Do goodwill ransomware gangs really exist?

Over the past few years, ransomware has been wreaking havoc across the world and it continues to be a prevalent threat for almost every industry. Ransomware attacks can lead to severe consequences for organizations and businesses such as financial losses, brand and reputation damage, employee layoffs or business closures.

In most ransomware attacks, ransomware operators encrypt data on a victim’s network and hold it hostage in exchange for a ransom, which may vary from hundreds to millions of dollars. If a company refuses to pay, hackers can leak or destroy files or sell access to the compromised network to third parties. However, ransomware operators sometimes resort to rather unconventional methods to get their victims to pay.

For example, in May 2016, a ransomware variant with a “philanthropic” twist was discovered that promised to donate the ransom to a children’s charity.

Another Robin Hood-like ransomware strain called “GoodWill” uses a more different approach compelling victims into performing good deeds instead of paying thousands of dollars for the decryption key. Like any other ransomware, GoodWill encrypts data on the compromised system, but rather than demand a ransom in cryptocurrency it forces the victim to help the less fortunate by donating clothes/blankets to the homeless, feeding poor children, and providing financial assistance to anyone who requires urgent medical attention (and share proof of this on social media).

On first glance, the GoodWill ransomware operators’ unusual approach may seem like a noble endeavor but demanding that people perform acts of kindness in order to restore their encrypted files is still an invasion of privacy, blackmail and manipulation.

In the past, some ransomware gangs tried to improve their image by using a “Robin Hood” approach. In 2020, DarkSide, a now-defunct ransomware group behind multiple high-profile attacks, including the 2021 Colonial Pipeline hack, donated part of the ransom demands that it had previously extorted from its victims to two charity organizations.

But despite the intent behind such seemingly “altruistic” efforts, the primary purpose of ransomware remains the same: to extort money from victims by blocking access to their own data.

As ransomware-as-a-service (RaaS) market is flourishing, ransomware actors are constantly evolving their tactics and attack methodology to maximize the impact of a successful attack. According to a recent survey, 83% of successful ransomware attacks now include threats of double and triple extortion to ransom demands.

Double extortion is a tactic where cybercriminals not only steal an organization’s data but also threaten to publish it if the ransom is not paid. Under triple extortion, threat actors demand payment from those who may be impacted by the

leaking of the compromised organization’s data. Triple extortion can also include additional attacks carried out against the original target if the company doesn’t comply.

The survey found that of companies hit with ransomware 38% experienced attacks threatening to extort customers with stolen customer data, 35% of attacks threatened to expose data on the dark web, and 32% threatened to inform customers that data was stolen.

In addition, 16% of the organizations that refused to pay the ransom had their data exposed on the dark web, and 18% of victims who paid the ransom still had their data leaked. Of those organizations that paid ransomware operators, 35% were not able to retrieve their data.

Worse, given the division of labor and collaboration between different gangs on the global cybercrime market, the gang behind the ransomware attack is usually not the only one with access to the stolen data. Thus, by accepting a payment from the victim, they have no factual means to guarantee that their accomplices won’t suddenly leak the data for fun or for profit.

Furthermore, a majority (72%) of organizations surveyed admitted that ransomware attacks are evolving faster than the security controls needed to protect against them. It is predicted that ransomware will cost its victims over $265 billion annually by 2031, with a new attack hitting consumers or businesses every 2 seconds.

With each year, ransomware attacks become more and more sophisticated. Ransomware can hit any individual or industry, and no business or organization is off-limits. According to some reports, the number of ransomware attacks increased by 100% in 2021 alone. Furthermore, globally, the average cost of a ransomware breach hit a record $4.62 million (and this figure didn’t even include the ransom payment).

A threat as profitable as ransomware isn’t going away anytime soon, not least thanks to the influx of ransomware-as-a-service programs that require no extensive knowledge about breaking into computer networks but allow to make a fast buck.

Hacking campaigns, such as ransomware, can be easily deployed via ransomware-as-a-service now widely offered by professional cyber gangs to beginners. Concomitant proliferation of cryptocurrencies makes such crimes technically uninvestigable, while law enforcement agencies and joint task forces are already overburdened with nation-state attacks and transnational targeted attacks aimed to steal intellectual property from the largest Western companies.

Therefore, organizations must implement proactive protection rules to minimize the risk of this threat. These involve developing a backup and recovery plan; keeping the operating system and software up-to-date with the latest patches; maintaining up-to-date anti-virus solutions; scanning all software downloaded from the internet prior to executing; using caution when opening emails; ensuring control over the connection of external devices, blocking unused ports on protected hosts to prevent unauthorized access; as well as educating organization’s employees on safety issues.

Ekaterina Khrustaleva

Ekaterina Khrustaleva, Chief Operating Officer, ImmuniWeb

Ekaterina Khrustaleva holds a Bachelor degree in Accounting and Finance. She accomplished executive programs in cybersecurity at Harvard University, on blockchain at Oxford University and organizational leadership at IMD in Lausanne and started her career in private banking, where she was inspired by the emerging cybersecurity market.

Ekaterina started her cybersecurity career in 2010 as a sales executive. In 2013, after several promotions for performance and highly creative sales tactics, Ekaterina became Chief Operating Officer of a leading penetration testing company High-Tech Bridge in Geneva.

Today, Ekaterina manages ImmuniWeb’s global sales operations. Speaking five languages, she is also in charge of global partnerships and strategic alliances at ImmuniWeb. Ekaterina is a member of several private clubs gathering the most successful business leaders, executives and entrepreneurs. She is also a member of ISACA and a Certified Data Privacy Solutions Engineer (CDPSE).

Rise of the machines.

Ahsan Zafeer • 26th November 2022

Ahsan Zafeer covers topics related to tech and digital marketing and tweets @AhsanZafeer. Here he explains people’s fears as to why machines are taking over their jobs.