Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of a topic; the filters can be used to narrow the selection to the content most relevant for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Ransomware as a solid revenue model and how to break the chain
Ransomware kill chain
A ransomware attack is not an isolated event, but is often part of a wider process in which several steps can be distinguished:
- It starts with obtaining access to a network, access that may later be re-sold.
- Then consolidation of the position within the network takes place, and additional malware is installed.
- After that, the choice can be made to siphon off valuable, sensitive information, for example to offer it for sale on the underground cybercriminal market, or to use it as a means of extorting the victim through (the threat of) publication.
- The deployment of ransomware is often the part of the attack that has the greatest impact.
- The final step consists of any final financial settlement of the extortion: the negotiations between the perpetrator and the victim, the payment by the victim if necessary, the transfer of the ransom paid, and the laundering by the perpetrator.
Diversification and specialisation can also be seen here. Each step in this ransomware kill chain has specialists who either offer this as a service or cooperate with other specialists to carry out highly effective combined attacks.
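The kill chain above is also a useful frame for a defender's telemetry: every stage leaves traces, and the earlier a stage is caught, the less the attacker has invested and the cheaper the response. The following Python is an added example and is not part of the HSD trend snippet or of any product it describes. It tags constructed log lines (the event format, field names, thresholds and rules are all assumptions made here for illustration) with the stage of the kill chain they most plausibly belong to, and reports the earliest stage observed, which is where the chain could have been broken.

```python
"""Tag host and network events with ransomware kill-chain stages.

Added example, not code from the original page. The log format, rule set and
thresholds are assumptions for illustration; all log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Kill-chain stages in the order the page lists them: earlier is cheaper to stop.
STAGES = ["initial_access", "consolidation", "exfiltration", "deployment", "settlement"]

# Assumed thresholds; tune to the environment's baseline in practice.
EXFIL_BYTES_THRESHOLD = 500_000_000   # one outbound flow over 500 MB
RENAME_COUNT_THRESHOLD = 1_000        # file renames per host per minute


@dataclass
class Detection:
    stage: str
    rule: str
    line: str


# (stage, rule name, regex over one log line). Volume rules capture the number.
RULES = [
    ("initial_access", "remote_logon_without_mfa",
     re.compile(r"event=logon proto=rdp .*mfa=no")),
    ("consolidation", "new_service_installed",
     re.compile(r"event=service_install")),
    ("exfiltration", "large_outbound_transfer",
     re.compile(r"event=netflow direction=out .*bytes=(\d+)")),
    ("deployment", "shadow_copies_deleted",
     re.compile(r"event=process_start image=\S*vssadmin\.exe args=.*delete shadows")),
    ("deployment", "mass_file_rename",
     re.compile(r"event=file_rename count=(\d+)")),
]


def classify(line: str) -> Optional[Detection]:
    """Return the first matching detection for a line, or None if it looks benign."""
    for stage, name, rx in RULES:
        m = rx.search(line)
        if not m:
            continue
        # Volume-based rules only fire above their threshold.
        if name == "large_outbound_transfer" and int(m.group(1)) < EXFIL_BYTES_THRESHOLD:
            continue
        if name == "mass_file_rename" and int(m.group(1)) < RENAME_COUNT_THRESHOLD:
            continue
        return Detection(stage, name, line)
    return None


def earliest_stage(detections: List[Detection]) -> Optional[str]:
    """Earliest kill-chain stage with at least one detection (by stage order, not time)."""
    seen = {d.stage for d in detections}
    for stage in STAGES:
        if stage in seen:
            return stage
    return None


def stage_counts(detections: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.stage] = counts.get(d.stage, 0) + 1
    return counts


def analyse(lines: List[str]) -> Tuple[List[Detection], Optional[str]]:
    detections = [d for d in (classify(line) for line in lines) if d is not None]
    return detections, earliest_stage(detections)


# Constructed sample telemetry for one file server (documentation IP ranges).
SAMPLE_LOG = [
    "2021-03-01T02:14:05Z host=fs01 event=logon proto=rdp user=admin src=203.0.113.7 mfa=no",
    "2021-03-01T09:00:00Z host=fs01 event=netflow direction=out dst=192.0.2.10 bytes=2048",
    "2021-03-01T02:20:31Z host=fs01 event=service_install name=UpdateSvc path=C:\\ProgramData\\u.exe",
    "2021-03-02T23:40:00Z host=fs01 event=netflow direction=out dst=198.51.100.9 bytes=2147483648",
    "2021-03-03T01:05:44Z host=fs01 event=process_start image=C:\\Windows\\System32\\vssadmin.exe args=delete shadows /all /quiet",
    "2021-03-03T01:06:02Z host=fs01 event=file_rename count=4200 ext=.locked",
]

if __name__ == "__main__":
    dets, first = analyse(SAMPLE_LOG)
    for d in dets:
        print(f"{d.stage:15} {d.rule:26} {d.line}")
    print("earliest stage observed:", first, "counts:", stage_counts(dets))
```

The benign 2 KB flow never fires, and the chain is first visible at the RDP logon without MFA, two days before encryption starts; that is the stage the page's closing advice on two-factor authentication addresses, and the point at which the attacker has spent the least.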
Ransomware-as-a-Service: a plague for SMEs
The majority of ransomware attacks are characterised as RaaS. Ransomware developers found this to be a way to spread their malware on a large scale without running any risks themselves. RaaS offers the customers of this product the opportunity to apply ransomware to networks or systems even without significant programming skills.
The victims of these mostly indiscriminate attacks are generally small to medium-sized enterprises and increasingly public institutions such as local authorities. These are victims with generally low to limited digital resilience, where relatively little time and effort needs to be invested by the attacker. In April 2020, Help Net Security estimated, following a survey of more than 500 executives within international SMEs, that 46% of SMEs had, at some time, been victims of ransomware.
Big Game Hunting: customisation for maximum yield
These are targeted attacks on large organisations, whereby customised attacks are carried out in order to achieve maximum financial gain. It is mainly autonomous groups - often Eastern European - that (are able to) carry out such attacks. Ransomware is often 'just' a part of a process with several combined attack techniques.
In this process, different groups, each with their own specialisation, often work together, which significantly increases the threat. Investigations reveal that such cooperation is becoming increasingly complex. An attack on a network can therefore involve different actors, who take on different roles, whereby the distinction between perpetrating acts and providing services becomes significantly blurred. Also, actors can choose different malware families in different circumstances, in a plug-and-play manner. This makes its detection, but also its mitigation, particularly complex.
Ransomware and national security
Ransomware attacks pose a risk to national security when it comes to the continuity of critical processes, the leaking and/or publication of confidential or sensitive information and impairment of the integrity of cyberspace; elements that are mentioned in the Integrated Risk Analysis for National Security and the Threat Assessment for State Actors. This is especially true of the threat posed by thorough, combined attacks in the Big Game Hunting category. National security is at stake when the target of such an attack is part of the critical national infrastructure (including the central government and all identified critical processes) and the attack disrupts the continuity of critical processes.
The combination of ransomware with the publication or resale of sensitive information stolen during the attack is also becoming increasingly common in the Netherlands. The attack on the Netherlands Organisation for Scientific Research (NWO) in early 2021, where internal documents were published on a leak site set up especially for this purpose, also shows that this could affect the position of the Netherlands as an innovation country.
Ransomware attacks on local government authorities, such as the attack on the municipality of Hof van Twente in December 2020, are a deliberate attack on the integrity of the government's cyberspace. This may affect the continuity of government services and public trust in them.
Breaking the ransomware kill chain
The ransomware kill chain underlines the fact that a ransomware attack is not an isolated event but is often part of a wider process. Cybercriminals make a clear cost-benefit analysis of their victims at every stage of this process. This is why the Police and the NCSC advise victims of ransomware attacks not to pay, as ransom payments maintain a revenue model for criminals. Viewing ransomware not only as a technical problem, but also as the economic side of a cybercriminal attack, makes room for a more holistic approach to the problem. Each stage of the ransomware kill chain offers opportunities to intervene, both offensively and defensively. Offensively by fighting the main perpetrators and service providers internationally, such as taking down the Emotet botnet and tracking down the criminals responsible. Or by enabling victims to decrypt their files for free, as is possible with NoMoreRansom. Defensively by boosting resilience for all phases of the kill chain and thus limiting the attackers' opportunity to strike. This is sometimes possible with simple steps, such as applying two-factor authentication.
The most promising solution therefore lies in structurally increasing the costs for the criminals in relation to the benefits of ransomware. This is only possible if the Police, the NCSC and the Public Prosecution Service, together with public and private partners and (potential) victims, take a stand by proactively working together and by sharing information and insights in a targeted manner.