In most ransomware attacks, ransomware operators encrypt data on a victim’s network and hold it hostage in exchange for a ransom payment, which may vary from hundreds to millions of dollars. If a company refuses to pay, hackers can leak or destroy files or sell access to the compromised network to third parties. However, some ransomware operators resort to rather unconventional methods to get their victims to pay.
For example, in May 2016, a ransomware variant called CryptMix was discovered; but with a philanthropic twist. The attackers promised to donate the ransom to a children’s charity.
GoodWill: Noble or Not?
Another Robin Hood-style ransomware strain called GoodWill attempts to compel victims to perform good deeds instead of paying for the decryption key. Like any other ransomware, GoodWill encrypts data on the compromised system, but rather than demand a ransom in cryptocurrency it forces the victim to help the less fortunate by donating clothes and blankets to the homeless, feeding poor children and providing financial assistance to anyone who requires urgent medical attention and share proof of this on social media.
At first glance, the GoodWill ransomware operators’ unusual approach may seem like a noble twist on a malicious endeavor, but demanding that people perform acts of kindness to restore their encrypted files is still an invasion of privacy, blackmail and manipulation.
A Robin Hood Approach
In the past, some ransomware gangs tried to improve their image by using a ‘Robin Hood’ approach. In 2020, DarkSide, a now-defunct ransomware group responsible for multiple high-profile attacks, donated part of the ransom demands that it had previously extorted from its victims to two charity organizations. Despite these seemingly altruistic efforts, the primary purpose of ransomware remains the same: To extort money from victims by blocking access to their own data.
As the ransomware-as-a-service (RaaS) market is flourishes, ransomware actors are constantly evolving their tactics and attack methodology to maximize the impact of a successful attack. According to a recent survey, 83% of successful ransomware attacks now include threats of double and triple extortion in addition to the initial ransom demands.
Double extortion is a tactic wherein cybercriminals not only steal an organization’s data but also threaten to publish it if the ransom is not paid. Under triple extortion, threat actors demand additional payment from those who may be impacted by the leaking of the compromised organization’s data. Triple extortion can also include additional attacks carried out against the original target if the company doesn’t comply.
The survey found that, of companies hit with ransomware, 38% experienced attacks threatening to extort customers with stolen customer data, 35% of attacks threatened to expose data on the dark web and 32% threatened to inform customers that data was stolen.
In addition, 16% of the organizations that refused to pay the ransom had their data exposed on the dark web, and 18% of victims who paid the ransom still had their data leaked. Of those organizations that paid ransomware operators, 35% were not able to retrieve their data.
Worse, given the division of labor and collaboration between different gangs in the global cybercrime market, the gang behind the ransomware attack is usually not the only one with access to the stolen data. Thus, by accepting a payment from the victim, they have no factual means to guarantee that their accomplices won’t suddenly leak the data for fun or for profit.
Furthermore, a majority (72%) of organizations surveyed admitted that ransomware attacks are evolving faster than the security controls needed to protect against them. It is predicted that ransomware will cost its victims over $265 billion annually by 2031, with a new attack hitting consumers or businesses every two seconds.
No Business is Off-Limits
Ransomware attacks become more and more sophisticated every year. Ransomware can hit any individual or industry, and no business or organization is off-limits. According to some reports, the number of ransomware attacks increased by 100% in 2021 alone. Furthermore, globally, the average cost of a ransomware breach hit a record $4.62 million (and this figure didn’t even include the ransom payment).
A threat as profitable as ransomware isn’t going away anytime soon, not least thanks to the influx of ransomware-as-a-service programs that don’t require extensive knowledge to break into computer networks.
Hacking campaigns, such as ransomware, can be easily deployed via ransomware-as-a-service now widely offered by professional cybergangs to beginners. The concomitant proliferation of cryptocurrencies makes such crimes technically uninvestigable, while law enforcement agencies and joint task forces are already overburdened with nation-state attacks and transnational targeted attacks aimed to steal intellectual property from Western companies.
Therefore, organizations must implement proactive protection rules to minimize the risk of this threat, regardless of whether or not the proceeds end up with a charitable organization or support a cause. These involve developing a backup and recovery plan, keeping operating systems and software up-to-date with the latest patches, maintaining up-to-date antivirus solutions, scanning all software downloaded from the internet prior to execution, using caution when opening emails, ensuring control over the connection of external devices, blocking unused ports on protected hosts to prevent unauthorized access and educating the organization’s employees on safety issues.