Understanding the rise in human-operated ransomware attacks

The US Department of Justice has just released reporting on ransomware filings to its Financial Crimes Enforcement Network (FinCEN) from January to June 2021.

The headline in this report is that FinCEN received more ransomware disclosures in the first six months of this year than in any one of the past 10 years. FinCEN assesses that if this trend continues, the dollar value of ransomware reports this year will be more than the past 10 years combined.

FinCEN acknowledges that this significant increase is partly due to increased reporting of attacks, thanks to Government outreach and engagement. But, this clearly demonstrates the significant, sustained and rapid increase in the ransomware threat. So, what’s behind this?

Ransomware is hugely profitable

The key driver for this increase in ransomware is the massive amount of money that can be made. FinCEN reports that one ransomware variant alone made over $75 million in the six-month period covered by the report (i.e. $12.5 million a month), and the average revenue across all reported variants during this time was $15 million.

Key financial statistics for ransomware incidents reported to FinCEN between January and June 2021, by variants (not named for operational security reasons)

Further to this, FinCEN also reports that their intelligence identified another ransomware variant that had made $3.6 billion in revenue in the 25 month period between September 2019 and the report’s publication, making monthly revenue an eye-watering $144 million.

Key financial statistics for ransomware variants tracked by FinCEN, identified through intelligence analysis and reporting

Barriers to entry for ransomware are low

Another driver for this increase in ransomware is the very low barrier to entry. This has been enabled by the increasing criminal “ecosystem” around ransomware, as operators have diversified away from purely conducting attacks.

For example, ransomware-as-a-service and ransomware affiliate models (as well as the broader proliferation of “offensive security tools”) minimise the technical skills required to conduct ransomware attacks. Also, initial access brokers allow ransomware groups to choose victims they assess as likely to pay, and to focus their efforts on deploying ransomware and conducting negotiations across a relatively small pool of victims.

Also, while not part of this criminal ecosystem, cryptocurrencies such as Bitcoin and the surrounding infrastructure enable the profits from attacks to be easily laundered and cashed out.

Ransomware operators face minimal consequences

Another key driver for the increase in ransomware is the almost complete lack of consequences for perpetrators of attacks.

Given ransomware attacks are criminal acts, developing and prosecuting criminal cases is perhaps the most logical option to hold the individuals behind them accountable. However, ransomware operators are often located in countries unfriendly to the countries their victims are located in, or where the rule of law is limited. This makes successful extradition and prosecution near impossible (except in some recent notable cases).

There are, of course, other options. For example, the US government is increasingly using diplomacy to pressure the countries which harbour ransomware operators to take action themselves, and Ciaran Martin has considered how offensive cyber might have a role to play in combating ransomware. However, these other options are seemingly untested or unproven, and may yet be shown ineffective.

The impact on society and the economy

The combination of these three factors (high revenue potential, low barriers to entry, limited consequences) have incentivised existing ransomware groups to grow their operations, existing cyber crime groups to diversify into ransomware, and new actors to move into cyber crime.

As demonstrated by recent high-profile attacks on critical national infrastructure organisations, the consequences of this to society and the economy have been significant, far-reaching and will continue to grow.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store