- This event has passed.
Report on the Monday Morning Meeting Titled: The Ransomware Resurgence and Other Trends in Cybersecurity
September 25, 2023
Dr. Cherian Samuel, Research Fellow, Manohar Parrikar Institute for Defence Studies and Analyses, made a presentation on “The Ransonware Resurgence and Other Trends in Cyber security” at the Monday Morning Meeting held on 25 September 2023. The Session was moderated by Mr. Rohit Kumar Sharma, Research Analyst, MP-IDSA. Scholars of the Institute were in attendance.
Executive Summary.
The presentation started with opening remarks by Mr. Sharma. He defined ransomware as a type of malware attack that leads to the victim losing access to data/ device unless they paid a ransom to have their data decrypted.
He cited that there had been a 53% increase in ransomware attacks in India compared to the previous year. They were mainly targeting the critical infrastructures, especially the healthcare sectors. All these attacks were carried out by well-trained professionals, mainly targeting financial institutions, trading centres, and other pivotal infrastructures. All these kinds of activities usually create a dilemma for victims’ organisations about whether they should go for recovery and pay the ransom, and whether there is any guarantee of getting back the data even after paying the ransom. The third and most crucial point is whether insurance coverage should be included for paying ransom? For example, in the US, companies use first-party liability and insurance coverage to pay ransom amounts. Saying all this, the moderator invited Dr. Cherian for his presentation.
Detailed Report
Dr. Cherian began his presentation by also citing a definition. He described ransomware as “a type of cyber-attack where malicious software encrypts a victim’s data and demands payment, usually in cryptocurrency, from the victim to decrypt the data or restore access to their system.” Further, he spoke about a few techniques by which these external players are gaining access to high-level merchandised firms through phishing emails, remote desktop protocol, credential abuse, exploitable software vulnerabilities, URLs, third-party apps, compromised websites and drive-by downloading. And what their motives are, and so forth. Following this, he delved deep into the role of the nation-state actors, for example, the Russian ransomware gangs, their network allies, and the role of North Korea. He also talked about Ransomware-as-a-service (RaaS) as a business model for criminal enterprises that allows anyone to sign up and use tools for conducting ransomware attacks. Like other as-a-service models, such as software-as-a-service (SaaS) or platform-as-a-service (PaaS), RaaS customers rent ransomware services rather than owning them as in a traditional software distribution model. Ransomware locks up a victim’s system or files, usually via encryption. The victim can only regain access to their data once they pay a ransom to the parties behind the ransomware attack. Ransomware has become a significant industry in the criminal underworld, worth billions of dollars annually. While many imagine that the people behind cyber-attacks like ransomware are highly skilled programmers, many attackers do not write their code and may not even know how to do so. Cybercriminals with coding skills often sell or rent out the exploits they develop instead of using them. Ransomware is just one area of the cyber-crime industry with an “as-a-service” model. Attackers can also rent DDoS tools, subscribe to lists of stolen credentials, hire botnets, or rent banking trojans, among other services. Given below is a flow chart showing how RAAS works.
Apart from this, he also discussed triple extortion. As its name says, the triple extortion ransomware adds another layer to the attack. An extension of the double extortion attack, using most of its tactics, this time, the malicious actor will choose an extra pressure point to get his victim to pay. In addition to data encryption (the first layer) and the threat of leaking essential data (the second layer), the cybercriminal can add another tactic of his choosing (the third layer). The most common tactics are going after the victim’s clients, partners, affiliates, patients, associates, suppliers, etc., with ransom demands so their data will not be leaked, launching an additional Distributed Denial of Service Attack (DDoS) over the target, or making phone calls to persuade them.
He elaborated that to counter these criminal activities, a virtual meeting was held in Washington DC on 13 and 14 October 2021 to pinpoint an effective way to counter these malicious activities. The meeting was led by the United States and paved the way for the creation of the International Counter Ransomware Initiative (CRI) which seeks to enhance international cooperation to combat the growth of ransonware. Five working groups were created; a group looking at Resilience led by Lithuania and India, Disruption led by Australia, Illicit Finance led by the UK and Singapore, and Partnership by Germany.
The second CRI was held in Washington DC from 31 October to 1 November 2022. At the second ICRI Summit, members re-affirmed their joint commitment to building collective resilience to ransomware, cooperating to disrupt ransomware and pursue the actors responsible, countering illicit finance that underpins the ransomware attacks, and continuing to cooperate internationally across all elements of the ransomware threat. The third ICRI summit will be on 31 October 2023, in which 47 countries will participate.
Finally, he raised the issue of why ransomware was not getting the attention it deserved in India. He inferred that there were other bigger cyber threats, including that from UPI fraud. Data about the Cybercrime Distribution Trend in India showed that UPI fraud cases are accelerating.
Discussion
The participants raised very vibrant and diversified queries, especially regarding aspects of using ransomware against other nations. Its possibilities and implications were discussed. Along with this, how ransomware attacks are affecting the sovereignty of countries was also discussed. Mr. Saurav Raj Pant, a Visiting Fellow from Nepal, raised a question regarding the digital literacy of India, and Dr. Cherian Samuel gave a very pin-pointed answer. He said that, when it comes to digital literacy, it is more or less individual. There needs to be a specific literacy for that. General awareness is sadly still lacking, which is why a lot of attacks are taking place. Though the actors are so sophisticated they can very well manipulate fear which is more or less interrelated to the psychological aspects of the victims. All the call centre scams are part of it, their modus operandi changes from time to time. Therefore, even if we all are informed there can be a high chance of being scammed. Overall the discussion was highly informative.
Report prepared by Ms. Gayathri Pramod Panamoottil, Intern, West Asia Centre, MP-IDSA.