Sophos: Ransomware 'heavyweights' demand sky-high payments

Sophos principal research scientist Chet Wisniewski explains the presence of 'weight classes' in ransomware and offers his thoughts on its future.

Top ransomware groups are getting more sophisticated and gaining new evasion techniques. They're also asking for way more money.

The "Sophos 2021 Threat Report," released today, found that ransomware "heavyweights" -- those that attack large enterprise networks -- are primarily responsible for a near-threefold increase in ransomware payments during the past year.

According to recent Coveware data included in the report, the average ransom payout increased from $84,116 in Q4 2019 to $233,817.30 in Q3 2020. However, the report noted that "Coveware believes the averages can be skewed by just one or two very large ransom attacks." Sophos offered an example of one such large attack in the report.

"It's hard to believe that just two years ago, Sophos analysts marveled at the $6 million haul brought in by the operators of the ransomware known as SamSam," the report read. "In an attack Sophos responded to in 2020, the ransomware operators opened their negotiations at a dollar amount of more than twice what the SamSam gang earned in 32 months of operation."

Why ransomware payments are increasing

According to Sophos, two reasons for this extreme increase in ransom payments are the use of data extortion in ransomware (which began in earnest last year) and ransomware operators' growing understanding of how expensive downtime can be for a victim.

Chet Wisniewski, a principal research scientist at Sophos, told SearchSecurity that even though ransomware payments are increasing across the spectrum, the largest increase has indeed been on the heavyweight side.

"You take an operator like Ryuk or Maze, who is allegedly retired now but whatever, you take an operator like that who is regularly demanding between $1 million and $20 million, and you average that with Dharma, who may be averaging $10,000," he said. "Some of that shift is the low-end operators going from $5,000 and $10,000 to $10,000 and $20,000, bringing the bottom end up, but also a disproportionate number of the big operators going to larger and larger ransoms that are dragging that average up."

As for the lower end of the ransomware spectrum, "demands have been increasing, but [Coveware CTO Alex] Holdtman says they're nowhere near the big fish. There are a lot of small businesses and individuals that get hit, but for them the ransom demands have remained relatively flat," the report read. In addition to the heavyweight class of ransomware operator, Sophos also identifies "welterweights" that hit SMBs as well as local government and public safety, and "featherweights" that target individual computers and users.

Wisniewski said the existence of weight classes in ransomware has happened naturally, though "there's always been a bit of this in the community."

"If we go back seven or eight years, everything was about exploit kits, and at that time the exploit kit authors recognized that fresher exploits obviously had gotten more victims than older exploits," he said. "And so they started selling the kit at different prices to different threat actors, and it was like, 'You can get our basic exploit kit for $9.99, but if you want to pay a $3,000-a-month subscription, we'll give you the premium version that has fresh exploits in it.' There's always been kind of a tiered approach to some of the cybercrime underground. It's just really taken full hold in the ransomware scene, I would say, in the last 18 to 24 months."

Ransomware operators are also gaining new evasion techniques.

"Over the past half year, Sophos analysts observed that ransomware adversaries have settled on a common (and slowly growing) tool set they use to exfiltrate data from a victim's network," the report read. "This tool set of well known, legitimate utilities anyone might have won't be detected by endpoint security products."

What's ahead in ransomware

When asked about the future of ransomware, Wisniewski said that he feels better equipped than he did near the beginning of the year, because trends outlined in the report were new back then. "Everything seems to be settling in now," he said.

"I think we're going to continue to see the stratification of layers like this where we've got a few different layers of threat actors or weight classes or whatever you want to call them. I think that is likely to be maintained going forward," he said.

He added that there are two areas of change that concern him in ransomware. First, he said, nation-states are beginning to adopt the same tools and tactics as ransomware operators, "making attribution really difficult."

"We've seen quite a few APT attacks recently where they, whether they are the Chinese or Iranians, are using the same living-off-the-land tools, the same PowerShell scripts, the same exploits to do privilege escalation that Maze was using," Wisniewski said. "And so you're in a threat response and you're trying to figure out what you're dealing with. It looks like it's going to be a ransomware attack and it turns out it's actually APT attackers, and attributing is getting increasingly difficult. It's getting hard to differentiate between criminals and nation-states, which doesn't hurt the criminals but certainly benefits the nation-states."

The other potential trend is outsourcing, Wisniewski said, giving the example of SamSam. When the group was active in 2018, it would "scan the internet for their own victims" and gain a foothold on victim systems.

"There's getting to be a marketplace now for what I heard another vendor call 'initial access brokers,' and I kind of like that terminology. This idea has existed for a long time, but it's really taking off in the ransomware space where, if I'm Ryuk, I'm not going to bother figuring out how to break into a victim and scan for their unpatched VPN vulnerability or their open RDP server," he said. "I'm just going to buy you from TrickBot. I'm going to let TrickBot worry about how to get on your computer. I'm just going to farm it out to another vendor."

The ransomware operator would then reach out to groups like Buer Loader, BazarLoader and TrickBot, who already have a foothold in various types of organizations and will sell that access to the operator based on inventory and need. He said this trend has been taking off for the last couple of months and "it appears that most of the ransomware operators are now buying their victims from other commodity malware operators."
