has changed and, in 2021, RaaS developers are investing their time and energy in creating sophisticated code and determining how best to extract the largest payments from victims, insurance companies, and negotiators.”

Interestingly, ransomware attackers often demand ransom in cryptocurrency such as Bitcoin due to its perceived anonymity and ease of online payment. “As a method of evading sanctions, cryptocurrencies are well suited to the task, which may be why criminals based in regions of the world that remain under traditional economic sanctions exclusively deal in cryptocurrency. Beyond that, because cryptocurrency is anonymous, it can be difficult to determine where the money ends up,” states the report.

“It is no longer enough for organisations to assume they’re safe by simply monitoring security tools and ensuring they are detecting malicious code. Certain combinations of detections or even warnings are the modern equivalent of a burglar breaking a flower vase while climbing in through the back window. Defenders must investigate alerts, even ones which in the past may have been insignificant, as these common intrusions have blossomed into the foothold necessary to take control of entire networks,” Wisniewski added.