Introduction: My Story
In my journey through cybersecurity, I've seen firsthand how attackers can live off the land after stealing credentials, spearphish unsuspecting employees and spoof enterprise MFA. I’ve also witnessed the impact of ransomware attacks and the destruction and frustration that people experience during a breach. These breaches often involve attackers quietly residing in networks, siphoning off intellectual property, or cryptomining. It's a dangerous game, and one that has evolved significantly over time.
A (not too) recent and increasingly alarming trend that is gaining momentum is “big game hunting.” Last weekend, a friend mentioned they’d heard about “game hunting” in cybersecurity, which led to a (somewhat) lengthy term correction from yours truly and a long-winded discussion of big game hunting.
This conversation inspired this week’s post, a review and discussion of Big Game Hunting: The Evolution of a Ransomware Strategy and Emergent Ransomware Market.
What is Big Game Hunting?
"Big game hunting" in the context of ransomware refers to a targeted strategy where cybercriminals focus on large, high-value organizations. Unlike more indiscriminate attacks, big game hunting involves sophisticated, long-term planning and execution, often involving multiple threat actor groups working together. This strategy aims to extract larger ransom payments by targeting organizations that can afford to pay hefty sums to resume operations or avoid public scrutiny.
Ransomware as a Service
Ransomware as a service (RaaS) is a recent trend where cybercriminals lease their ransomware tools to other criminals, creating a decentralized network of threat actors. RaaS has lowered the barrier to entry for cybercrime, allowing even low-skilled attackers to launch sophisticated ransomware campaigns. Here are two examples:
Ryuk Ransomware: In a high-profile attack, Ryuk ransomware targeted a major manufacturing firm, leading to widespread disruption. Attackers gained access through phishing emails, moved laterally within the network, and encrypted critical systems, demanding a hefty ransom for decryption keys.
SamSam Ransomware: SamSam ransomware struck several healthcare institutions by exploiting known vulnerabilities in unpatched systems. Attackers carefully selected targets, ensuring maximum impact and ransom potential. The attack forced hospitals to divert patients and delay treatments, highlighting the severe consequences of big game hunting strategies.
What's Changed Recently?
Big game hunting tactics have evolved notably in the past couple of years, with several key trends emerging:
Double Extortion: Cybercriminals not only encrypt data but also exfiltrate it, threatening to release sensitive information if the ransom is not paid. Groups like CL0P have been particularly active in this method, extracting private information before deploying malware.
Increased Use of Legitimate Tools: There's been a rise in the use of legitimate remote monitoring and management (RMM) tools by cybercriminals to evade detection. CrowdStrike reported a 312% increase in the usage of these tools in 2023, making it harder for traditional security measures to detect malicious activity.
Law Enforcement Takedowns and Adaptation: Despite successful law enforcement actions against major ransomware groups, new groups quickly emerge. For instance, the FBI's takedown of the Hive ransomware network was significant, but groups like BlackCat re-emerged soon after.
Targeting SMBs: Small and medium businesses (SMBs) have become more frequent targets due to their typically weaker security postures. In 2023, 66% of small business owners reported experiencing a cyberattack. More on this in a future post.
Supply Chain Attacks: Cybercriminals increasingly target third-party vendors and suppliers to gain access to larger organizations. The MOVEit file transfer software vulnerability exploited by the CL0P ransomware group is a notable example of this tactic.
Show me the Money: An Economic Review of Ransomware
Over the past four years, ransomware has become a highly profitable enterprise for cybercriminals. For your ease of use (and this blog’s word count), I’ve tabulated the annual revenue figures and plotted them for you below:
I decided to consider the Compound Annual Growth Rate (CAGR) of “Ransomware Revenue” to understand it as a market, and see if (as a former Econ major) there’d be an indicator of the market growth potential for ransomware.
Don’t know what CAGR is? All good! Simply put, a CAGR is useful for assessing the health of a market, and its growth potential. It’s used in a variety of situations to assess the viability of entrants into a new market (startups love to pitch a CAGR when coming into a market).
For prospective entrants into the ransomware market, its CAGR from 2020 to 2023 is 43.79%.
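To show where a figure like 43.79% comes from, here is a small added example (mine, not part of the original post) that computes a CAGR from a yearly series, shows the year-over-year path behind it, and projects the figure forward. The revenue values are constructed for illustration and are not the post’s table; they are chosen so the calculation lands near the 43.79% quoted above.

```python
# Constructed yearly revenue figures in billions of USD, used only to
# illustrate the calculation; they are not the post's own data.
REVENUE = {2020: 0.37, 2021: 0.60, 2022: 0.46, 2023: 1.10}


def cagr(start_value, end_value, years):
    """Compound annual growth rate: the constant yearly rate that turns
    start_value into end_value over the given number of years."""
    if start_value <= 0 or years <= 0:
        raise ValueError("start value and years must be positive")
    return (end_value / start_value) ** (1 / years) - 1


def series_cagr(series):
    """CAGR across a {year: value} dict, from its first year to its last.
    Only the endpoints matter; intermediate years do not affect the result."""
    first, last = min(series), max(series)
    return cagr(series[first], series[last], last - first)


def yoy_growth(series):
    """Year-over-year growth for each year after the first, which shows
    how lumpy the real path behind a smooth-looking CAGR can be."""
    years = sorted(series)
    return {y: series[y] / series[p] - 1 for p, y in zip(years, years[1:])}


def project(value, rate, years):
    """Value after compounding at `rate` for `years` more years, if growth held."""
    return value * (1 + rate) ** years


if __name__ == "__main__":
    rate = series_cagr(REVENUE)
    print(f"CAGR 2020-2023: {rate:.2%}")
    for year, growth in yoy_growth(REVENUE).items():
        print(f"  {year}: {growth:+.1%} year over year")
    print(f"2024 if the CAGR held: ${project(REVENUE[2023], rate, 1):.2f}B")
```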
A CAGR of approximately 44% is exceptionally high and indicates rapid growth. Such high growth rates are often seen in emerging markets and high-tech industries. Some examples include:
The cryptocurrency market, driven by increasing adoption and institutional investments, has exhibited CAGRs well above 40%.
The artificial intelligence (AI) market, with advancements in machine learning and significant investments (more on AI in cyber in a future post).
The electric vehicle (EV) market, fueled by government incentives and technological advancements in battery technology, has shown substantial growth.
Relating this back to ransomware, this is especially alarming. With growth numbers like this we can expect existing incumbents like RaaS operators to continue to invest resources into their ransomware efforts. We can, sadly, expect new entrants to the RaaS market. I’d be willing to bet that newer, more innovative RaaS organizations will spring up and join the resurgent ransomware hype cycle.
Ironically enough, markets like AI let ransomware actors turn technologies we would hope to use for good to ill ends. Phishing emails can be crafted and exploit code can be written exponentially faster (and better) than before. If you’re in security you hear about “AI-based threats” a lot. It can trigger eye rolls or trepidation depending on your perspective. In this case, the numbers don’t lie: looking at this (quick) market analysis of ransomware’s revenue growth, I was staggered.
Takeaways
Big game hunting has reshaped the ransomware landscape, leading to higher ransom payments and more sophisticated attack methods.
The financial impact in 2023 was substantial, with ransomware payments exceeding $1 billion.
Ransomware’s revenue growth curve is astonishingly high, with a CAGR of 44%.
We can expect to see more effort from existing organizations and new entrants to the ransomware as a service/big game hunting ecosystem.
So What Can We Do About This?
I wish we could wave a magic wand to fix this emergent threat, but we can’t. Ransomware actors will continue to innovate, as will cybersecurity solution providers that seek to combat them. Not everyone has the resources to buy “best in class,” so why not take advantage of what is free to use?
This is not a comprehensive list, but here are three free resources we can use to address the risks of Big Game Hunting to some extent immediately, today.
Implement Network Segmentation: Divide your network into segments to limit lateral movement by attackers. This practice can help contain breaches and prevent attackers from accessing critical systems. Check out this free guide on network segmentation: https://www.sans.org/white-papers/36327/
Regularly Audit User Privileges: Ensure that users have the minimum level of access necessary to perform their roles. Regular audits can identify and revoke unnecessary privileges, reducing potential entry points for attackers. Here’s a free resource on auditing user privileges: https://www.cisecurity.org/controls/audit-log-management/
Conduct Regular Security Awareness Training: Educate employees about phishing and social engineering tactics. Awareness training costs nothing but can drastically reduce the likelihood of successful attacks. Use this free training material: https://www.us-cert.gov/ncas/tips/ST04-014
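As an added example of the privilege audit above (my code, not the post’s or any vendor’s), this script runs the checks a first audit pass would make over an account export: privileged group membership not on an approved list, disabled accounts still holding privileged membership, and privileged accounts that have not logged in for a while. The account rows, group names, allowlist and 90-day threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one row per account, in the
# shape a directory or IAM export might provide it.
ACCOUNTS = [
    {"user": "alice", "groups": ["Domain Admins"], "last_login": "2024-05-20", "enabled": True},
    {"user": "bob", "groups": ["Helpdesk", "Domain Admins"], "last_login": "2024-05-22", "enabled": True},
    {"user": "carol", "groups": ["Server Operators"], "last_login": "2023-11-02", "enabled": True},
    {"user": "svc-backup", "groups": ["Domain Admins"], "last_login": "2024-01-15", "enabled": False},
    {"user": "dave", "groups": ["Staff"], "last_login": "2024-05-21", "enabled": True},
]

# Assumed set of groups that confer elevated rights in this environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}
# Assumed allowlist: the only accounts that are supposed to hold privileged membership.
APPROVED_ADMINS = {"alice"}
STALE_DAYS = 90  # assumed threshold for "unused" privileged access


def audit_privileges(accounts, today):
    """Return (user, reason) findings for every privileged account that
    should be reviewed or have its membership revoked."""
    findings = []
    for acct in accounts:
        held = PRIVILEGED_GROUPS & set(acct["groups"])
        if not held:
            continue  # no elevated rights, nothing to review here
        groups = ", ".join(sorted(held))
        if acct["user"] not in APPROVED_ADMINS:
            findings.append((acct["user"], f"unapproved membership in {groups}"))
        if not acct["enabled"]:
            # Disabled accounts keep their group rights if re-enabled or abused via token reuse.
            findings.append((acct["user"], f"disabled account still in {groups}"))
        last = date.fromisoformat(acct["last_login"])
        idle = (today - last).days
        if idle > STALE_DAYS:
            findings.append((acct["user"], f"no login for {idle} days"))
    return findings


def run_sample_audit():
    """Run the audit over the constructed inventory as of a fixed date."""
    return audit_privileges(ACCOUNTS, date(2024, 5, 24))


if __name__ == "__main__":
    for user, reason in run_sample_audit():
        print(f"{user}: {reason}")
```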
Stay secure and stay curious, my friends!
Damien