Where does Ransomware come from? Here are 3 common attack origins.
Ransomware attacks were more prevalent in the first six months of 2021 than they were for all of 2020. The global volume of ransomware attacks hit 304.7 million in H1 2021, ITProPortal reported. That’s 0.1 million more than the total for all of the previous year. In that six-month period, organizations in government, education, healthcare, and retail all saw triple-digit growth in the number of attacks confronting them, with three families—Ryuk, Cerber, and SamSam—accounting for 64% of all ransomware infections during that time.
Who’s Behind Today’s Ransomware Attacks?
Knowing the common origins of new ransomware strains can help organizations defend against an attack. Three origins are worth noting: state-sponsored actors, criminal organizations, and security researchers who don’t always think things through.
State-Sponsored Actors
In this scenario, malicious actors receive monetary, technical, and other means of support from a governmental body to create a new ransomware threat. Those actors then use the ransomware to conduct an attack that advances the governmental body’s interests. As the governmental body didn’t launch the attack itself, it can try to leverage that fact for plausible deniability, thus raising the political costs should another state wish to retaliate.
Let’s look at a recent example. In May 2021, The Hacker News wrote that security researchers had detected a state-sponsored ransomware campaign operated by Iran’s Islamic Revolutionary Guard Corps (IRGC). The campaign, dubbed “Project Signal,” began in the summer of 2020 and sought to conduct ransomware attacks through an Iranian contracting company called “Emen Net Pasargard” (ENP) for four days in October 2020. Those who spotted the campaign suspected IRGC was using it as a subterfuge technique to mimic the tactics, techniques, and procedures (TTPs) of financially motivated ransomware groups to make attribution more difficult.
Digital Criminal Organizations
Not every ransomware operation receives direct support from a governmental agency, but support can come in many ways. Some groups operate as “privateers,” as noted by Threatpost, acting according to their own financial agendas while enjoying some protections from governmental bodies.
Take the REvil operation. According to The Washington Post, REvil’s developers appear to be based in Russia, a country that has historically looked the other way at digital crime groups operating within its borders. The ransomware’s creators used that protection to form a ransomware-as-a-service (RaaS) scheme in which they took 20-30% of a ransom payment, with affiliates taking the rest for running the attacks, stealing the data, and detonating the crypto malware. Through that arrangement, the REvil gang ended up making $100 million in two years. That was several months before the operation made news by targeting Kaseya in a supply chain attack.
Security Researchers Who Don’t Think Things Through
Over the years, security researchers have sometimes developed ransomware-like programs for “educational purposes.” Such was the case with Hidden Tear. At the time of its emergence in August 2015, its creator warned users to “not use it as a ransomware,” clarifying that they “go to jail on obstruction of justice charges just for running hidden tear, even though you are innocent.”
But making a program like Hidden Tear publicly available proved too tempting for script kiddies looking to get into the ransomware scene. That explains why the security community documented so many Hidden Tear-based variants in the years that followed. Those derivative strains included RANSOM_HIDDENTEARMAY.A, RANSOM_POGOTEAR.A, and an RaaS program spun up by the FAKBEN Team.
Defending Against a Ransomware Attack
Organizations need to make sure they’re protected against all kinds of ransomware. They can do that by hardening their ability to defend against email-based attacks, one of the most common delivery vectors for ransomware. Learn how the email threat protection tools from Zix | AppRiver can help keep your organization safe.