Do goodwill ransomware gangs really exist?
Over the past few years, ransomware has been wreaking havoc across the world and it continues to be a prevalent threat for almost every industry. Ransomware attacks can lead to severe consequences for organizations and businesses such as financial losses, brand and reputation damage, employee layoffs or business closures.
In most ransomware attacks, ransomware operators encrypt data on a victim’s network and hold it hostage in exchange for a ransom, which may vary from hundreds to millions of dollars. If a company refuses to pay, hackers can leak or destroy files or sell access to the compromised network to third parties. However, ransomware operators sometimes resort to rather unconventional methods to get their victims to pay.
For example, in May 2016, a ransomware variant with a “philanthropic” twist was discovered that promised to donate the ransom to a children’s charity.
Another Robin Hood-like ransomware strain called “GoodWill” takes a different approach, compelling victims to perform good deeds instead of paying thousands of dollars for the decryption key. Like any other ransomware, GoodWill encrypts data on the compromised system, but rather than demanding a ransom in cryptocurrency, it forces the victim to help the less fortunate by donating clothes and blankets to the homeless, feeding poor children, and providing financial assistance to anyone who requires urgent medical attention (and sharing proof of this on social media).
At first glance, the GoodWill ransomware operators’ unusual approach may seem like a noble endeavor, but demanding that people perform acts of kindness in order to restore their encrypted files is still an invasion of privacy, blackmail and manipulation.
In the past, some ransomware gangs tried to improve their image by using a “Robin Hood” approach. In 2020, DarkSide, a now-defunct ransomware group behind multiple high-profile attacks, including the 2021 Colonial Pipeline hack, donated part of the ransom money that it had previously extorted from its victims to two charity organizations.
But despite the intent behind such seemingly “altruistic” efforts, the primary purpose of ransomware remains the same: to extort money from victims by blocking access to their own data.
As the ransomware-as-a-service (RaaS) market flourishes, ransomware actors are constantly evolving their tactics and attack methodology to maximize the impact of a successful attack. According to a recent survey, 83% of successful ransomware attacks now add threats of double and triple extortion to ransom demands.
Double extortion is a tactic where cybercriminals not only steal an organization’s data but also threaten to publish it if the ransom is not paid. Under triple extortion, threat actors demand payment from those who may be impacted by the leaking of the compromised organization’s data. Triple extortion can also include additional attacks carried out against the original target if the company doesn’t comply.
The survey found that, of companies hit with ransomware, 38% experienced attacks threatening to extort customers with stolen customer data, 35% of attacks threatened to expose data on the dark web, and 32% threatened to inform customers that data was stolen.
In addition, 16% of the organizations that refused to pay the ransom had their data exposed on the dark web, and 18% of victims who paid the ransom still had their data leaked. Of those organizations that paid ransomware operators, 35% were not able to retrieve their data.
Worse, given the division of labor and collaboration between different gangs on the global cybercrime market, the gang behind the ransomware attack is usually not the only one with access to the stolen data. Thus, when accepting a payment from the victim, the gang has no real means to guarantee that its accomplices won’t suddenly leak the data for fun or for profit.
Furthermore, a majority (72%) of organizations surveyed admitted that ransomware attacks are evolving faster than the security controls needed to protect against them. It is predicted that ransomware will cost its victims over $265 billion annually by 2031, with a new attack hitting consumers or businesses every 2 seconds.
With each year, ransomware attacks become more and more sophisticated. Ransomware can hit any individual or industry, and no business or organization is off-limits. According to some reports, the number of ransomware attacks increased by 100% in 2021 alone. Furthermore, globally, the average cost of a ransomware breach hit a record $4.62 million (and this figure didn’t even include the ransom payment).
A threat as profitable as ransomware isn’t going away anytime soon, not least thanks to the influx of ransomware-as-a-service programs that require no extensive knowledge about breaking into computer networks but allow their users to make a fast buck.
Hacking campaigns, such as ransomware, can be easily deployed via ransomware-as-a-service, now widely offered by professional cyber gangs to beginners. The concomitant proliferation of cryptocurrencies makes such crimes technically uninvestigable, while law enforcement agencies and joint task forces are already overburdened with nation-state attacks and transnational targeted attacks aimed at stealing intellectual property from the largest Western companies.
Therefore, organizations must implement proactive protection rules to minimize the risk of this threat. These involve developing a backup and recovery plan; keeping the operating system and software up to date with the latest patches; maintaining up-to-date anti-virus solutions; scanning all software downloaded from the internet prior to executing it; using caution when opening emails; ensuring control over the connection of external devices; blocking unused ports on protected hosts to prevent unauthorized access; and educating the organization’s employees on safety issues.