Cybercrime groups professionalize and profit soars

How much could a company pay to rescue its data?

The answer requires a complex analysis of the company’s balance sheet, the compliance rules to which it is subject and the potential impact of a service outage or an information leak, among other points.

It is this type of assessment that cybercriminal groups make when choosing their targets, and it helped them achieve a jump of millions in their ransomware revenue in 2021.

These attacks are a kind of digital kidnapping, hence the name, taken from the “ransom” demanded for release. A malicious program (or malware) blocks access to data and computer systems. The criminals then charge a fee, to be paid in cryptocurrency, usually bitcoin, to restore access.

The technique often includes further layers of extortion. For example, once they have access to a company’s data, criminals can copy the information and demand payment not to leak all of it on the internet.

With money in their pockets, criminal groups specializing in these attacks have even adopted a structure similar to that of a large corporation, with a CEO, managers and employees (vacation rights included), people dedicated to recruitment, payroll and a legal department.

Ransomware is on the rise. For more than three years it has topped IBM Security’s annual survey as the most detected cyber threat, counting the edition released in early 2022.

The rise in the amounts received is striking. Data released on March 24 by Unit 42, the research division of cybersecurity company Palo Alto Networks, shows that the average amount actually paid to criminals in this type of scam rose 78% year on year, to US$541,000 (about R$2.6 million), in 2021. The average ransom demand jumped 144%, to US$2.2 million (approximately R$10.5 million).

The figures, according to the survey, are a record. Brazil ranks ninth in the number of companies hit by ransomware.

A survey by the cybersecurity company Avast, carried out at the request of this newspaper, shows a 90% increase in ransomware blocked in Brazil in the first quarter of this year compared with the same period last year.

These numbers, however, do not tell the whole story. Other companies in the sector consulted for this report did not see an increase in the gross volume of detections. Why, then, has this type of crime made the news lately, and how have the sums involved grown so much?

Ransomware is targeted and gets more complex

Experts interviewed by this newspaper point to maturation. Hackers have traded the shotgun for the sniper rifle: where before they launched attacks diffusely, hoping something would stick, now they study and analyze targets in depth to strike precisely, and so hit companies that offer a higher return for the risk taken.

“Groups are more discerning when making an attack and choosing targets”, says Flavio Silva, information security coordinator at Trend Micro Brasil, a company specialized in the sector.

Going after targets better equipped to defend themselves, however, requires more sophistication. “By analogy, it is one thing for someone to plan to rob the bakery on the corner and another to rob the Central Bank. Then the potential return is evaluated: is it worth the risk of targeting the bakery on the corner?”, says Silva.

“What you don’t see anymore is big groups attacking small companies, they don’t waste time with that anymore”, says Fabio Assolini, from Kaspersky.

Part of the strategy involves attacking industries that are not traditionally targeted but that handle sensitive data, such as HR, accounting and legal information. With privacy laws appearing around the world, leaks can lead to sanctions, such as fines, which can pressure a victim into paying the ransom.

“These sectors have a less solid defense infrastructure, with less investment in security, than those normally targeted, such as finance”, points out Daniel Bortolazo, an engineer at Palo Alto Networks.

At the same time that these attacks are getting more complex, they are getting more accessible.

This seemingly contradictory development is known as Ransomware as a Service (RaaS). In this model, a person without much technical knowledge can rent infrastructure from large criminal groups to attack a company. In practice, a disgruntled employee can try to extort their own workplace.

Gateways involve human error

A common tactic for targeting is to scan the internet for online services with known vulnerabilities.

This approach was heavily exploited during the pandemic, with more people working from home. It widened the attack surface available to the scammers: remote access systems, which allow someone outside the company’s building to reach internal systems, were hastily set up and often without due care for security.

“If someone detects an improperly configured service, they find servers that are easy to compromise and get in,” explains Daniel Barbosa, a researcher at Eset, a cybersecurity firm.

Once criminals have this access, they can keep moving toward other data and systems on the same network, run malicious programs and copy data, for example.

The entry method varies. Besides this mapping of misconfigured services, an old acquaintance that never stops haunting IT teams is “phishing”: sending fake messages, for example emails impersonating a company, to trick the victim into handing over data or installing malware.

According to IBM’s annual security report, this was the top gateway used by hackers in 2021.

To attack specific targets, criminals often use a variant of this scam known as “spear phishing”, in which they study the victim closely in order to craft a believable, tailored message rather than something generic.

Another possibility is to use a company’s own employees, the so-called “insiders”, to open the door to an attack.

No time to protect yourself

Experts also warn of a rise in the exploitation of vulnerabilities that security researchers have only just discovered, or do not yet know about at all.

These unknown flaws are extremely valuable in the cybercriminal world and are sold in the most hidden corners of the internet. They are called “zero-days” because, unaware of their existence, security experts had zero days to fix the problem.

Even after they are discovered, these flaws continue to be exploited until affected systems are updated with the fixes.

One of the emblematic cases was WannaCry, in 2017. The ransomware attacked Windows systems by exploiting a flaw that Microsoft had already fixed months earlier, and it found fertile ground on unpatched machines.

Late last year, the discovery of a flaw, dubbed Log4Shell, scared the industry. The vulnerability had been exploited since 2013 and affected hundreds of millions of devices using software called Log4j.

It came to be described as the biggest vulnerability of all time and belongs to the class of flaws that let attackers take control of a computer by executing programs on it remotely.

The worst, however, may be yet to come. Daniel Bortolazo, of Palo Alto Networks, warns of a common pattern: criminals gain access to the network but do not necessarily launch the attack immediately. They wait, try to obtain higher levels of access, and strike later. As a result, security teams find it harder to understand how the criminals got in.

“These seeds are planted, then they will be harvested through ransomware and other attacks,” says Bortolazo. “Log4Shell is just the door. Now, the person enters, opens the window, makes a tunnel, opens the chimney… If Log4Shell has already been fixed, these other entrances are still open.”

Should companies pay the ransom?

Historically, cybersecurity experts have recommended that companies maintain good defenses and a solid plan for reacting to an incident, and that they not pay ransoms to criminals to restore access.

“There are no guarantees of a return to normality”, says Flavio Silva, from Trend Micro. He also warns that, even after payment and the return of the systems, hackers can continue their extortion attempts, demanding payment, for example, not to leak stolen data.

In practice, however, some victims have chosen to pay, so much so that the average amounts received by criminals have risen. Some companies even take out insurance to cover these cases.

“The issue here is to feed back cybercrime,” says Silva. “If in all successful attacks nobody pays, why do they keep attacking? If nobody pays, they stop supporting the chain.”
