commentary

Cybercrime: why many choose to pay the ransom

The estimated cost to Optus and Medibank for not paying the hackers’ ransoms could be $140m each.

Two points are obvious from the ransomware hacks of Medibank and Optus. The first is that their cybersecurity was inadequate to keep out professional cybercriminals. The second is that it would have been a lot cheaper and less damaging for them to have paid the ransoms.

The ransoms demanded were reportedly $US10m from Medibank and $US1m from Optus. The estimated cost to the hacked organisations for not paying the ransoms could be $140m each.

Ransomware is designed to block access to an IT system until a sum of money is paid. It also allows cybercriminals to download a victim’s data, block access to it or destroy it unless a ransom is paid. Ransomware attacks are most effective when backup systems are compromised as well.

Encryption ransomware is still the most common type of ransomware, requiring the victim to obtain a decryption key from the hacker. Many ransomware groups engage in “double extortion”, requiring payment for a digital decryption key and a commitment to destroy stolen data.

Payment to regain access and safeguard data is made in cryptocurrency, making it difficult to trace the perpetrators, who are usually in eastern Europe. Despite some claims that cybercriminals are not to be trusted, it is unusual for a ransomware group not to keep its side of the agreement once paid. Failure to do so would undermine the ransomware business model and incur the wrath of other cybercriminal groups.

Cyber-attack methodology is constantly changing. Ransomware groups now make prolific use of cross-platform capabilities. They aim to compromise as many systems as possible with the same malware. Conti, one of the most active ransomware groups, has developed a variant that is distributed through affiliates and targets Linux operating systems.

During late 2021, use of Rust and Golang (cross-platform programming languages) became more widespread. BlackCat, a self-proclaimed “next-generation” malware gang that has attacked more than 60 organisations since December 2021, wrote its malware in Rust. DeadBolt, a group infamous for its successful attacks, wrote its malware in Golang.

During 2022, major ransomware groups also adopted regular “rebranding” and “amoeba-ing” to confuse Western security intelligence and law enforcement. Some groups developed and implemented software toolkits that resembled legitimate software.

Lockbit stands out as an example of a ransomware group’s evolution. Lockbit has continually updated its attack capabilities while upgrading its own protective security infrastructure. At the same time, it developed StealBIT, a custom ransomware tool that enables data exfiltration at the highest speeds ever achieved.

Often a successful ransomware group’s malware is available to other international cybercriminal groups through a shared-profit leasing arrangement.

DarkSide is another successful cybercrime group and type of ransomware. The creators are most likely based in Russia, but unlike some other cybercriminal groups, DarkSide is not known to be state-sponsored or controlled by Russian intelligence. DarkSide seems to be one of the many hack-for-profit ransomware groups that have thrived in Russia with at least the implicit sanction of the Russian authorities as long as they attack only foreign targets.

To obtain million-dollar plus ransoms, organised cybercriminal groups usually target large organisations or rich vulnerable individuals, such as Donald Trump. (In 2020, Russian group REvil demanded $US42m for large quantities of “dirty laundry” on Trump and later claimed to have been paid a substantial sum.)

A successful ransomware attack is the culmination of a detailed search for vulnerabilities in an organisation’s IT network. Having employees working from home outside firewalls during Covid-19 has undoubtedly made organisations more vulnerable. Once inside a network, cybercriminals may examine an organisation’s operating systems for weeks before copying key data, encrypting access and issuing a ransom demand. Some cybercriminals review an organisation’s financial situation to establish an affordable ransom amount.

A common ransomware tactic against organisations that delay payment is to increase the ransom price to persuade the victim to pay up quickly. This also puts pressure on remediation attempts. Another tactic is to start to dribble-release stolen data.

The FBI and Australian Cyber Security Centre maintain that ransomware victims should not pay cybercriminals, but not doing so can be costly and result in protracted disruption as encrypted systems may need to be rebuilt from scratch. There is also the risk of protracted legal action by compromised clients.

It’s probable that most targeted businesses pay up without reporting ransomware attacks to avoid business disruption and loss of reputation. While non-payment of ransoms may be viable for organisations in the public sector, non-payment may not be an affordable option for companies that could face financial ruin if they don’t pay up – and quickly.

Russia’s Kaspersky Lab advises organisations to keep software updated; focus defence strategy on detecting lateral movement and data exfiltration to the internet; enable ransomware protection for all endpoints; install advanced threat protection and endpoint detection and response solutions; and provide the organisation’s cybersecurity team with the latest threat intelligence and continually upgrade its skills.

The reality is that few CEOs invest as much in their organisation’s cyber-defences as cybercriminal groups invest in developing new attack methodologies.

Clive Williams is a visiting fellow at the ANU’s Strategic and Defence Studies Centre. He worked in signals intelligence and communications security and was formerly Director of Security Intelligence in Defence.


Original URL: https://www.theaustralian.com.au/commentary/cybercrime-why-many-choose-to-pay-the-ransom/news-story/432a618b49a6e556f614b9386773a27e