Singapore, Australia and India top the 2021 list of most-attacked countries in APAC, as willingness of victims to meet ransom demands fuels explosive growth in the ransomware economy.

With increasing sophistication behind RansomOps attacks, ransomware syndicates are reaping record profits, making it open season on public and private sector organizations of all sizes.

Cybereason recently published a new report titled RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy, which examined how ransomware attacks have evolved from a cottage industry less than 10 years ago into a multi-billion dollar mega industry today.

While ransomware attackers initially relied on “spray-and-pray” tactics to target mostly individuals where ransom demands were relatively small, starting in 2020-2021 – with the emergence of RansomOps that are complex and akin to the stealthy operations conducted by nation-state threat actors – ransomware attacks have become harder to defend against for most organizations.

As a result, emboldened threat actors have driven up their ransom demands as more and more organizations choose to pay. 

“A shift by the ransomware gangs from widespread to targeted attacks against organizations that have the ability to pay multi-million-dollar ransom demands has fueled the rise in attacks in 2021,” said Lior Div, CEO and Co-Founder, Cybereason.

Lim Shih Hsien, Head of Technology Masterplanning, CISO & CSO, Certis Group, added: “As long as data is the ‘new oil’, ransomware will be prevalent. The concept is thus not new, just that ‘business models’ around ransomware will continue to innovate, just like legitimate technology startups. There will be sharing of code, vulnerabilities, targets, services, and talent will move around to seek better prospects.”

“Apart from financial gain, the adversary exploits sensitive data and uses it as a levy,” said Dato’ Ts Dr Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia. “If the ransom is not fulfilled within the given time, confidential data are exposed and compromised.”

Top targets in Asia Pacific

According to the new report, Singapore topped the Asia Pacific list of most-attacked countries in 2021, followed by Australia and India – taking 8th, 9th and 10th places on the worldwide list respectively.

“No two RansomOps attacks garnered more publicity last year than those on Colonial Pipeline and JBS Foods. Unfortunately, we can expect to see a continued increase in attacks in 2022, with ransom demands increasing and critical infrastructure operators, hospitals and banks having targets on their backs,” said Div.

YueZhong Bao, CISO, Lazada Group, added: “Ransomware is increasingly becoming a key threat for eCommerce and its supply chain. Attackers have evolved the ransomware to target systems with multi-extortion capabilities, enabling them to disrupt normal business operations. This can severely impact businesses’ ability to service millions of customers. It is a serious threat that needs to be tackled immediately and with key metrics defined and effective countermeasures implemented to deter, disrupt and defeat these malicious attacks.”

INFOGRAPHICS: Ransomware gold rush
Key facts and figures from Cybereason’s RansomOps: Inside Complex Ransomware Operations and the Ransomware Economy report.

Components of RansomOps

The report also detailed the four components of RansomOps:

  • Initial Access Brokers (IABs): Infiltrate target networks, establish persistence and move laterally to compromise as much of the network as possible, then sell access to other threat actors
  • Ransomware-as-a-Service (RaaS) Providers: Supply the actual ransomware code, the payment mechanisms, handle negotiations with the target and provide other “customer service” resources to both the attackers and the victims
  • Ransomware Affiliates: Contract with the RaaS provider, select the targeted organizations and then carry out the actual ransomware attack
  • Cryptocurrency Exchanges: Launder the extorted proceeds

Dato’ Ts Dr Haji Amirudin advised: “Beware of ransomware and follow best practice security policies to prevent and mitigate the threat.”

To pay or not to pay

A previous Cybereason report titled Ransomware: The True Cost to Business revealed that 80% of organizations that paid a ransom were hit a second time, many times by the same threat actors. Instead of paying, organizations should focus on early detection and prevention strategies to end ransomware attacks at the earliest stages before critical systems and data are put in jeopardy.

According to Cybereason, there are good reasons for not paying, including:

  • No guarantees of retrieving data: Paying the ransom doesn’t mean that you will regain access to your encrypted data. The decryption utilities provided by those responsible for the attack sometimes simply don’t work properly. In the case of Colonial Pipeline in 2021, the company paid a US$4.4 million ransom, received faulty decryption keys from the DarkSide Group and had to activate their backups to restore systems.
  • Legal implications: Organizations could end of paying steep fines from the U.S. government for paying ransomware actors that sponsor terrorism. In addition, supply chain ransomware attacks that impact an organization’s customers or partners would result in lawsuits from the impacted organizations.
  • Incentivizing ransomware attacks: Organizations who pay ransomware attackers send the message that the attacks work and it continues to fuel more attacks and higher ransom demands. Like Cybereason, the FBI advises that organizations refrain from paying ransoms because it simply emboldens malicious actors by telling them that extortion works.