Ransomware boom comes from gangs that operate like cloud-software unicorns — ‘a truly incredible business model’

While those organizations have grabbed headlines, they’re not alone. Roughly 1,000 organizations are being hit by ransomware attacks each week, Check Point Software Technologies Ltd. CHKP, -0.05% recently reported, having more than doubled from the same time last year.

Essentially, ransomware is software that threatens to encrypt data or make a victim’s computer network useless unless a ransom is paid. The tactic has been adopted by criminal enterprises taking advantage of our increasingly connected world, known as “enablers” or “ransomware-as-a-service” (RaaS) providers, which have adopted the software-as-a-service, or SaaS, model common among cloud-software providers.

RaaS provider “REvil” was behind the JBS incident, and one called “DarkSide” was identified with the Colonial incident, according to the FBI. RaaS providers supply criminals with the software needed to attack and lock up networks for as little as a few dollars along with a cut of any ransom the perpetrators receive, suggesting a business model capable of ridiculously expansive profit margins because the ransoms demanded have skyrocketed in just the past few years.

Unit 42, the global threat intelligence team at Palo Alto Networks Inc. PANW, +2.39%, said the average ransom paid by organizations nearly tripled to about $312,000 in 2020, up from $115,000 in 2019. Late Wednesday, JBS disclosed that it had paid $11 million ransom in bitcoin BTCUSD, +0.71% to avoid further disruption to their plants. In the Colonial attack, the pipeline operator reportedly paid hackers $4.4 million in ransom, but the Justice Department said Monday it has been able to claw back about $2.3 million of that.

“It’s becoming a booming, lucrative business,” Sandra Joyce, head of global intelligence at FireEye Inc. FEYE, +6.21%, told MarketWatch. “And it is not going away.”

“When I say it is a business, it is a truly incredible business model,” Joyce said. “You have ransomware operators, crew affiliates, they supply these affiliates with all the tools and support that they need to go after victims.”

Now, the continuing trend by cybercriminals appears to be blurring right past seeking a ransom to unlock data and heading straight into extortion with threats to leak intellectual property or corporate secrets online or to the media, Joyce said.

“The future of this could be straight to extortion,” Joyce said. “It’s a real crisis at this point.”

One recent example of the developing approach to ransomware is what Check Point has termed a “triple extortion” attack, the likes of which it says targeted Apple Inc. AAPL, -0.71% business partner Quanta Computer, a Taiwan-based laptop designer, back in April. Hackers, using the REvil service, originally demanded a $50 million ransom from Quanta, Check Point said.

“Since the company refused to communicate with the threat actors, the threat actors went on to extorting Apple directly, demanding that Apple purchase back blueprints of their products found on Quanta Computer’s network,” Check Point said. “Approximately a week later, REvil peculiarly removed Apple’s drawings from their official data leak website.”

Apple declined to comment to MarketWatch regarding the incident.

George Kurtz, CrowdStrike Holdings Inc. CRWD, +6.21% co-founder and chief executive, told MarketWatch in an interview that one of his biggest concerns in cybersecurity is how quickly criminals are learning to flout protections.

“The pace of innovation in terms of these attacks continues to ramp up,” Kurtz said. “Just ransomware-as-a-service, just how organized they are, the new techniques they come out with, it’s very rapid.”

“It’s working, and they’re getting paid,” Kurtz said. “Big payments are being made at very little risk to the actors.”

On the whole, healthcare, utilities and insurance are the industries most often hit, according to Check Point, while Unit 42 said in a recent report that it found cybercriminals tend to favor overworked networks, “often to the point that it overwhelms DevOps and Security teams.”

“For example, the number of security incidents in the retail, manufacturing, and government [categories] rose by 402%, 230%, and 205%, respectively,” the Unit 42 report said. “This trend is not surprising as these industries were among those facing pressures to adapt and scale in the face of the pandemic — retailers for basic necessities, manufacturing and government for COVID-19 supplies and aid.”

These cybercriminals are putting organizations in an impossible situation, FireEye’s Joyce said. Hospitals have to decide whether to pay up or cease treating patients, and companies have to decide whether to pay or have their corporate secrets released, all the while cognizant that paying up further finances and incentivizes these groups, she said.

“This is very organized, and there’s an entire business model in place so not only is the software platform very user-friendly and sophisticated, they interview their potential candidates, in one case they had to speak fluent Russian to pass,” FireEye’s Joyce said.

That would support findings from cybersecurity firm Check Point that called attention to the REvil “working rules” that were posted to underground forums. Potential REvil clients were told that it is “forbidden” to target organizations in the Commonwealth of Independent States and Ukraine, comprising much of the former Soviet Union.

“It’s open season on U.S. businesses and the West,” FireEye’s Joyce said. “The chatter places limits on Russian targets.” While a few years ago most ransomware demands in the six figures would be considered “unbelievable,” demands for seven- and eight-figure sums have become much more commonplace, she said.

Both FireEye’s Joyce and CrowdStrike’s Kurtz told MarketWatch that the only real solution to the growing problem is through policy making, and getting nations where cybercriminals are based to hold them accountable for their crimes.

Last week, President Joseph Biden called ransomware attack a “rising national-security concern” and has said that he will raise the issue of cyberattacks with Russian President Vladimir Putin at a meeting later this month, according to the White House. Reuters reported that the Justice Department is raising ransomware investigations to the same level as those for terrorism. A request to the Justice Department for comment on the action has yet to be returned.

Across the board, such cybersecurity companies as CrowdStrike, Palo Alto Networks, FireEye and Zscaler Inc. ZS, +4.08% have reported surging revenue over the past year as the COVID-19 pandemic broadened the threat landscape out to work-from-home situations and vulnerable industries became low-hanging fruit for cybercriminals.

That, however, has had an uneven effect on stocks in the sector as it seems that both sales of cybersecurity services and high-profile attacks are surging in tandem. Over the past 12 months, the ETFMG Prime Cyber Security ETF HACK, +1.35% has risen 35%, while the S&P 500 index SPX, +0.54% has advanced 33%.