Ransomware: 2022 Status Update
Tahiry Rabehaja, Risk Frontiers
About six months ago, we published a briefing note on the origin and evolution of ransomware, and improvements in its distribution logistics, implementation techniques and payment systems. We also noted that the change in business model ― Ransomware as a Service or RaaS ― is one of the major recent shifts in this threat landscape because it scales the threat actors themselves through commoditised ransomware toolkits.
In this article, we put recent important ransomware events in a broader context. We look at notable global wins against ransomware gangs, the increasing trend of ransomware linked data breaches in Australia and the recent outcome of legal fights over the “war exclusion” clause.
Notable global events: Bust of REvil affiliates
Since the series of high-profile attacks in 2021, international efforts have increased pressure on ransomware operators and affiliates and disrupted some of their activities. In November 2021, the operation GoldDust, involving law enforcement agencies from 17 countries (including Australia), led to the arrest of multiple REvil affiliates, seizure of properties and cash and the recovery of decryption tools. REvil is a notorious ransomware gang responsible for many devastating attacks since 2019. Experts have attributed the Kaseya and JBS attacks to the REvil gang and their affiliates. They also have a close relationship with DarkSide, which is responsible for the Colonial Pipeline attacks and prompted a stern response from the US. Then, in January 2022, another bust made headlines when, at the request of the US, The Russian Federal Security Service (FSB) arrested 14 REvil ransomware members and seized more than AUD$7 million in cash and cryptocurrency and 20 luxury cars,.
These international efforts have significantly increased the cost and risk associated with conducting ransomware operations. However, if ransom payments from digital extorsions remain profitable, ransomware creators, operators and affiliates will continue to exploit people, and find technological vulnerabilities to abuse and buy access to compromised systems. This means that organisations, businesses and individuals must continue to proactively protect their digital assets and resources and be ready to respond to potential breaches. A good example of how ransomware gangs adapt is the speed with which the Conti ransomware operators tried to exploit the Log4J2 vulnerability to expand their pool of victims. Even though the Log4J2 vulnerability was registered on the CVE database on 26.11.2021, a partial patch only came out on 10 December 2021 and the Conti operators started to actively scan for vulnerable systems on 13 October 2021, (see Figure 2). It took them about three days from the NVD disclosure and various public media releases to start exploiting the vulnerability aggressively. Many security-advisory notes from software vendors regarding how the Log4J2 vulnerability affects them were published during the same week, with up to seven days of lag.
Australian landscape through the lens of Notifiable Data Breach statistics
Australia’s Notifiable Data Breach (NDB) statistics give an interesting glimpse of the ransomware threats to Australian businesses and organisations. The NDB applies to a broad range of entities and amends the Privacy Act 1988. It requires these entities to notify the Office of the Australian Information Commissioner (OAIC) and impacted individuals about data breaches that are likely to cause serious harm. This scheme came into effect in February 2018 and has since matured in data collection and reporting. Figure 2 shows a summary of notifications recorded through the NDB scheme since it came into force.
The continuous white line illustrates the number of notifications received by the OAIC, which is relatively stable at just under 500 notifications per semester. The dashed white line captures notifications that are caused by a cyber incident (phishing, hacking, malware, ransomware etc) and excludes human errors and accidental breaches due to misconfigurations. The graph shows notifications from cyber incidents are also stable, at around 200 per semester.
In contrast, the continuous yellow line shows the percentage of cyber incidents-related breach notifications that were caused by ransomware attacks. There is a drastic increase in ransomware related to data breaches from 2020 to 2021. By July 2021, about a quarter of data breaches (just under 50 notifications) caused by cyber incidents were due to ransomware attacks. This means that an increasing number of ransomware attacks are also linked to data extrafiltration, which are categorised as data breaches. This may have been exacerbated by the increase in popularity of a daunting extortion technique where the ransomware operator threatens to make the exrafiltrated data public unless the ransom payment is paid within the deadline. This technique adds pressure to the victim to pay up because a data breach usually implies a potentially expensive incident response, including some legal ramifications and negative impacts on brands.
This graph shows that, in Australia, ransomware attacks are still on the rise, even though the number of data breach notifications has remained stationary over the past few years. Therefore, Australian businesses and organisations need to take this threat even more seriously.
This rise of successful ransomware attacks on Australian businesses also led to the launch of a new Ransomware Payment Bill. The Bill was introduced to the Federal Parliament on 21 June 2021 to enforce the obligation to report ransom payments to the Australian Cyber Security Centre (ACSC). It defines what a successful ransomware attack is and applies to all Information Technology resources physically located on Australian soil. This includes cloud services owned or operated by foreign businesses but hosted in any data centre within the Australian borders. The Bill also defines the organisations and businesses that fall into its scope: namely, all Commonwealth and state or territory agencies and large corporations with revenues above $10 million. The Bill specifies the details of a successful ransomware attack that must be reported to the ACSC, which includes details about the attackers, the method of payment, the amount of ransom paid and any known indicators of compromise. The Bill is currently before the Senate and, although it doesn’t make ransom payments illegal, it tries to arm the ACSC with as much information as possible about these payments to improve mitigations strategies and share actionable intelligence to Australian businesses and organisations. However, the ACSC itself advises victims to never pay a ransom and provides a guide (and potentially some assistance) on how to respond to a ransomware attack.
Ransomware, cyber insurance and war exclusion
In our previous publications, we have noted the importance of having a good incident response plan and indicated that insurance usually goes a long way to improve the response side of any cyber security strategy. However, a recurring topic in the effectiveness of insurance policies (either standalone or silent) pertains to the “war exclusion” clause. The definition of when a cyber-attack constitutes an Act of War is currently very murky, and relies on attribution ―the identification of the perpetrators of an attack. However, attribution is a difficult task as it requires deep technical forensics as well as educated political guesses and takes time to establish. An example is the 2019 cyber-attack on the Australian Parliament network, which is suspected to have been carried out by China, although no formal attribution was ever made by the Australian Government. Our earlier briefing note covers this attack in more detail. The difficulty in attribution and, by extension, the definition of an Act of War, remains an important discussion point for cyber insurance. The “war exclusion” clause is continuously tested in court. In January 2022, Merck & Co. won a case against its insurer ―Ace American Insurance Co.― for a payout of US$1.4 billion regarding the impact of NotPetya on its computer system and operations in 2017.
NotPetya is, confusingly, a variant of the Petya ransomware which was first identified in 2016. Rather than encrypting each individual file on a computer, the Petya ransomware encrypts the Master File Table (MFT), which makes it impossible to access any file without decrypting that part of the disk. Intuitively, all files on a computer remain intact but the indices, which the Windows operating system uses to make sense of these files, are scrambled. Petya’s distribution mechanism is through more traditional means such as email attachments or shared files (Dropbox, Google Drive etc). In contrast, NotPetya operates similarly to Petya at a conceptual level, but they have different implementations. That is, it doesn’t bother with the files and goes directly to encrypting the MFT.
NotPetya is distributed as a worm ―a malware that can replicate itself through a computer system network, including the Internet. It uses the same spread technique as WannaCry by exploiting the Windows’ Server Message Block (SMB) vulnerability using the EternalBlue exploit. Moreover, most security experts agree that NotPetya is a cyber weapon disguised as ransomware, as there is no way to reverse the damage done to the MFT, making it impossible or very expensive to recover the lost files. At the peak of the NotPetya outbreak, thousands of computers were infected and considerable damages were inflicted on many businesses around the globe. The impacted businesses included Merck ―a giant US multinational pharmaceutical― and Mondelez ―another US multinational specialising in confectionery― which both had “comprehensive” insurance covers.
The destructive nature of NotPetya has prompted many insurance companies to classify the ransomware outbreak as an “Act of War”. However, Merck sustained considerable material losses including interruption to its business and on August 2018 it filed a civil lawsuit against its insurer for a loss of 1.4 billion which Ace American refused to pay on the grounds of the “war exclusion” clause. However, the New Jersey Superior Court ruled that this exclusion does not apply, as Merck’s “reasonable understanding of the exclusion involved the use of armed force, and all of the caselaw on the war exclusion supports this interpretation”. Interestingly, attribution didn’t play a large role in this case, even though many experts and nations, including Australia, attributed the NotPetya attack to Russia.
As Merck cashes out on its payout, a similar case, pitching Mondelez International Inc. against Zurich American Insurance Co., is still ongoing. This also means that the blurred line between cyber-attacks and the “Act of War” principle will continue to be tested, and insurers may need to refine that clause to suit the specific nature of cyber risks.
Many security experts agree that the coordinated international efforts over the past year are indeed having positive effects in deterring ransomware operations by organised criminals. However, some are still sceptical of the timings of the gang busts. In the long term, ransomware operators and affiliates may go back to quietly extorting ransoms from their victims, under the radar of global headlines. Either way, the deterrence strategies produced by national and international efforts are very important to thwart ransomware activities. No one, not even the most knowledgeable cyber security expert, knows with any degree of certainty what this threat landscape has in store for us for the next few years.
 Note that Risk Frontiers observed attempts to exploit this vulnerability as early as 11.12.2021 through the examination of its external web servers’ logs.
 Compare this to the NotPetya attack in 2017 which the Australian Government formally attributed to Russia.
 A history of the “war exclusion” clause and discussion regarding it’s application to cyber attacks can be found in this paper by Chopra: https://moritzlaw.osu.edu/sites/default/files/2021-06/11.Chopra.pdf