Ransomware Evolves: Encrypting Out, Bug Bounty In [July 2022]

June 30, 2022 | Brooke Crothers

As ransomware continues to evolve, volume surged in the first quarter of 2022 compared to the same period in 2021. Ransomware detections rose 80% and had already reached three times the level seen during the same period a year earlier, according to WatchGuard's Internet Security Report for Q1 2022.

“Our analysts hypothesize that this rise has to do with the increased activities coming from the LAPSUS$ ransomware group during Q1,” the report said.

Ransomware as a business

Ransomware attacks have proven to be enormously profitable for criminal organizations with victims paying more than $600 million in 2021, according to Chainalysis.

This is funding a rapid evolution of the criminal ransomware industry, seen most visibly in the emergence of the Ransomware-as-a-Service (RaaS) business model, where affiliates pay for ransomware developed by operators and use it to launch their own attacks.

“In Q1 2022 [there was] a significant increase in ransomware detections of 2,365. To put that in perspective, the total number of ransomware detections for all of 2021 was 1,313.”

--Internet Security Report - Q1 2022, WatchGuard

A RaaS kit often includes 24/7 support, bundled offers, user reviews, forums “and other features identical to those offered by legitimate SaaS providers,” according to CrowdStrike.

“The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in 2021 was $6 million. A threat actor doesn’t need every attack to be successful in order to become rich,” CrowdStrike says.

Ransomware group turns to bug bounty

LockBit, one of the most active RaaS operators, has added a bug bounty program as it revamps its operation, according to reports. As part of “LockBit 3.0” – replete with the slogan "Make Ransomware Great Again!" – the group said it was inviting “all security researchers and ethical and unethical hackers on the planet” to participate in its bug bounty program, which allegedly offers rewards ranging from $1,000 to $1 million.

The program lists website bugs, locker bugs (flaws in the ransomware payload itself), and vulnerabilities in the Tox messenger and the Tor network. It also offers bounties for doxing, with an alleged $1 million reserved for anyone who reveals the name of the “affiliate program boss.”

“Ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to hundreds of cybercriminals worldwide with various specializations,” Ivan Pisarev, Head of Dynamic Malware Analysis Team at Group-IB’s Threat Intelligence department, said in a statement.

Ransomware sans encryption

While classic ransomware – where data is encrypted and a ransom is demanded to unlock it – is still the most popular form of extortion, extortion without any encryption step is on the rise, according to a joint Cybersecurity Advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury.

The advisory cites the Karakurt data extortion group, which does not encrypt compromised computers but instead steals data and then threatens to auction it off or release it to the public if payment isn’t received.

Ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim, the advisory said.

“The instructions include a link to a TOR URL with an access code. Visiting the URL and inputting the access code opens a chat application over which victims can negotiate with Karakurt actors to have their data deleted,” according to the advisory.

Karakurt victims have reported extensive harassment campaigns that target employees, business partners, and clients, encouraging them to negotiate to prevent the release of victim data. These communications typically include samples of stolen data such as personally identifiable information (PII), which might include employment records, health records, and financial business records, the advisory said.

'Multi-faceted extortion'

More evidence of the evolution of ransomware is multi-faceted extortion, which is “a fancy way of saying data theft paired with extortion," Mandiant Intelligence VP Sandra Joyce told The Register.

This extortion scheme includes discounted ransoms in order to encourage the victim to pay sooner, “with the demanded payment getting larger the longer it takes to cough up the cash,” The Register said.

Other crime groups offer "sliding-scale payment systems" where “you pay for what you get,” Mandiant’s Joyce said.

Mitigating the ransomware threat via code signing certificates

A separate report from Titaniam found that while over 70% of organizations have prevention, detection, and backup solutions in place, nearly 40% were still victims of ransomware attacks in the last year, which suggests those controls are not sufficient on their own.

“There is no single way to tackle ransomware. It’s going to happen,” said Eddie Glenn, Senior Product Marketing Manager at Venafi.

“An easy thing that a company can do is to require all macros to be signed with a company-security-policy-approved code signing certificate that has been issued to an individual. This way the person receiving the macro can be assured that the macro originated with the trusted employee and not a malicious external third party,” Glenn said.

“Adopting more modern security practices, like code signing macros or a Zero Trust security model, can address these threats with minimal hit on efficiency,” according to Glenn.

“Machine identities—like code signing certificates and API keys—are the targets of today and the future. Just one more reason why machine identity management is the most important cybersecurity trend of the decade,” said Kevin Bocek, VP, Ecosystem & Threat Intelligence at Venafi.
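One concrete way to put Glenn’s “only signed macros run” recommendation into effect, as an added example that is not Venafi’s code and is not part of the original post: the PowerShell below sets the Office Trust Center policy “Disable all macros except digitally signed macros” for Word, Excel and PowerPoint by writing the same registry values the Group Policy templates write, enables the block on macros in files carrying the Mark of the Web, and then audits the result and lists the publishers currently in the Trusted Publishers stores, which is the list that decides whether a signed macro runs without a prompt. It assumes Office 2016 or later (the `16.0` key) and a per-user policy under HKCU; the policy root and application list are parameters, so they can be changed.

```powershell
# Added example (not Venafi's code): enforce "signed macros only" for Office
# through the policy registry keys. Assumes Office 2016+ ("16.0") and a
# per-user policy; switch $root to HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0
# (run elevated) for a machine-wide policy.

$apps = 'Word', 'Excel', 'PowerPoint'
$root = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0'

function Set-SignedMacrosOnly {
    param([string[]]$Apps = $apps, [string]$PolicyRoot = $root)
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
        # 3 = disable all except digitally signed, 4 = disable all, no notification
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value 3
        # Block macros in files downloaded from the internet (Mark of the Web)
        # regardless of signature, so a stolen-but-valid signature on a
        # phished document still does not run on its own.
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Type DWord -Value 1
    }
}

function Test-SignedMacrosOnly {
    # Audit: returns one row per app so drift back to 1 (enable all) is visible.
    param([string[]]$Apps = $apps, [string]$PolicyRoot = $root)
    foreach ($app in $Apps) {
        $key = Join-Path $PolicyRoot "$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App         = $app
            VBAWarnings = $props.VBAWarnings
            MotWBlocked = ($props.BlockContentExecutionFromInternet -eq 1)
            SignedOnly  = ($props.VBAWarnings -eq 3)
        }
    }
}

function Get-MacroTrustedPublishers {
    # A signed macro runs silently only if its signing certificate chains to an
    # entry in one of these stores; anything else still produces a prompt.
    Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter
}

Set-SignedMacrosOnly
Test-SignedMacrosOnly     | Format-Table -AutoSize
Get-MacroTrustedPublishers | Format-Table -AutoSize
```

The signing step itself happens in the VBA editor (Tools > Digital Signature) with the approved certificate; what this script enforces is the consumer side, so unsigned macros never run. One caveat: with `VBAWarnings = 3`, a macro signed by a certificate that is not in Trusted Publishers still shows a security prompt that lets the user trust that publisher, so the Trusted Publishers store should be populated and locked down by policy rather than left to individual clicks, and `Test-SignedMacrosOnly` is the check to rerun after any Office or policy change.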
