The 2017 WannaCry incident put ransomware in the public spotlight, even though the threat has existed for decades. WannaCry affected more than 230,000 computers across 150 countries, resulting in an estimated US$4 billion in losses — all within a single week.

A stream of new ransomware variants has sprung up in the years since then. Some are built on top of old ransomware “families”, while others are programmed anew. They were also given hacker-like names, such as Ryuk, Defray777, NetWalker and Hitler.

Developed in 2016, Hitler is one of the older antagonists in the scene. Upon infection, a lock screen image of Adolf Hitler giving a Nazi Salute is displayed. Instead of Bitcoins, it requests €25 worth of mobile phone gift cards.

Contrary to its claims, Hitler does not encrypt the infected computer’s files. When the timer hits zero, the screen flashes the infamous blue screen of death, and data from key folders will be removed upon reboot.

Other ransomware variants are not so forgiving. Dharma is one of the oldest ransomware families being deployed today, first identified publicly in 2016. Its source code is currently up for sale in hacking forums for as little as US$2,000, opening up the malware for customisation, which results in more successful and damaging infections.

While most variants attack systems through standard email phishing tactics, DoppelPaymer does so through fake software updates instead. Once downloaded and executed, secondary malware and tools are then installed in the infected system, such as Process Hacker, which terminates many of the computer’s security services and processes.

None of these variants is as notorious, however, as REvil, short for “ransomware evil”. The ransomware group earned the reputation for exfiltrating massive data sets and demanding multimillion-dollar ransoms. Early in July, it was identified as the party responsible for the attack on JBS Foods, the US’s largest beef producer. 

According to the latest report from Unit 42 of Palo Alto Networks, the criminals behind REvil were found to be working with another group known as GandCrab. The GandCrab ransomware is perhaps the most widespread ransomware variant, making up almost half of the variants collected from Unit42’s telemetry. If you were to get hit by an attack, chances are that it involves GandCrab.

REvil is also one of the most prominent providers of ransomware-as-a-service (RaaS). It has built an entire ecosystem — providing adaptable encryptors and decryptors, services for negotiation communications, and even a leak site for publishing stolen data. It takes a percentage of the ransom as its fees.

“REvil and its affiliates pulled in an average payment of US$2.25 million during the first six months of 2021 in the cases that we observed,” the report states.

“When victims fail to meet deadlines for making payments via Bitcoin, the attackers often double the demand. Eventually, they post stolen data on the leak site if the victim does not pay up or enter into negotiations.”

Every expert whom Digital Edge has spoken to agrees on one fact — ransomware is prevalent because it has a lucrative business model that can generate a massive amount of money for ransomware operators.

Like all business models, several other subpractices have stemmed from standard ransomware attacks. Their existence serves the sole purpose of making ransomware attacks much deadlier, easier to spread and harder to deal with.

• Double extortion

Once attacked, victims generally pay ransomware operators a hefty sum to decrypt the locked files. However, this does not stop ransomware operators from storing a copy of these sensitive files for themselves and leaking them out to the public.

This could result in a practice known as double extortion, where the operators coerce the victim to pay an additional ransom not to have the data leaked. There are currently at least 16 ransomware variants that adopt such a practice, according to “The Ransomware Threat Report 2021” by Palo Alto Networks.

“This is one of the easiest ways for ransomware hackers to make money, and we foresee more variants following this trend,” says Lim Suk Hua, country manager of Palo Alto Networks Malaysia.

“In cybersecurity, what we are trying to ultimately protect is the data itself. Besides the financial strain of paying double the ransom, it is also the fact that the data itself will be exposed if it is not being paid for. If a data breach is exposed, the impact it brings to the organisation will be even worse.”

Such dangerous tactics have already reached Malaysian shores. There has been one identified case of a Malaysian organisation falling victim to double extortion. Palo Alto Networks’ threat intelligence team, Unit 42, frequently monitors the dark web, and has found leaked information that can be attributed to a Malaysian organisation. There could be more victims that have yet to be uncovered. 

• Ransomware-as-a-service 

“Looking to extort millions of dollars but lack the technical know-how to do so? Syndicates are now offering to lease out ransomware variants for a measly subscription fee! Visit this onion link on the dark web today to get the best prices and discounts!”

Such advertisements are not uncommon within forums on the dark web. A business in the criminal underworld is still a business nonetheless. They have taken a page or two out of the subscription playbook of successful companies such as Spotify and Netflix, resulting in a practice known as ransomware-as-a-service (RaaS). No longer do criminals need an undergraduate degree in computer science to launch an attack.

An RaaS kit may even include 24-hour support, bundled offers, user reviews and forum discussions, not dissimilar to any other e-commerce product. According to US-based cybersecurity firm CrowdStrike, the RaaS market is highly competitive, with operators running marketing campaigns, being active on Twitter and frequently releasing videos and whitepapers.

They have identified several types of RaaS revenue models. Customers can opt for a monthly subscription for a flat fee, a one-time licence fee — sharing the profits from the spoils of extortion — or a combination of these methods.

“It is really easy to get into [the ransomware business], to the extent that they are open-sourcing the code as well,” says David Rajoo, head of systems engineering at Palo Alto Networks Malaysia.

“They are taking older versions or variants of ransomware, tweaking it and releasing it publicly. They are not reinventing the wheel, so to speak, and it is becoming a lot easier for them to do so.”

• Fraudulent middlemen

US-based ransomware negotiator Kurtis Minder advises organisations not to search on the internet for help once hit with a ransomware attack. Doing so will likely lead them to another scammer instead.

“Some organisations were scammed by companies claiming to be able to decrypt the files using third-party software. This is a very unlikely capability, as those companies often just negotiate the ransom amount, pay for the decryptors from the ransomware actors and mark up the ransom. Do not fall for this,” Minder tells Digital Edge.

He adds that there have been cases in which outside firms were able to decrypt some of the less sophisticated ransomware. However, such cases are few and far between. If organisations insist on employing outside help to decrypt the files, he recommends proceeding with extreme caution.

LE Global Services Sdn Bhd CEO Fong Choong Fook also warns organisations against paying for online services claiming to be able to decrypt files affected by ransomware. He has yet to identify any such services operating from Malaysia, but many of them can be found online.

“A big shoutout to everyone: please do not ever engage these kinds of snake oil salesmen because there is no such thing as decryption-as-a-service,” he stresses. “This is because, every time the ransomware conducts encryption, the keys are updated and changed. There is no fixed key that is able to decrypt all files.”

Protecting oneself against ransomware attacks may seem impossible, considering the mushrooming ransomware variants and tactics used by hackers. There are still several measures, however, that organisations can take to significantly reduce the level of risk involved.

For companies with more resources, LE Global Services Sdn Bhd CEO Fong Choong Fook recommends setting up layers of virtualisation. Virtualisation is the process of creating a simulated computer environment, separated from the physical environment.

An easy way to illustrate this is to imagine running a Windows operating system from within another Windows operating system. Whatever happens within the inner environment, such as a ransomware attack, is less likely to affect the operations of the outer environment. Virtualisation also allows organisations to consolidate hundreds of distinct physical computer servers, treating them as a single (or several) extremely powerful supercomputer.

“The biggest problem with physical servers is that we need to reboot the operating system and install the software one by one, which takes time. Financial institutions have more than 100 servers, all of which could be infected. But we are able to restore hundreds of servers in less than a few days, thanks to virtualisation,” Fong adds.

For organisations that fall victim to ransomware attacks, Fong also recommends visiting the site nomoreransom.org. The No More Ransom project is an initiative by Kaspersky, McAfee, Europol and the Netherlands police, to help victims of ransomware retrieve encrypted data without having to pay criminals.

Users need only to use the Crypto Sheriff tool on the site to identify the ransomware variant affecting the device. The site will then sift through a repository of keys and applications, searching for one that can decrypt the locked data. Unfortunately, there is no universal decryption tool that can address all types of ransomware and, chances are, it is impossible to come up with one.

“How we can understand what the ransomware is doing is through reverse engineering. We obtain a sample, tear it apart and study its behaviour step by step. Through the process, we can understand what type of signal it is sending, and we intercept and study them,” says Fong.

“This is how we are able to find out how the hackers generated the keys and how they had encrypted the data. By breaking down the process, we can come up with solutions for it. That is what the No More Ransom Project is about.”

David Rajoo, head of systems engineering at Palo Alto Networks Malaysia, also explains that preparation is key in handling a ransomware attack.

Listing the considerations that need to be addressed beforehand, Rajoo says: “Who is your official spokesperson for the incident? Is the company affected, from a regulatory perspective? What sort of data is actually exposed out there? Who are the technical experts that they need to engage?

“There are a lot of moving parts, all the way from senior management to legal to human resources and even, potentially, law enforcement. These table exercises — building muscle memory around when these incidents do eventually happen — are important. 

We also need this level of awareness at the board level. A good step in the direction we are seeing is companies mandating that the board of directors have someone with actual cyber experience, and not just from a financial or business background.”

For most organisations, Sunil Mahale, general manager of Commvault Southeast Asia, Hong Kong, Taiwan and Korea, recommends a three-step approach of setting up a solid line of defence, coming up with a readiness plan, and securing the network perimeter.

By lines of defence, Mahale means companies need to have several copies of the enterprise data air-gapped and stored in a location isolated from the company’s main network. A readiness plan involves pre-determining the standard operating procedures before organisations are hit with an attack. 

Finally, the organisations can employ network security solutions to provide an additional layer of security to inhibit hackers from accessing the network in the first place.

“Small and medium enterprises need a lot more help and to be a lot more adjusted during this time more than ever before, because they may not have all the resources or tools in place to help them,” he adds.

“But the No 1 thing they have to do is to protect and manage their data. If they do not even have a copy of the data anywhere else, how can they recover? Companies like us are able to help with policies and processes, but data protection is a must. That is non-negotiable.”