The old days of “honest” ransomware gangs are long gone. In the past, ransomware groups pressured each other to honor file decryption promises after the ransom was paid. However, their motives were far from altruistic. They thought victims would be less willing to pay if word got out that their files would never be recovered. Today, the game has changed dramatically.

Now, the ransomware landscape is like the Wild West. Nearly anything goes, and even actors with limited technical skills can get into the action. In the end, though, threat groups may be shooting themselves in the foot. If attackers destroy your files, what’s the point in paying the ransom?

No More Ransomware Honor Code

Back in the days when ransomware was relatively new, there was a sort of code of honor among data thieves. They encouraged each other to be sure to decrypt victims’ files after collecting payment. In the past, extortionists worried that people might not pay if they thought they would not get their files back.

Fast forward to the present day, and what do we find? We have ransomware like Onyx that overwrites any file larger than 2MB, destroying it permanently. Only files below this threshold can be recovered if the victim pays the ransom.

Initially, security experts believed that the overwriting of files was a deliberate attempt to target the largest files available. However, given the current understanding that the threshold is 2MB, it could be that the file overwriting is accidental. Whether it’s a deliberate act of malice or an unintended coding error, the outcome is the same: Onyx victims will never get their larger, important files back.

Ransomware Triple Extortion

Early ransomware threats were straightforward: attackers only threatened their victims with file encryption and exfiltration. Next, criminals began to also threaten to leak or sell data on the dark web or public internet. Experts dubbed this practice “double extortion.” But cyber criminals didn’t stop there. Now, there’s triple extortion, which includes:

  1. Data encryption and exfiltration
  2. The threat of data leak or sale
  3. Attacks aimed at victims’ partners or other pressure tactics.

A triple extortion attack takes on a new level of danger. The malicious actor may take various approaches to increase pressure on the victim. They may demand ransom from the victim’s clients or suppliers, including issuing data leak threats, launching a DDoS attack or even making intimidating phone calls. In a particularly noteworthy case, cyber criminals carried out a triple extortion ransomware attack by hijacking a company’s printers and print-bombing ransom notes until the victim paid up.


Wild Wild West of Ransomware

Today, ransomware has gone mainstream with Ransomware-as-a-Service (RaaS). And RaaS has been part of a larger Malware-as-a-Service (MaaS) trend. Like their SaaS counterparts, MaaS brands can have polished websites, monthly newsletters, new feature announcements and customizations. They even have their own video tutorials, white papers and Twitter accounts.

With ransomware offered as a service, nearly anybody can become a threat actor. Some packages are even available for free, which makes things even more unpredictable. In October, the Cryptonite ransomware emerged as a threat to Microsoft Windows systems. Threat actors wrote the malware in Python and distributed it as part of an accessible open-source toolkit. As a result, anybody could pick up and use Cryptonite for free.

Fortinet cybersecurity researchers conducted an analysis of Cryptonite and concluded that the ransomware is limited in functionality, offering only basic features. However, the researchers discovered something much worse. Even if a victim pays the ransom, Cryptonite does not provide any means of decrypting the encrypted files. Instead, it’s essentially wiper malware, similar to Onyx.

Is It Worth Paying the Ransom?

Sophos’ research shows that organizations that paid a ransom in 2021 got back only 61% of their data, down from 65% in 2020. Similarly, only 4% of those that paid got all of their data back in 2021, down from 8% in 2020.

The Sophos report also shows that 99% of organizations hit by ransomware in 2021 got some encrypted data back. Data backups are the top method used to restore data, used by 73% of organizations whose data was encrypted. Meanwhile, 46% reported that they paid the ransom to restore data. The study’s findings show that many organizations use multiple restoration approaches to maximize the speed and effectiveness of recovering their files.

The Federal Government advises organizations to not pay any ransom. Instead, companies should prepare themselves for malware attacks. For example, IT teams should maintain off-site, tested backups of critical data. Also, ongoing security training on how to spot phishing attempts should be part of a company’s employee cyber awareness strategy.

There’s also the No More Ransom initiative to combat the effects of ransomware. The scheme has helped over 1.5 million victims decrypt their files without giving in to ransom demands. By the initiative’s sixth anniversary, over 10 million people had downloaded its decryption tools.

In 2016, Europol, the Dutch National Police (Politie), and private cybersecurity and IT companies launched No More Ransom. Over time, the initiative has grown and now offers 136 free decryption tools for 165 ransomware variants, including notorious strains like GandCrab, REvil and Maze.

No More Ransom has amassed over 188 partners from law enforcement, the public and private sectors, academia and elsewhere. The initiative continues to develop new decryption tools, and with its portal available in 37 languages, it continuously aids ransomware victims worldwide.

Stop Ransomware

Everyone can take certain steps to avoid falling victim to ransomware. Data backup is more important than ever. With the new ransomware variants that destroy files, a backup is the only way to get your files back.

Additionally, keeping security software and operating systems up to date with the latest security patches is crucial. Employing multifactor authentication also helps prevent account takeover and abuse, which ransomware attacks often rely on for initial access.
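Because a backup is only useful if it actually restores, the following added example (not from the original article or any vendor tool) shows the "tested backups" advice in code: it records a SHA-256 manifest of live files, then verifies a restored copy against it and reports files that are missing or whose contents changed. The file names, the 3MB sample file and the simulated damage are constructed for the demonstration; the larger-than-2MB file mirrors the Onyx threshold discussed above, where a decryptor would not bring it back.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1MB chunks so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file (path relative to root) to its SHA-256 at backup time."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Check a restored tree against the manifest.
    Empty 'missing' and 'corrupted' lists mean the restore test passed."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_of(target) != digest:
            corrupted.append(rel)
    return {"missing": missing, "corrupted": corrupted}


def demo() -> dict:
    """Constructed scenario: back up two files, restore cleanly, then damage one."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "live"), Path(tmp, "restored")
        src.mkdir()
        (src / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (src / "big.bin").write_bytes(os.urandom(3 * 1024 * 1024))  # above the 2MB mark
        manifest = build_manifest(src)
        shutil.copytree(src, dst)
        clean = verify_restore(manifest, dst)  # a good restore: nothing flagged
        # Simulate a restore in which the large file came back overwritten with junk.
        (dst / "big.bin").write_bytes(os.urandom(3 * 1024 * 1024))
        damaged = verify_restore(manifest, dst)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Run the manifest step when the backup is taken and the verify step after every restore drill, so a silently damaged backup is found before an incident rather than during one.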

For more information, security professionals can also check out CISA for in-depth guidance on how to stop ransomware.
