"We know where your director lives": ransomware hackers use harsh methods of terror

Tomcat

Shame sites and the countdown: how cybercriminals put pressure on victims.

More and more often, people going about their ordinary daily business, at a school, hospital or pharmacy, run into computer systems that do not work. Criminal groups from different parts of the world are often behind these incidents: they lock up systems and demand a ransom for restoring access or returning stolen data.

The ransomware epidemic shows no signs of slowing down in 2024, despite the efforts of law enforcement agencies, and experts fear that it may soon move into a more violent phase. "We're definitely losing the fight against ransomware right now," says Recorded Future threat analyst Allan Liska.

Ransomware may well be the defining cybercrime of the last decade, hitting a wide range of victims, including hospitals, schools and governments. Attackers encrypt critical data, bringing the victim's operations to a halt, and then extort money by threatening to publish confidential information. These attacks have serious consequences. In 2021, Colonial Pipeline fell victim to a ransomware attack that forced it to suspend fuel deliveries and led US President Joe Biden to take emergency measures to meet demand. Ransomware attacks happen every day around the world; last week they hit hospitals in the UK. Many of them never make the headlines.

"There is a problem with transparency – most organizations do not disclose or report such incidents," said Emsisoft threat analyst Brett Callow. According to him, this makes it hard to measure how fast ransomware attacks are growing. Researchers have to rely on data from government agencies that have been attacked, or from the perpetrators themselves.

The problem is apparently not going to disappear; it is set to worsen in 2024. According to the Mandiant report, hackers are increasingly resorting to publishing stolen data on so-called "shame sites". In 2023, the number of publications on such resources increased by 75% compared to 2022. These sites use attention-grabbing tactics, such as a countdown to the moment when victims' sensitive data will be made public if they do not pay.

"Their tactics are getting more violent," Callow says.

For example, hackers have begun threatening victims directly with intimidating phone calls or emails. In 2023, the Fred Hutchinson Cancer Center in Seattle was hit by a ransomware attack in which the attackers sent emails to cancer patients threatening to disclose their personal information if they refused to pay.

"My concern is that this could turn into real violence very soon," Callow said. "If we are talking about millions of dollars, they can harm the head of the company that refuses to pay, or members of his family."

Although no cases of violence have been reported as a result of ransomware attacks, hacker groups are already using such threats in their tactics. "During the negotiations that were leaked online, they hinted at such actions, stating: 'We know where your CEO lives,'" Liska says.

As for the criminals' indifference to life and death, researchers estimate that between 2016 and 2021, ransomware attacks led to the deaths of 42 to 67 Medicare patients because of delays in providing vital care.

Analysts are also concerned about the links between groups specializing in ransomware attacks and "The Comm", an informal international network of criminals who offer services for illegal actions online beyond traditional cybercrime such as SIM swapping. Comm members advertise their willingness to use physical force and damage property, and post videos allegedly depicting acts of abuse.

Recently, law enforcement agencies have made some progress in curbing the activities of ransomware groups. For example, in February, the international Operation Cronos took down the well-known hacker group LockBit, seizing its websites and offering victims free decryption of their data.

Part of the difficulty in reducing the volume of ransomware attacks is that ransomware gangs, which operate almost like startups, sometimes offering a subscription service and round-the-clock support for their software while recruiting affiliates to carry out attacks, are often based in countries from which extradition is not available. This has prompted Western law enforcement agencies to turn the gangs' own intimidation tactics and psychological games against them.

For example, Operation Cronos used a shame-site-style countdown timer to reveal the identity of LockBit's alleged boss, 31-year-old Dmitry Khoroshev. He was also charged on 26 counts by US prosecutors, and sanctions were imposed. Although his arrest in his home country is unlikely, revealing his identity could undermine his credibility and make him a target.

"There will be people willing to use force to bring him across the border to a country where he can be extradited." Accomplices may also worry about the possibility of his arrest if he voluntarily leaves his country of residence.

Another barrier to controlling ransomware is the hydra-like nature of the participants. After LockBit was taken down, analysts noticed that almost immediately 10 new sites appeared distributing ransomware. "This is an unprecedented number in a month," says Liska.

But law enforcement officers are adapting to this as well. In May, an international operation called "Endgame" announced that it had succeeded in disrupting several groups distributing malware known as "droppers". Droppers are an important part of the cybercrime ecosystem, since they let hackers deliver ransomware or other malicious code without being noticed. Operation Endgame led to the arrest of four people in Armenia and Ukraine, the takedown of more than 100 servers and the seizure of thousands of domains. Endgame used psychological tactics similar to those of Operation Cronos, such as a countdown to text-based videos encouraging criminals to "think about the next step."

Despite the scale of the problem, Liska and Callow remain optimistic. Callow believes that a ban on paying ransoms to hackers would be the most effective solution. Liska is less confident about the prospects for a ban, but notes that law enforcement actions can produce real results over time.

"We often talk about whack-a-mole when it comes to ransomware groups — you take down one, another one appears," Liska says. "But I think [law enforcement] operations are gradually narrowing the field. Eventually, I hope there will be fewer and fewer of them."