Giving into ransom demands may not only lead to more ransomware attacks, but also more sophisticated ones, according to new research by Coveware.
In a report published Monday, the security vendor said average and median ransom payments were up in the first quarter this year, and some ransomware groups appear to have used their profits to acquire more efficient ways to infiltrate organizations. For attack vectors in the first quarter, Coveware noted a decline in phishing emails and a rise in exploited software vulnerabilities; the most commonly used vulnerabilities, according to the report, were known flaws in VPN products from Fortinet and Pulse Secure.
Overall, the average ransom payment increased 43% to $220,298 from $154,108 in the fourth quarter of 2020. The median payment in Q1 increased more than 50%, up to $78,398. According to the report, the average and median were pulled higher by a small number of threat actor groups, including the operators behind Sodinokibi, Conti V2 and LockBit. Clop ransomware in particular was extremely active during Q1 and impacted large victims with very high ransom demands.
Coveware said paying those demands creates a false sense of security, unintended consequences and future liabilities.
"Over hundreds of cases, we have yet to encounter an example where paying a cybercriminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage," the report said.
Coveware CEO Bill Siegel told SearchSecurity that in less than 10% of cases where the victims paid a ransom, Coveware later discovered the data was not destroyed. Siegel said that in some cases the intent was malicious, for example, making a second demand for payment, and in other cases it was sloppy administrative mistakes that led to the release of data by the threat actors.
"It demonstrates that the cyber criminals may use this data for other extortion purposes further down the line, or at a minimum were sloppy custodians for the data after it was stolen," he said in an email to SearchSecurity.
The use of threats to release stolen data increased from 70% in Q4 to 77% in Q1. According to the report, most ransomware attacks that involve data exfiltration have two main goals: exfiltrate corporate data from the most convenient file server, and escalate privileges and deploy ransomware on as many endpoints as possible. The threat of stolen data is largely used as additional leverage against victims, and Coveware said the practice is now the norm among ransomware gangs. However, in many cases the data that's stolen isn't necessarily confidential or sensitive information.
"This means that despite the threats, threat actors rarely take the time to steal data that any other criminals or interested parties would want to purchase. The stolen data is just proof that the attack occurred and sometimes creates legal obligations for the victim," the report said.
Operators behind Clop ransomware are known to follow through on their threats to leak stolen data in order to pressure victims who do not pay. One example occurred last year when a double extortion attack against Software AG resulted in leaked confidential data.
Data theft was the goal in the Accellion File Transfer Appliance (FTA) breach as well.
Coveware observed that operators behind the Clop ransomware variant took a different approach in their Q1 use of Accellion's FTA product. According to the report, beginning in late December and continuing through much of Q1, Clop exploited two zero-day vulnerabilities that allowed for remote code execution (RCE) within unpatched Accellion FTA instances.
The Accellion data breach was first disclosed in December of last year, and while the target of the attack was a 20-year-old product, nearing end of life, it appeared many organizations still used it. Several enterprises have disclosed breaches and attributed the attacks to the FTA product.
Coveware refers to the FTA attacks as a highly sophisticated and targeted exploitation of a single software appliance, used only by a handful of enterprises. Additionally, the report states that the Clop group may have purchased the exploit used in the initial stages of the attack in order to gain exclusive use. Siegel said there is a connection between the increase in ransoms and victims paying and ransomware groups' ability to hire more "specialists" who sell access to specific networks, which is achieved through exploited vulnerabilities.
"This is an economy that runs on the money. The more money the economy generates, the faster it will expand," Siegel said.
However, the behavior Clop exhibited in the Accellion attacks is different from other instances Coveware observed. According to the report, it stands in stark contrast to how most unauthorized network access is brokered through the cyber extortion supply chain to any willing purchaser post-exploitation. In this case, Coveware said the Accellion exploit did not allow for the deployment of ransomware across the victims' environment, "so data theft from the appliance was the sole target of Clop's campaign from the outset." Additionally, it appears that Clop chose an unlikely target.
"Unlike most exploits used by ransomware threat actors, unpatched Accellion FTA instances are rare (likely less than 100 total), especially when compared to vulnerable RDP instances which number hundreds of thousands globally. Clop's confidence that such a small number of targets would yield a positive financial return must have been high and, unfortunately, they were correct," the report said.
Siegel said the use of zero-day vulnerabilities for attacks is an edge case -- for now.
"Zero days are expensive, and a threat actor would need to have accurate forecasting of what they may earn from an attack/subsequent extortion attempt to invest that kind of money in a zero day," he said. "Especially when there are so many cheaper methods."
However, he said, the Clop attacks demonstrate how mature the cyber extortion economy has become. And as ransomware payments rise, as they did in Q1, it could become a trend and finance ransomware groups' ability to expand into more dangerous tactics.