The threat of ransomware for businesses in 2023
Every year, thousands of businesses, organizations, government entities, institutions, etc., become victims of cyberattacks. And every year, there are at least a few attacks that top the ones from previous years. According to a study by the IDC, 37% of global organizations were victims of cyberattacks involving ransomware in 2021. This year, the attacks on Colonial Pipeline and Kaseya were two of the most serious ones. But there were thousands of businesses and organizations that fell victim to ransomware in 2021.
Damage caused by ransomware increases every year. By 2031, it is expected that ransomware costs will reach $265 billion. Ransom demands are also increasing. Perpetrators behind the Kaseya VSA supply chain attack demanded a $70 million ransom. Though the biggest ransom payment was $40 million by an insurance company.
Ransomware is not going anywhere, and will likely remain one of the biggest threats for businesses in 2023.
Ransomware effect on businesses in previous years
One of the most serious ransomware attacks to occur in 2021 was the Colonial Pipeline ransomware attack. On May 7, 2021, the American oil pipeline was hit with a ransomware attack that crippled the company’s billing system. To contain the attack, the pipeline shut down all operations as a precaution. The downtime lasted for six days. Colonial Pipeline is one of the US’s largest fuel providers, and 45% of all fuel consumed on the East Coast comes from the pipeline. The downtime that lasted almost a week caused fuel shortages in numerous states made worse by panic buying. The average fuel prices also hit their highest since 2014. As a result, US President Joe Biden declared a state of emergency in order to alleviate potential fuel shortages.
Immediately after getting hit with the ransomware, Colonial Pipeline received demands to pay a ransom of 75 Bitcoin ($4.4 million at that time). To further complicate matters, the perpetrators stole approximately 100GB of data. In hopes of restoring operations as quickly as possible, the pipeline agreed to pay the ransom. However, the tool that the perpetrators sent them worked too slow to restore the network.
Soon after the attack, the cybercrime gang DarkSide was named as the perpetrator. DarkSide was believed to have been operating from Russia though there was no evidence that the attack was state-sponsored. A month after the attack, the Department of Justice revealed that they were able to recover 63.7 Bitcoins ($2.3 million at the time). The group has since shut down operations, supposedly due to pressure from the US. The DoS is also offering $10 million for information on DarkSide leaders.
Another major incident happened on 2 July 2021, when cybercrime gang REvil launched a supply chain ransomware attack using a VSA (Virtual System Administrator) software developed by Kaseya. The remote monitoring and management software had an authentication bypass vulnerability that allows threat actors to distribute malicious payloads through hosts managed by the software. Managed service providers (MSPs) using Kaseya’s VSA software and over 1,000 of their customers suffered ransomware attacks as a result.
REvil quickly took credit for the attack and demanded a $70 million ransom for a universal decryptor that would help all victims. Whether Kaseya paid the ransom or not is not known but they did receive a universal decryptor from a “trusted third party”. And almost two weeks after the attack, REvil’s entire infrastructure disappeared from the Internet. Months later, it was revealed that 7 individuals have been arrested in connection to REvil. One of the arrested, a Ukrainian national Yaroslav Vasinskyi, is believed to be one of the main people behind Kaseya’s cyberattack.
Considering that the percentage of businesses/organizations that fall victim to ransomware attacks increases every year, 2023 will likely see many more victims. And ransomware will become an increasingly bigger and more sophisticated threat for everyone.
Ransomware-as-a-service (RaaS) is bad news for businesses
The days of disorganized cybercrime are over. Ransomware is now a sophisticated business that operates like any other legitimate business, with professionally-made websites, advertising and marketing campaigns, instruction videos, etc. And that’s bad news for everyone on the other side.
Furthermore, it’s now easier than ever for cybercriminals to launch attacks against businesses and organizations. Even malicious actors with little technical knowledge can launch ransomware attacks. That’s primarily because of the ransomware-as-a-service (RaaS) model. If cybercrooks lack the technical knowledge to develop their own file-encrypting malware, they can simply rent an already developed one. That’s ransomware-as-a-service. Depending on the case, criminals would either need to pay a subscription fee or give developers some percentage of their profits. An example of RaaS is DarkSide ransomware. Commonly, RaaS comes with technical support, access to forums, etc. So those threat actors are given everything they need to launch a ransomware attack. They can even buy access to target networks to launch their attack. Depending on the ransomware, renting one out can cost from a couple of hundred to a couple of thousand dollars.
For ransomware developers, RaaS has many advantages. Because the attacks are not carried out by them, it’s more difficult for law enforcement to track and identify them. For everyone else, RaaS becoming the norm brings many issues. Considering that operating ransomware no longer requires technical skills, attack frequency will increase exponentially in 2023 and in the coming years. And all businesses should take this threat seriously. Otherwise, they may find themselves with stolen and encrypted data.
The double extortion ransomware attacks will be the new norm
Just as RaaS is the new norm, the so-called double extortion ransomware attacks are becoming increasingly more common. Double extortion ransomware attacks involve threat actors stealing data during an attack and then encrypting it. If they steal data in addition to encrypting it, cybercriminals can threaten to release it if the ransom is not paid. This isn’t an unexpected shift as cybercrime naturally adapts to potential victims having backups of data.
Considering that most businesses and organizations have reliable backups, double extortion ransomware attacks will dominate in 2023. So backups are no longer enough to deal with ransomware attacks. There have already been numerous major double extortion ransomware attacks in 2021. In February, video game developer CD Projekt Red was hit with ransomware that stole the source code of several games, as well as other files. When the company refused to pay the requested ransom, the threat actors attempted to auction the data for a minimum of $1 million. The Colonial Pipeline cyberattack was also double extortion ransomware, as threat actors stole 100GB of data from the pipeline. Though because the ransom was paid, no data was publicly released.
Double extortion ransomware attacks have a much higher chance of being successful than regular attacks. So in 2023, there will certainly be a significant increase in these kinds of attacks against businesses.
The future is not as gloomy as it may seem
While ransomware is not going anywhere, businesses have many opportunities and means to protect themselves from ransomware attacks. It’s important that they take proactive positions and anticipate how threat actors could attack them. After all, it’s safe to say that it’s no longer a question of if ransomware strikes, but rather when. Businesses need to prioritize employee training and organizational security, practice even the most basic cybersecurity, and prepare for the worst.
2021 wasn’t all bad, there were also many wins. 7 cybercriminals from the REvil cyber gang, including the mastermind behind the Kaseya VSA cyberattack, were arrested in 2021. These arrests were the result of coordinated law enforcement operations involving many countries. Among those arrested were threat actors responsible for up to 3000 ransomware attacks. There were also many other arrests made in connection to other ransomware gangs.
Law enforcement agencies and governments are also taking the threat of ransomware much more seriously nowadays. After the Kaseya VSA ransomware attack, during a conversation with Russia’s President Putin, US President Biden stressed that Russia has the responsibility to act if ransomware operations are coming from Russia’s soil. The US government is also offering millions of dollars in rewards for information about key members of ransomware gangs like REvil/Sodinokibi.