International ransomware gangs are evolving their techniques. The next generation of hackers will target weaknesses in cryptocurrencies

In May 2023, the Dallas City Government fell victim to a significant ransomware attack, causing considerable disruption. Ransomware attacks derive their name from the hackers’ practice of encrypting critical data and then demanding a ransom for its decryption. The Dallas incident led to the suspension of hearings, trials, and jury duty, ultimately resulting in the closure of the Dallas Municipal Court Building. The repercussions extended to affect broader police activities, straining resources and impacting initiatives such as summer youth programs. The attackers also threatened to expose sensitive information, including personal data, court cases, prisoner identities, and government documents.

One might expect that an attack on a city government and its police force, causing substantial and prolonged disruption, would garner significant media attention. However, ransomware attacks have grown so commonplace that most pass by with little notice. An exception occurred in May and June 2023 when hackers exploited a vulnerability in the Moveit file transfer application, leading to data theft from numerous organizations worldwide. This attack made headlines, possibly due to the involvement of high-profile victims, reportedly including British Airways, the BBC, and the Boots pharmacy chain.

According to a recent survey, ransomware payments have nearly doubled over the past year, reaching $1.5 million (£1.2 million), with the wealthiest organizations being the most likely to acquiesce to attackers’ demands. British cybersecurity firm Sophos discovered that the average ransomware payment had risen from $812,000 in the previous year. UK organizations, in particular, reported an even higher average payment in 2023, at $2.1 million.

Meanwhile, in 2022, The National Cyber Security Centre (NCSC) issued new guidelines urging organizations to enhance their defenses amidst concerns of more state-sponsored cyberattacks linked to the conflict in Ukraine. This move followed a series of suspected Russian cyberattacks in Ukraine, which Moscow denied involvement in.

In reality, hardly a week goes by without cyberattacks affecting governments, educational institutions, healthcare facilities, businesses, and non-profit organizations worldwide. These attacks impose significant financial and societal costs, affecting entities of all sizes, from small businesses to major corporations, with devastating consequences for those involved.

Ransomware has now gained widespread recognition as a significant threat and challenge to modern society. Yet, a decade ago, it was merely a theoretical concept and a niche danger. Its rapid evolution into a potent force driving criminal activity and inflicting extensive damage should be a source of major concern. The ransomware “business model” has become increasingly sophisticated, marked by advances in malware attack vectors, negotiation strategies, and the structure of criminal enterprises.

It is anticipated that criminals will continue adapting their tactics, causing widespread harm for many years to come. This underscores the importance of studying the ransomware threat, preempting these strategies, and mitigating the long-term danger, precisely what our research team is committed to achieving.

Prediction of global ransomware damage costs – source: Cyber Security Ventures

For numerous years, our research has been dedicated to anticipating the evolving ransomware threat by exploring novel strategies that ransomware criminals might employ to extort victims. The objective is to provide advance warning and maintain a proactive stance while avoiding the disclosure of specific tactics that could be exploited by criminals. In our latest research, which has undergone peer review and will be published as part of the International Conference on Availability, Reliability, and Security (ARES), we have identified a new threat that capitalizes on vulnerabilities in cryptocurrencies.

What is ransomware? The term “ransomware” can carry slightly different connotations in different contexts. In 1996, Columbia University’s Adam Young and Mordechai “Moti” Yung described the fundamental structure of a ransomware attack as follows:

Criminals breach the victim’s cybersecurity defenses, often through tactics like phishing emails or utilizing an insider or rogue employee. Once the criminals have penetrated the victim’s defenses, they deploy ransomware, primarily designed to encrypt the victim’s files with a private key (which can be visualized as a lengthy string of characters) to render the victim’s files inaccessible. The third phase of the attack involves the criminal demanding a ransom in exchange for the private key.

The harsh reality is that many victims opt to pay the ransom, which can potentially reach millions of dollars.

Using this foundational characterization of ransomware, it is possible to discern different types of attacks. At one end of the spectrum, there are “low-level” attacks where files are not encrypted or criminals do not attempt to extract ransoms. However, at the opposite end, attackers exert considerable efforts to maximize disruption and ransom extraction.

The WannaCry ransomware attack in May 2017 serves as an example of the latter. Linked to the North Korean government, this attack made little effort to extract ransoms from victims but caused widespread disruption across the globe, including within the UK’s National Health Service (NHS). Some cybersecurity risk modeling organizations even estimated global economic losses in the billions.

Motive in such cases can be challenging to ascertain, but, in general, political intent or simple errors on the part of attackers may contribute to the lack of a coherent extortion strategy.

Our research concentrates on the latter extreme of ransomware attacks, in which criminals aim to coerce money from their victims. This does not exclude the possibility of a political motive. Indeed, there is evidence of connections between major ransomware groups and the Russian state. We can discern the degree of financial motivation behind ransomware attacks by observing factors such as the effort invested in negotiation, a willingness to facilitate ransom payment, and the presence of money laundering services. Investing in tools and services that facilitate ransom payment and its conversion into fiat currency signals the attackers’ financial motives.

The Impact of Ransomware Attacks As demonstrated by the attack on the Dallas City Government, ransomware attacks can inflict a wide range of diverse and severe financial and social consequences.

High-impact ransomware attacks, like the one targeting Colonial Oil in May 2021, which disrupted a major US fuel pipeline, pose a clear threat to the continuity of essential services.

In January 2023, a ransomware attack on the Royal Mail in the UK resulted in the suspension of international deliveries, taking over a month for service levels to return to normal. This attack had significant direct repercussions on the Royal Mail’s revenue and reputation, affecting the small businesses and individuals who rely on its services.

In May 2021, the Irish National Health Service (NHS) fell victim to a ransomware attack that disrupted every aspect of patient care, leading to widespread appointment cancellations. The Taoiseach Micheál Martin described it as “a shocking attack on a health service, but fundamentally on the patients and the Irish public.” Sensitive data was also reportedly leaked, and the financial impact of the attack could reach as high as 100 million euros. Yet, this figure does not encompass the health and psychological impact on patients and healthcare professionals affected by the disruption.

Ransomware attacks have extended their reach to various sectors, including education. In January 2023, for example, a school in Guildford, UK, fell victim to an attack in which the criminals threatened to release sensitive data, including safeguarding reports and information concerning vulnerable children. These attacks are often strategically timed to maximize disruption. For instance, in June 2023, a school in Dorchester, UK, experienced an attack that left the institution unable to use email or access critical services during the main exam period, which can significantly impact children’s well-being and academic performance.

These instances represent just a fraction of the broader landscape. Many attacks directly target businesses and charities that lack the size or prominence to attract widespread attention. The consequences of such attacks on small businesses can be severe, encompassing business disruption, damaged reputation, and the psychological toll of confronting the aftermath of an attack. As an illustration, a 2021 survey revealed that 34% of UK businesses affected by a ransomware attack eventually closed their doors. Even among those that continued operations, staff layoffs were often unavoidable.

The Genesis of Ransomware The roots of ransomware can be traced back to the AIDS or PC Cyborg Trojan virus in the 1980s. In this early instance, victims who inserted a floppy disk into their computers found their files encrypted, accompanied by a demand for payment. These disks were distributed to conference attendees and individuals interested in specific events, who believed they were completing surveys but instead unwittingly infected their systems with the trojan. The files on the affected computers were encrypted using a locally stored key on each target machine. In theory, victims could have restored access to their files by employing this key, although most PC users at the time were not well-versed in cryptographic techniques and may not have been aware of this option.

Subsequently, law enforcement traced the distribution of these floppy disks to Joseph Popp, an evolutionary biologist conducting AIDS research at Harvard. Popp was arrested and charged with multiple counts of blackmail. Some have credited him with being the pioneer of ransomware, although the exact motivations behind his actions remain unclear.

In the early stages of its evolution, ransomware exhibited fundamental weaknesses in its cryptographic systems. These vulnerabilities made it relatively easy for victims to uncover the critical information that criminals sought to conceal. It was only with the advent of the CryptoLocker attack in 2013 and 2014 that ransomware truly came into its own.

CryptoLocker marked the first instance of a technically sound ransomware attack that achieved mass distribution. Thousands of victims fell prey to ransomware that employed encryption incapable of being reverse-engineered. The attackers retained exclusive control over the private keys required for decryption, rendering victims unable to regain access to their files without them. Ransoms ranging from $300 to $600 were demanded, resulting in estimated criminal earnings of approximately $3 million. CryptoLocker was eventually dismantled in 2014 through a collaborative effort involving multiple international law enforcement agencies.

The CryptoLocker attack played a pivotal role in demonstrating the potential for criminals to reap substantial profits from ransomware. Following this success, there was an explosion of new ransomware variants and strategies underwent significant evolution.

Off-the-shelf ransomware and double extortion tactics emerged as noteworthy developments. Ransomware-as-a-service (RaaS) markets on the dark web allowed criminals to acquire and employ pre-made ransomware without necessitating advanced computing skills, with a portion of the earnings going to ransomware providers.

The dark web, often characterized as the “unregulated Wild West of the internet,” serves as a haven for criminal activities, offering an easily accessible platform for the exchange of illegal goods and services. With the assistance of anonymization technology and digital currencies, a thriving global black market exists there. In the first nine months of 2019 alone, an estimated $1 billion was spent in this underground economy, according to the European Union Agency for Law Enforcement.

RaaS lowered the barriers to entry for aspiring cybercriminals, both in terms of cost and technical skill. Under this model, malware development is handled by vendors, while the attackers themselves may possess limited skills. This approach also compartmentalizes risk, meaning that the arrest of one group of cybercriminals using ransomware does not threaten the entire supply chain, allowing other attacks to continue.

Ransomware tactics have shifted from mass phishing attacks, such as CryptoLocker, which targeted over 250,000 systems, to more targeted assaults. This has resulted in a heightened focus on organizations capable of paying substantial ransoms, including multinational corporations, legal firms, educational institutions, hospitals, healthcare providers, small businesses, and charitable organizations.

A more recent development in ransomware, exemplified by threats like Netwalker and REvil/Sodinokibi, is the emergence of double extortion. In these cases, criminals not only encrypt files but also exfiltrate data by copying them. This data can then be exploited by the threat actors, who have the potential to leak or publicly disclose sensitive and valuable information.

An illustrative case of this transformation unfolded in 2020 when Software AG, one of the largest software companies, fell victim to a double extortion ransomware attack known as Clop. Reports indicated that the attackers demanded an exceptionally high ransom of $20 million, which Software AG declined to pay. Consequently, the attackers proceeded to release the company’s confidential data on the dark web. This approach equips cybercriminals with dual leverage points: they can demand a ransom for the decryption key to unlock files, and they can demand payment to prevent the exposure of sensitive data.

Double extortion fundamentally alters the ransomware business model in intriguing ways. In a standard ransomware scenario, victims have a straightforward incentive to pay a ransom in exchange for access to the decryption key, especially if no other means of accessing their files exists. In this context, the victim must primarily trust that the cybercriminal will provide the decryption key and that it will effectively unlock their files.

However, with data exfiltration, the benefits of paying a ransom are less clear. Cybercriminals still possess the sensitive data and retain the capacity to publish it at their discretion. They may even seek subsequent ransoms to refrain from disclosing the files. To establish data exfiltration as a viable business strategy, cybercriminals must cultivate a credible reputation for “honoring” ransom payments. This dynamic has arguably contributed to the normalization of the ransomware ecosystem.

For instance, ransom negotiators operate as independent contractors and are sometimes mandated by cyber insurance agreements to provide expertise in managing ransomware-related crises. Upon instruction, they facilitate negotiated ransom payments. Within this ecosystem, certain ransomware criminal groups have developed a reputation for refraining from publishing data (or at least delaying publication) upon receiving a ransom.

In a broader context, the encryption, decryption, or exfiltration of files typically presents cybercriminals with complex and costly challenges. It is considerably simpler to claim that files have been encrypted or exfiltrated, demand a ransom, and then delete the files. However, if victims suspect that they will not receive the decryption key or encrypted data in return for payment, they are less inclined to comply with the ransom demand. Those who do pay a ransom and receive nothing in return may choose to disclose this fact. Such disclosures can impact the attacker’s “reputation” and the likelihood of future ransom payments. In essence, adhering to certain principles of fairness becomes advantageous in the realm of extortion and ransom attacks.

In less than a decade, we have witnessed a profound evolution of the ransomware threat, evolving from the relatively small-scale CryptoLocker to a multi-million-dollar industry involving organized criminal syndicates and sophisticated strategies. From 2020 onward, ransomware incidents and associated losses appear to have increased significantly. Ransomware has grown too substantial to be disregarded and now stands as a major concern for governments and law enforcement agencies.

Crypto extortion threats

Despite the devastating impact ransomware has had, this threat is bound to continue evolving as criminals develop new extortion techniques. As we’ve already mentioned, a central theme in our collective research over the past decade has been to anticipate likely strategies that criminals might employ, allowing us to stay ahead of the curve.

Our current research focuses on the next generation of ransomware, which we anticipate will include variants that target cryptocurrencies and their underlying “consensus mechanisms.”

A consensus mechanism refers to any method, often algorithmic, used to establish agreement, trust, and security within a decentralized computer network.

More specifically, cryptocurrencies are increasingly adopting a “proof-of-stake” consensus mechanism, where investors commit substantial sums of currency to validate crypto transactions. These stakes are potential targets for ransomware criminals.

Cryptocurrencies rely on decentralized blockchains, providing a transparent record of all currency transactions. Unlike conventional currency, these blockchains are maintained by a peer-to-peer network rather than a central authority. In principle, the blockchain records are immutable, verifiable, and securely distributed across the network, granting users full ownership and visibility of transaction data. These blockchain properties depend on a secure and tamper-resistant “consensus mechanism” wherein independent network nodes “approve” or “agree” on which transactions to add to the blockchain.

Until recently, cryptocurrencies like Bitcoin employed a “proof-of-work” consensus mechanism, which involved solving complex mathematical problems (the “work”) to authorize transactions. However, this approach became unsustainable in the long run due to redundant efforts and excessive energy consumption.

The emerging alternative is the “proof-of-stake” consensus mechanism, wherein transactions are validated by stakeholders who have staked a financial amount and receive rewards for validating transactions. This eliminates the need for energy-intensive work but involves large sums of staked money in transaction validation.

Our focus has turned to Ethereum, a decentralized cryptocurrency known for executing and verifying application code, or “smart contracts,” through a peer-to-peer network. Ethereum operates on the Ether (ETH) token, enabling users to transact via these smart contracts. In September 2022, Ethereum transitioned from a proof-of-work to a proof-of-stake network with “The Merge,” becoming one of the prominent proof-of-stake cryptocurrencies.

In Ethereum’s proof-of-stake consensus mechanism, “validators” approve transactions by staking a minimum of 32 ETH, currently valued at approximately $60,000. Validators can earn financial returns on their stake by operating within Ethereum’s rules. Presently, there are approximately 850,000 validators.

While much optimism surrounds the “stake” validation solution, it is crucial to acknowledge that hackers are undoubtedly exploring avenues to infiltrate this system. In our project, funded by the Ethereum Foundation, we’ve identified potential ways ransomware groups could exploit this new proof-of-stake mechanism for extortion.

Slashing

Our research revealed that attackers could exploit validators by leveraging a process known as “slashing.” While validators are rewarded for adhering to the rules, there are financial penalties in place for those who engage in malicious behavior. The primary purpose of these penalties is to safeguard the integrity of the decentralized blockchain.

There exist two forms of penalties, with slashing being the most severe. Slashing penalties are imposed for actions that should not occur accidentally and have the potential to compromise the blockchain’s security. Examples include proposing conflicting blocks for addition to the blockchain or attempting to alter historical data.

Slashing penalties carry substantial consequences, with validators facing the loss of a significant portion of their stake, equivalent to at least 1 ETH. In the most extreme cases, a validator may forfeit their entire stake, which amounts to 32 ETH. Additionally, a slashed validator is compelled to exit the system and can no longer function as a validator. In essence, being slashed results in substantial financial ramifications.

To execute actions within the network, validators are assigned unique signing keys, which serve as proof of their identity to the blockchain. Suppose a criminal were to gain access to a validator’s signing key. In that case, they could potentially blackmail the victim into paying a ransom.

The accompanying flow diagram illustrates the complexities involved in an extortion attack against proof-of-stake validators, such as those within the Ethereum network.

ransomware: A ‘smart contract’

The victim may be reluctant to pay the ransom unless there is a guarantee that the criminals will not take their money and fail to return/release the key. After all, what is to stop the criminals asking for another ransom?

One solution we have found – which harks back to the fact that ransomware has in fact become a kind of business operated by criminals who want prove they have an “honest” reputation – is a smart contract.

This automated contract can be written so that the process only works if both sides “honour” their side of the bargain. So, the victim could pay the ransom and be confident that this will resolve the direct extortion threat. This is possible through the Ethereum because all the steps required are publicly observable on the blockchain – the deposit, the sign to exit, the absence of slashing, and the return of the stake.

Functionally, these smart contracts are an escrow system in which money may be held until pre-agreed conditions are met. For instance, if the criminals force slashing before the validator has fully exited, then the contract will ensure that the ransom amount is returned to the victim. Such contracts are, however, open to abuse, and there’s no guarantee that an attacker-authored contract can be trusted. There is potential for the contract to be automated in a fully trusted way, but we have yet to observe such behaviour and systems emerge.

ransomware: The staking pools threat

This type of “pay and exit” strategy is an effective way for criminals to extort victims if they can obtain the validator signing keys.

So how much damage would a ransomware attack like this do to Ethereum? If a single validator is compromised then the slashing penalty – and so maximum ransom demand – would be in the region of 1ETH, which is around US$1,800 (about £1,400). To leverage larger amounts of money the criminals, therefore, need to target organisations or staking pools that are responsible for managing large numbers of validators.

Remember, that given the high entry costs for individual investors, most of the validating on Ethereum will be run under “staking pools” in which multiple investors can collectively stake money.

To put this in perspective, Lido is the largest staking pool in Ethereum with around 127,000 validators and 18% of the total stake; Coinbase is the second largest with 40,000 validators and 6% of the total stake. In total, there are 21 staking pools operating more than a 1,000 validators. Any one of these staking pools is responsible for tens of millions of dollars of stake and so viable ransom demands could also be in the millions of dollars.

Proof-of-stake consensus mechanisms are too young for us to know whether extortion of staking pools will become an active reality. But the general lesson of ransomware’s evolution is that the criminals tend to gravitate towards strategies that incentivise payment and increase their illicit gains.

The most straightforward way that investors and staking pool operators can mitigate the extortion threat we have identified is by protecting their signing keys. If the criminals cannot access the signing keys then there is no threat. If the criminals can only access some of the keys (for operators with multiple validators) then the threat may fail to be lucrative.

So staking pools need to take measures to secure signing keys. This would involve a range of actions including: partitioning validators so that a breach only impacts a small subset; step up cyber security to prevent intrusion, and robust internal processes to limit the insider threat of an employee divulging signing keys.

The staking pool market for cryptocurrencies like Ethereum is competitive. There are many staking pools, all offering relatively similar services, and competing on price to attract investors. These competitive forces, and the need to cut costs, may lead to relatively lax security measures. Some staking pools may, therefore, prove a relatively easy target for criminals.

Ultimately, this can only be solved with regulation, greater awareness and for investors in staking pools to demand high levels of security to protect their stake.

Unfortunately, the history of ransomware suggests that high profile attacks will need to be seen before the threat is taken seriously enough. It is interesting to contemplate the consequences of a significant breach of a staking pool. The reputation of the staking pool would presumably be badly affected and so the staking pool’s viability in a competitive market is questionable. An attack may also have implications for the reputation of the currency.

At the most serious, it could lead to a currency collapsing. When that happens – as it did with FTX in 2022 following another hacking attack, there are knock-on effects to the global economy.

ransomware: Here to stay

Ransomware will be a challenge for years, if not decades, to come.

One potential vision of the future is that ransomware just becomes part of normal economic life with organisations facing the constant threat of attack, with few consequences for the largely anonymous gangs of cyber criminals behind the scams.

To preempt such negative consequences we need greater awareness of the threat. Then investors can make more informed decisions over which staking pools and currencies to invest in. It also makes sense to have a market with many staking pools, rather than a market dominated by just a few large ones, as this could insulate the currency from possible attacks.

Beyond crypto, preemption involves investment in cyber security across a range of forms – from staff training and an organisational culture that supports reporting of incidents. It also involves investment in recovery options, such as effective back-ups, in-house expertise, insurance and tried and tested contingency plans.

Unfortunately, cyber security practices are not improving as one might hope in many organisations and this is leaving the door open for cyber criminals. Essentially, everyone needs to get better at hiding, and protecting, their digital keys and sensitive information if we are to stand a chance against the next generation of ransomware attackers.