After several high-profile attacks by authorities in various countries, especially the United States, they effectively equated the ransomware threat with terrorism<\/a>.\u00a0<\/p>\n The search for a solution to ransomware could lead to tighter regulation of cryptocurrencies\u2014an industry favourite for collecting the ransom. In the United States, calls have grown for closer tracing of crypto transactions and tougher KYC\/AML procedures.<\/p>\n ForkLog has examined what lies behind the heightened ransomware threat and what consequences this will have for the cryptocurrency industry.\u00a0<\/p>\n The principle behind ransomware is simple: attackers infect devices, encrypt data or disrupt computer systems, and demand a ransom for the decryptor key.<\/p>\n Ransomware has existed for a long time, but recently it has drawn heightened attention due to the rising damage from attacks and the focus on businesses rather than individual users.<\/p>\n The standard infection method is phishing. Hackers send emails containing malware or links.<\/p>\n These emails are often signed with well-known brands\u2014such as delivery services, banks, or business partners close to the victim\u2014information that fraudsters gather in advance during the preparation of a targeted attack, ForkLog’s ESET experts said.<\/p>\n The history of ransomware began in the late 1980s. One of the first such viruses was the AIDS Trojan. Its author is believed to be Dr. Joseph Popp, who taught at Harvard. The virus was distributed on floppy disks packaged as educational programs about AIDS by a certain PC Cyborg Corporation.<\/p>\n After 90 reboots, the virus on the disks encrypted files and hid folders, demanding $189 for a ‘license extension’.<\/p>\n Over time, ransomware evolved, but truly large-scale attacks began after 2010. In addition to improving malware and finding new intrusion methods, the internet spread worldwide at unprecedented speed, and the number of potential victims grew by hundreds and thousands.\u00a0<\/p>\n New ways to obtain a ransom and evade law enforcement emerged \u2014 at least initially.\u00a0\u00a0<\/p>\n In 2013 hackers began distributing CryptoLocker, targeting Windows users, via emails with malicious attachments, botnets and compromised sites. As ZDNet, citing Dell SecureWorks, reports, CryptoLocker harmed at least 250,000 victims in its early days.<\/p>\n The malware encrypted certain files and the victim received a ransom note with a countdown. Operators accepted payments via MoneyPak cards or in bitcoins. The note also warned that if the ransom was not paid in time, ‘no one will ever be able to recover the files’.<\/p>\n Later, hackers added the option to buy a decryptor key after the deadline through a dedicated service, but the price rose from 2 to 10 BTC.<\/p>\n According to ZDNet, which tracked several Bitcoin addresses to which CryptoLocker victims paid the ransom, between 15 October and 18 December 2013 around 41,928 BTC passed through the hackers’ wallets.<\/p>\n In June 2014, the US Department of Justice announced the dismantling of the Gameover Zeus botnet, used to distribute CryptoLocker and other malware, and Russian national Evgeniy Bogachev was charged with involvement in operating the botnet and ransomware. In the operation, authorities also said they had destroyed CryptoLocker.<\/p>\n Subsequently the world faced several more large-scale ransomware campaigns. The WannaCry damage, by some estimates, exceeded $1 billion, and the Petya worm not only encrypted data but also erased files, affecting many systems across companies and government agencies.\u00a0<\/p>\n While law enforcement and cybersecurity firms fought one set of ransomware groups, others rose to take this crime to a whole new level.<\/p>\n \u00abDespite the authorities’ successes in curbing several ransomware groups, this form of malware has proved to be a hydra \u2014 you cut off one head, and several more appear\u00bb, \u2014 analysts emphasize.<\/p>\n<\/blockquote>\n According to the analysts at Kaspersky Lab<\/a>, 2016 was pivotal, ‘when in a few months the number of ransomware attacks on business tripled’. Data from Statista show that this year saw the highest number of attacks.<\/p>\n Nevertheless, according to Check Point Research<\/a>, ransomware operators intensified in 2021. In the first four months of the year, the number of companies hit by ransomware attacks rose by 102% compared with the start of 2020.<\/p>\n Since the start of the year there have been several high-profile ransomware incidents \u2014 Colonial Pipeline<\/a>, JBS<\/a>, Acer<\/a> and many other firms and agencies have fallen victim. Reuters reports that the United States has elevated the priority of investigations into such breaches to the level of terrorism cases, according to Reuters<\/a>.<\/p>\n Analysts disagree on the total number of ransomware attacks. Reliable data are hard to obtain as many companies do not disclose details or even the fact of a breach.<\/p>\n However, almost all experts agree on the increased level of damage.<\/p>\n According to Chainalysis<\/a>, the average ransom demanded by ransomware operators rose more than fourfold\u2014from $12,000 in Q4 2019 to $54,000 in Q1 2021.<\/p>\n According to Cybersecurity Ventures<\/a>, the damage from ransomware in 2021 will reach $20 billion, rising to about $265 billion by 2031.<\/p>\n One reason for the rising threat, experts say, is the transformation of extortion into an ecosystem, where malware developers are only part of the system.<\/p>\n Ransomware-as-a-Service (RaaS) \u2014 a model that lets you order a cyberattack as a service. Usually: hackers develop the malware and provide it to a client. Depending on the level of involvement, developers take a cut of the ransom.<\/p>\n Independent expert Alexander Isavin told ForkLog that the established ‘market for hired malware-as-a-service’ has significantly boosted the number of attacks:<\/p>\n \u00abSomeone develops, someone seeks paying victims, and the infrastructure for laundering illicit proceeds already existed. It\u2019s clear criminals use the most advanced tools first \u2014 and they were among the first to adopt cryptocurrencies\u00bb.<\/p>\n<\/blockquote>\n A prime example of a RaaS-style attack is the Colonial Pipeline breach, ForkLog\u2019s cybersecurity expert from Kaspersky Lab, Dmitry Galov, said.<\/p>\n The group involved in the Colonial Pipeline attack not only developed the tools but built an entire infrastructure for execution. It helped its clients during negotiations with victims and in obtaining the ransom, and offered special programs to other criminals, pre-selected through a competitive process according to formal requirements and after interviews.<\/p>\n \u00abThe world of ransomware must be understood as an ecosystem and regarded as such\u00bb, \u2014 analysts emphasize<\/a>.<\/p>\n<\/blockquote>\n Attackers often do not know each other. They interact through various forums and platforms, paying for services with cryptocurrency.\u00a0<\/p>\n Thanks to this, arresting any single participant would have little effect on ransomware operations, since it is impossible to identify other actors.<\/p>\n One example supporting this view is the recent Ukrainian law-enforcement notification identifying members of the hacking group behind the Clop ransomware.<\/p>\n Spreading a week after this news, Clop published a new batch of data<\/a>, allegedly obtained from two new victims.\u00a0<\/p>\n As it turned out, the searches targeted not group members but operators of a cryptocurrency exchange through which Bitcoins flowed; Binance helped identify<\/a> them. The hackers, it would seem, remain at large.<\/p>\n According to researchers Intel471<\/a>, among RaaS-operating groups are Doppel Paymer, Egregor\/Maze, Netwalker, REvil, Ryuk and others.<\/p>\n The threat from ransomware activity grows also due to changing victim focus \u2014 hackers increasingly target companies and organisations rather than individuals.\u00a0<\/p>\n \u00abRansomware attacks in recent years have become a real threat to any organisation, including social facilities and industrial enterprises. Often the groups attacking business seek access to the maximum number of corporate networks and then study what company it is\u00bb, said Dmitry Galov, cybersecurity expert at Kaspersky Lab.<\/p>\n<\/blockquote>\n Hackers increasingly adopt the tactic of double extortion. They not only encrypt data or devices but also exfiltrate personal or commercial information they threaten to publish if the ransom isn\u2019t paid. <\/p>\n Many affected organisations choose to pay. As the media reports citing Proofpoint research, 52% of ransomware victims paid the ransom.<\/p>\n Experts do not recommend paying, as ‘there is no guarantee criminals will fulfil their promises to decrypt after payment’, ForkLog told ESET:\u00a0<\/p>\n \u00abMoreover, statistics show that more than half of those who paid end up re-victimised within a year\u00bb.<\/p>\n<\/blockquote>\n This is confirmed<\/a> by Cybereason. A survey of 1,263 cybersecurity professionals found that 80% of those who paid the ransom were hit again.<\/p>\n The U.S. authorities are urging<\/a> not to pay; some even advocate<\/a> banning such payouts.\u00a0<\/p>\n ? If you were the victim of a #ransomware<\/a> attack, paying the ransom doesn\u2019t guarantee you\u2019ll get a decryption key or your data back from cybercriminals. Eliminate the need to pay \u2013 back up your data and patch your computer often! https:\/\/t.co\/BuYmxnWdyK<\/a> #Cybersecurity<\/a> pic.twitter.com\/VdwqP8cymn<\/a><\/p>\n \u2014 US-CERT (@USCERT_gov) July 1, 2021<\/a><\/p><\/blockquote>\n \n
What are ransomware programs?<\/strong><\/h2>\n
\n
New Horizons<\/strong><\/h2>\n
Causes of the ransomware pandemic<\/strong><\/h2>\n
\n
\n
\n
\n
\n
![\"\u00ab\u041f\u0430\u043d\u0434\u0435\u043c\u0438\u044f](\"https:\/\/lh4.googleusercontent.com\/6yw7_JHIXvXZQpkx23qUKeprHRZIfnwAJmUrXM9RQwREjpWIcg94g8cOWWbazfc8UJD6s9gsoWuWBmx_mLWeLs3Xyr9Cugq6SdCD0610f7BNlwf_KbAFFmnuJlF4D4WtNPxZIrtb\")
![\"\u00ab\u041f\u0430\u043d\u0434\u0435\u043c\u0438\u044f](\"https:\/\/lh5.googleusercontent.com\/FpVeU14RHmekTos7HcDqxB4yBg19qZfKksoJrHuVnz7J9pHAeg3R9PKx24lkh6wosTNqWESta-KoubcEvmtZ7s3m1aT5bG_lPbfCG3QYqzbfAGi7h-mFtXtbjPmADu8-HKDyZZcz\")
![\"\u00ab\u041f\u0430\u043d\u0434\u0435\u043c\u0438\u044f](\"https:\/\/lh6.googleusercontent.com\/zk38cqPfQftmdC9owCVNa3lYeCpjqMCOm-A0TIi2TqTlL5Hck3xZFQ9-9YRkaowRXCd8AQmwzVcLD-6LXNunJcOhmSYYZqeoEl8wi3qJ3mmwqgw1st8ja4knTGAWB_O9ZRTyPDat\")
![\"\u00ab\u041f\u0430\u043d\u0434\u0435\u043c\u0438\u044f](\"https:\/\/lh6.googleusercontent.com\/QEwd3CiQv-WL0i5Rb1focvU7jPbvMYwJyJFp0kYjX_IBYpGYSPYnWyDdavj_zjynQheRX6Vz-alHZqdrztprdsx7pRZRW1LXPSTFqxks5HtoYAGCzkAk21WWQp9H8VETlrr2YnN8\")
![\"\u00ab\u041f\u0430\u043d\u0434\u0435\u043c\u0438\u044f](\"https:\/\/lh3.googleusercontent.com\/bTVn_Mv2AGi4vrnfRNzcuzn_savJxZpCZ855vp_TWDbdgZ3h629yhIGVHpeH9FnkPMWJvilPl57t1qdaxkNYCU-iOHuVU-j_EwgvIlrrbgnfitoh5ROtxS-rI-7OTt8fw46XoYJf\")