Today, people around the world will head to school, doctor’s appointments, and pharmacies, only to be told, “Sorry, our computer systems are down.” The frequent culprit is a cybercrime gang operating on the other side of the world, demanding payment for system access or the safe return of stolen data.
The ransomware epidemic shows no signs of slowing down in 2024—despite increasing police crackdowns—and experts worry that it could soon enter a more violent phase.
“We’re definitely not winning the fight against ransomware right now,” Allan Liska, a threat intelligence analyst at Recorded Future, tells WIRED.
Ransomware has become a significant cyber threat over the last decade, impacting various sectors such as healthcare, education, and government entities. The method involves the encryption of essential data, crippling the functionality of the victim’s operations, followed by demands for payment under the threat of public data exposure. The repercussions of these attacks have been profound. One notable incident in 2021 involved the Colonial Pipeline Company, which experienced a ransomware attack that halted its fuel distribution, leading to President Joe Biden’s authorization of urgent measures to address fuel shortages. Despite the publicized nature of some incidents, ransomware attacks occur frequently and globally, often without gaining widespread media attention. Last week, the healthcare sector in the UK fell victim to such an attack, emphasizing the relentless nature of this cybercrime.
According to Brett Callow, a threat analyst at Emsisoft, there’s a significant lack of public reporting on these incidents, which obscures the real trend and volume of attacks. The limited data often forces researchers to base their findings on the few cases that are publicly shared or on information divulged by the perpetrators themselves. However, as Liska notes, trusting criminals’ disclosures is problematic as their statements are generally unreliable.
Current trends suggest that ransomware is not only persisting but possibly intensifying. Mandiant, a security analysis firm and part of Google, documented an unprecedented spike in ransomware activities in 2023. Reports reveal that victims have cumulatively paid over one billion dollars in ransoms, and these figures only represent the cases that have been identified and recorded.
A significant trend highlighted in the recent report is the increased activity on “shame sites”. These sites are utilized by cybercriminals for data leaks as part of an extortion scheme. In 2023, there was a notable 75 percent increase in the frequency of posts on these sites compared to the previous year, as stated by Mandiant. Such sites often feature dramatic elements like countdown timers to the publication of private data unless a ransom is paid, highlighting the escalation in intimidatory tactics by ransomware groups, according to experts who spoke to WIRED.
“Generally, their tactics are becoming increasingly severe,” mentioned Callow.
Additionally, these cybercriminals have started directly threatening their victims via phone calls or emails. In an incident in 2023, the Fred Hutchinson Cancer Center in Seattle suffered a ransomware attack where cancer patients were targeted with emails that blackmailed them to pay up or risk having their personal data exposed.
“I am worried that this could quickly escalate to violence in the real world,” Callow expressed. “With so much money at stake, they could potentially harm an executive or a family member of someone from a non-compliant company.”
While no direct violence from a ransomware attack has been reported, there is evidence of intimidation tactics where ransomware gangs have threatened to harm individuals, suggesting threats such as, “We know where your CEO lives,” according to Liska.
It’s crucial to recognize how these criminal activities can have life-threatening consequences. According to research, between 2016 and 2021, ransomware attacks on hospitals are estimated to have resulted in the deaths of 42 to 67 Medicare patients by delaying necessary treatments.
Liska highlights that ransomware gangs often have connections with broader criminal networks, such as “the Comm,” a global consortium of criminals who engage in violence-as-a-service. These groups are not only involved in digital crimes like SIM swapping but also in physical acts of violence. Reports from 404 Media last year indicated that Comm members are coordinating directly with ransomware gangs such as AlphV, which was previously involved in a major hack at MGM Casinos. Despite efforts by the FBI to disrupt its activities, AlphV resumed operations and launched a significant attack on Change Healthcare, causing widespread disruption to medical services.
Liska expresses significant concern about the association of ransomware gangs with violent cybercrimes, emphasizing the real-world risks posed by these alliances.
Recent efforts by law enforcement have led to significant disruptions in the operations of ransomware groups. In February, an operation known as Operation Cronos made headway against the notorious LockBit ransomware group by taking down its websites and offering free decryption tools to victims. Additionally, authorities successfully arrested two alleged affiliates from Ukraine and Poland.
Despite these efforts, reducing the overall volume of ransomware attacks has been challenging. Ransomware gangs often operate similarly to tech startups, offering subscription services and around-the-clock support for their malicious software. They also recruit affiliates to conduct the attacks and are frequently based in Russia, which complicates efforts by Western law enforcement agencies. In response, those agencies have started to employ the gangs’ own methods of intimidation and psychological warfare against them.
In one notable instance, Operation Cronos employed a countdown timer similar to those used on ransomware extortion websites to uncover the identity of the alleged leader of LockBit, Dmitry Khoroshev, a 31-year-old from Russia. Khoroshev was also indicted by U.S. prosecutors on multiple counts and received sanctions. Given his presence in Russia, his arrest is unlikely unless he ventures abroad. Nevertheless, publicizing his identity serves to destabilize his operation by diminishing trust among his affiliates and making him a marked man.
“There are many who are interested in tapping into his wealth,” mentions Callow. “There are those who would likely attack him physically and move him across the border to a jurisdiction that allows extradition.” The possibility of his voluntary departure from Russia leading to arrest also looms over his affiliates, heightening their anxiety.
“Law enforcement is adapting to let them know that they are vulnerable,” Liska says.
Another obstacle to reining in ransomware is the Hydra-esque nature of affiliates. After the LockBit disruption, analysts saw 10 new ransomware sites pop up almost immediately. “That is more than we’ve seen in a 30-day period at any point,” says Liska.
Law enforcement is adapting to this reality, too. In May, an international collaboration called Operation Endgame announced that it had successfully disrupted multiple operations distributing malware “droppers.” Droppers are an important part of the cybercrime ecosystem as they allow hackers to deliver ransomware or other malicious code undetected. Operation Endgame resulted in four arrests in Armenia and Ukraine, took down more than 100 servers, and seized thousands of domains. Endgame employed psychological tactics similar to Operation Cronos, like a countdown to flashy videos containing Russian text and encouraging criminals to “think about (y)our next move.”
While the scale of the ransomware problem may seem difficult to get a handle on, both Liska and Callow say it’s not impossible. Callow says that a ban on payment to ransomware gangs would make the biggest difference. Liska was less enthusiastic about the prospects of a payment ban but suggested that law enforcement’s continuing actions could eventually make a real dent.
“We talk about whack-a-mole a lot when it comes to ransomware groups—you knock one down and another pops up,” says Liska. “But I think what these [law enforcement] operations are doing is they’re making the board smaller. So yes, you knock one down, and another one pops up. But you wind up with, hopefully, fewer and fewer of them popping up.”