
Ransomware Groups Reinvest Capital to Improve Attack Methods

Sep 17, 2021

Ransomware is big business, and it’s getting even bigger. Some successful ransomware groups now operate as efficient organizations, reinvesting the proceeds from ransom payments to grow the business and refine attack methods.

Instead of relaunching the same tried-and-true attacks that have generated their handsome profits, ransomware groups are using the money to invest in R&D, an approach resembling series A financing rounds. As reported by SC Magazine, larger ransomware groups are becoming more professionalized, even holding conferences, hiring web design teams and placing want ads to build their businesses.

“Ransomware, like any business, is a complex economy,” SC Magazine reported. “The well-organized designers let stables of contractors use their ransomware on commission; those contractors purchase pre-hacked access to systems from a third group: initial access brokers. The rising tide of ransomware payments would float all boats.”

In some cases, ransomware groups place money in escrow accounts to show affiliates they have the funds to make payments for services rendered. “More profits can mean more money in escrow, which can increase the comfort affiliates will have in launching more attacks.”

Increased Sophistication

The increased sophistication of ransomware groups is reason for concern. The groups are reinvesting their ill-gotten gains in areas such as encryption and file-transfer tooling for moving data in and out of victim networks. “We’ve seen a couple using virtual machine hijacking. That requires engineering and debugging,” James Chappell, co-founder and chief innovation officer at Digital Shadows, told SC Magazine.

Threat actors also are showing interest in attacks like the one in July against remote monitoring and management (RMM) software vendor Kaseya. As reported by Reuters, that attack “paralyzed” at least 1,500 organizations by exploiting vulnerabilities in the vendor’s VSA product, which MSPs use to manage their customers’ IT environments, and using it to push ransomware to the endpoints it managed. The attack impacted about 50 MSPs who use the RMM system.

“There’s a lot of interest in underground forums and in private chats where they talk about looking at remote monitoring and management [RMM] tools as a way to deliver force multipliers,” Allan Liska, senior security architect at Recorded Future, told SC Magazine.

Pulling off these types of attacks requires funding, which helps explain why ransomware groups are reinvesting in the business. For those charged with defending against cyber attacks, the stakes are getting higher. If the attack groups succeed in refining their methods and delivering a bigger blow when they attack, how much added strain will it place on already-stretched cybersecurity budgets?

Alastair Paterson, CEO and co-founder of Digital Shadows, posed the question in an interview with SC Magazine: “What happens [when] these exceptionally well-financed groups have bigger offense budgets than you’ve got defense budgets?”

It’s certainly a reason for concern. Cybersecurity leaders should use the prospect of that happening as an incentive to focus their defenses and make the case to the C-suite to invest in a robust security posture. Ransomware is clearly going to remain a major concern for the long term.

In June, (ISC)² highlighted the need to defend against this threat during #RansomwareWeek, posting a number of blogs on the topic and offering a course, “Ransomware: Identify, Protect, Detect, Recover,” free of charge to the public. Keep checking our website for more ransomware coverage and discussions on how to strengthen your defenses.