It was James Scott who said, “Ransomware is unique among cybercrime because, in order for the attack to be successful, it requires the victim to become a willing accomplice after the fact.”
On May 10, 2022, the President of Costa Rica, Rodrigo Chaves, declared a state of emergency on national cybersecurity after the country witnessed the devastating effect of Conti Ransomware. It was reported that the Conti gang demanded a ransom of $10m from the Costa Rican government in exchange for not exposing the data stolen from the Ministry of Finance—the government declined. According to local reports, several sectors have remained without online services since the attacks started on April 18. The attack also severely impacted the country’s foreign trade by disrupting its customs and taxes platforms. President Chaves said the private sector was “in crisis” as it had to conduct business manually.
The attackers in this case utilised the tools that make us more productive in cyberspace to target vulnerable users with sophisticated ransomware, and the trend has been on the increase. According to Statista, ransomware attacks experienced by organisations annually have been increasing since 2018 and reached 68.5% in 2021. Also, the SonicWall Cyber Threat Report confirmed that ransomware attacks increased by over 140% in the third quarter of 2021, and Forbes reported that 80% of organisations were hit by a ransomware attack in 2021.
A ransomware attack is network-based. This means that devices connected to the internet are susceptible to it through phishing emails, as well as through attacks on a shared hosting environment that can affect all the sites hosted on the server. A phishing email contains a link or an attachment; when an unsuspecting recipient clicks on it, the malware is installed on the system. After this, the malware begins to encrypt key files on the victim’s computer and on other attached shared files. When ransomware attacks happen, they do one of two things to the victim’s computer: they either encrypt the data on it or lock access to it. This gives rise to the two types of ransomware we know: encryptor and screen-locker.
Encryption ransomware encrypts data on the system, thereby making the content useless without the decryption key. A screen-locker, on the other hand, simply blocks access to the system with a ‘lock’ screen. In the former, the user has access to the system but not to the data on it, while in the latter, the user is denied access to the system altogether. In either case, the user is unable to access the data on the system.
Usually, the victim is notified of the ransomware attack on the lock screen and is asked to pay a ransom. Even after payment, decryption of, or access to, the affected system or data may not be guaranteed. Ransomware attacks cost businesses trillions of dollars in ransoms or in blackmail over the breached data, which, if exposed, can cause brand damage and lead to litigation.
For instance, in 2016, hackers used ransomware to seize control of critical computer systems at Presbyterian Medical Centre in Los Angeles. According to the New York Times, the hospital had to pay a ransom of $17,000 to have the systems released. A Bloomberg report confirms that Colonial Pipeline, one of the biggest pipeline operators in the USA, which supplies roughly 45% of the East Coast’s fuel needs and transports over 100m gallons of fuel across the country daily, had to pay a ransom of up to $5m following a ransomware attack on the company. It was estimated that ransomware attacks would cost businesses $6tn in 2021. The Cybersecurity and Infrastructure Security Agency reported that monetary losses in the US to ransomware attacks increased by 20% in the first half of 2021 compared to 2020.
Attackers who carry out ransomware attacks do not want to be detected. As a result, they have resorted to means that obscure their activity. Two such means are DLL side-loading, an attempt to hide from detection by using DLLs and services that look like legitimate functions, and the use of web servers as targets, through which the sites hosted on the server can be affected by the malware.
Ransomware attacks have indisputably been on the rise recently. Everyone, both individuals and organisations, is advised to be aware of ransomware attacks and to guard against them. Moreover, the FBI has admonished that victims should not pay a ransom following a ransomware attack, because paying the ransom encourages perpetrators to target more victims and offers an incentive for others to get involved in the illegality. Instead, a response plan should be in place, and professional help should be employed to eradicate the threat in the event of an attack. The attack should also be reported to the appropriate authority for further investigation.
Adeoye Abodunrin is the Executive Director of Xpos Technologies