This week saw the release of a number of reports showing that payments to ransomware gangs fell in 2022. Our Incident response team offers some insight as to why that might be happening.
This week’s observation from our Incident Response Team
Payments to ransomware actors dropped in 2022 compared with the higher profits seen in 2020 and 2021. A number of factors explain the earlier peak: firstly, the increase in remote working during the Covid-19 pandemic exposed organisations to more frequent attacks; this was combined with the economic disruption of 2021-22, which increased both the demand for profit and the number of potential threat actors. It now appears that this demand has dropped slightly, potentially because organisations' security postures have caught up with the threat they face, making ransomware attacks more complex to carry out and less profitable.
In 2022, economic sanctions imposed by the West in response to the war in Ukraine meant that payments to ransomware actors based in the Russian Federation could not legally be made.
Cyber security and risk management experts have rightly continued to push for a ‘no-pay’ approach to ransomware, and the reduction in profits may be a sign that organisations are beginning to adopt this approach. If the trend continues, ransomware will become less profitable over time, which will benefit organisations worldwide.
Citrix has recently disclosed two critical security vulnerabilities, CVE-2022-27510 and CVE-2022-27518 (CVSS scores: 9.8), in its Application Delivery Controller (ADC) and Gateway endpoints. Thousands of endpoints are at risk and patching these vulnerabilities is strongly advised.
The first vulnerability, CVE-2022-27510, is an authentication bypass that allows unauthorised access to Gateway user capabilities. The second, CVE-2022-27518, is a remote code execution bug that could lead to a full takeover of affected systems. Citrix released fixes for these vulnerabilities on November 8 and December 13, 2022 respectively.
Here’s a roundup of the cyber security incidents that have made headlines this week.
Arnold Clark threatened by hackers after cyber attack
The fallout from a cyber attack over the Christmas period on the Arnold Clark car dealership continues after it was revealed that customers had their national insurance numbers, passports and addresses leaked on the dark web.
An international hacking group known as Play is now threatening to release a large amount of customer data onto the dark web unless a multi-million-pound ransom is paid in cryptocurrency. The group has already leaked 15 gigabytes of data and intends to upload an additional 467 gigabytes. This incident follows a similar attack on another car retail company, Pendragon, which refused to pay a $60 million ransom demand three months ago.
Leaking sensitive data to put pressure on a victim is now a common tactic used by ransomware gangs. The Play group first appeared on security experts' radars in 2022 after a series of attacks on government websites in Latin America.
Increasing number of ransomware victims refusing to pay, according to new reports
Two studies indicate that ransomware is not as profitable as it once was. Chainalysis, a blockchain analysis firm, reports in a blog post that payments to attackers fell from $766 million in 2021 to $457 million in 2022. They also note that their data is not a comprehensive study of ransomware, and that payments are down from their peak during the pandemic. A second study also shows a decline in profits for ransomware attackers and a decrease in the percentage of victims who pay.
One of the key reasons more companies are refusing to cough up a ransom is that Conti, a prominent ransomware strain, was linked to coordination with the Kremlin and Russia's Federal Security Service (FSB). This revelation gave victims an additional reason, in the form of government sanctions, not to pay a ransom.
Cyber-attack on Riot Games delays video game patch rollout
On Tuesday, Riot Games revealed that the source code for two of its biggest video games, League of Legends and Teamfight Tactics, had been stolen, and that it would not be paying the ransom the hackers demanded for its return. This is just the latest data breach at a large game company, and it means that both games may be more susceptible to cheating in the coming months as patch rollouts are delayed.
Riot Games has yet to provide further details, but stated that it would publish a comprehensive retrospective on the breach at a later date, including the methods the hackers used.
North Korean hacking groups responsible for $100 million cryptocurrency hack
The FBI has confirmed that the North Korean state-sponsored hacking groups, Lazarus and APT38, were responsible for stealing $100 million worth of Ethereum from Harmony Horizon, a cross-chain bridge for Ethereum.
The breach, which occurred in June 2022, enabled the hackers to take control of a MultiSigWallet contract and transfer large amounts of tokens to addresses they controlled. According to the FBI, these hacking groups steal and launder virtual currency to fund the country's ballistic missile and weapons of mass destruction programmes.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.