Recently, Ciaran Martin, the former head of the UK’s National Cyber Security Centre (NCSC) reportedly said the rise of ransomware during the pandemic is close to getting out of control. Perhaps he was thinking of a recent revelation by another NCSC employee who explained how a large organisation paid a whopping £6.5 million to attackers in order to recover its files following a ransomware attack.

After coughing up rather than identify and address the source of infection the organisation assumed there would be no more trouble. Just under two weeks later it was hit by the same attacker, exploiting the same vulnerability and had to pay the same ransom. Such is the deadly nature of ransomware and the ruthlessness of the attackers.

Inside the underground

Ransomware fuels a huge underground industry that has established business models, successful operational processes and even affiliates partners. There are four categories of main ‘players’ in this underground economy.
  • The first people in the ransomware food chain are hackers who identify system vulnerabilities that can be exploited and those who attack databases and make off with ID credentials such as email addresses.
  • These are followed by those who buy this information from hacker forums and dark web websites where the information is typically put up for sale.
  • The next in line are hackers who exploit the information to execute the attacks.
  • The final link are the escrow dealers who will often negotiate with the victims. They set the price on the ransom demand and payments are usually made in Bitcoins into crypto wallets owned either by these dealers or by other escrow ‘partners.’
Ransomware for hire

Within this model is ransomware-as-a-service (RaaS) in which attackers actually hire the ransomware for specific attacks. The use of this RaaS model has ebbed and flowed in recent years but has made a significant comeback during the pandemic.
  • From just 300 RaaS attacks identified last year, hundreds of millions of dollars were extracted in ransoms. The true figure is likely to be much higher given that many organisations won’t voluntarily advertise their losses.
Good news for home computer users?

If there is any good news among this it’s that ransomware tactics have swung away from consumers. Several years ago the attack model was based on mass-volume consumer attacks, with low-returns. Today the model has flipped to low-volume attacks on businesses, with high-returns.

But this doesn’t mean consumers are off the hook. Many ‘inexperienced’ hackers use RaaS because of its simplicity and consumers represent a low hanging fruit.
  • Most home computer users don’t have sophisticated cyber security knowledge and certainly not the same resources as large companies, which is something ransomware attackers exploit.
  • Victims can lose their data, the loss of the device and also have to pay the ransom.
The good news is that ransomware attacks can be defended against by adopting a few simple measures. Look out for phishing mails. These can be from organisations you might know but weren’t expecting anything such as a delivery company saying you have a parcel to be collected.
  • Phishing mails can usually be identified by a message that has a sense of urgency, or a message that attempts to exploit expectations, fear and anxiety. For instance, Covid-themed phishing mails were extremely popular last year, while in the past few months phishing mails themed around vaccinations have come to the fore.
  • Also watch out for mails that claim to be from the tax office, or a bank or credit card company saying you owe money or that your account has been exploited.
  • In all cases don’t download any attachments and if you do click on a link and it takes you through to a webpage that requests personal financial information, delete the email.
The golden rule is if doubt call the company in question by phone and confirm whether they have sent you a mail.

Also back up your data regularly and keep a copy of these backups remotely, that is in a cloud back up service or with a standalone storage device that you only connect to when you want to back up.

Make sure you are using good antimalware protection like BullGuard Internet Security. It includes Dynamic Machine Learning which identifies new types of ransomware and nullifies attacks often before they can launch.