Today, people around the world will head to school, doctor’s appointments, and pharmacies, only to be told, “Sorry, our computer systems are down.” The frequent culprit is a cybercrime gang operating on the other side of the world, demanding payment for system access or the safe return of stolen data.
The ransomware epidemic shows no signs of slowing down in 2024—despite increasing police crackdowns—and experts worry that it could soon enter a more violent phase.
“We’re definitely not winning the fight against ransomware right now,” Allan Liska, a threat intelligence analyst at Recorded Future, tells WIRED.
Ransomware may be the defining cybercrime of the past decade, with criminals targeting a wide range of victims including hospitals, schools, and governments. The attackers encrypt critical data, bringing the victim’s operation to a grinding halt, and then extort them with the threat of releasing sensitive information. These attacks have had serious consequences. In 2021, the Colonial Pipeline Company was targeted by ransomware, forcing the company to pause fuel delivery and spurring US president Joe Biden to implement emergency measures to meet demand. But ransomware attacks are a daily event around the world—last week, ransomware hit hospitals in the UK—and many of them don’t make headlines.
“There is a visibility problem into incidents; most organizations don't disclose or report them,” says Brett Callow, a threat analyst at Emsisoft. He adds that this makes it “hard to ascertain which way they are trending” on a month-by-month basis.
Researchers are forced to rely on information from public institutions that disclose attacks, or even criminals themselves. But “criminals are lying bastards,” says Liska.
By all indications, the problem is not going away and may even be accelerating in 2024. According to a recent report by security firm Mandiant, a Google subsidiary, 2023 was a record-breaking year for ransomware. Reporting indicates that victims paid more than $1 billion to gangs—and those are just the payments that we know about.
A major trend identified in the report was more frequent posts by gangs to so-called “shame sites,” where attackers leak data as part of an extortion attempt. There was a 75 percent jump in posts to data leak sites in 2023 compared to 2022, according to Mandiant. These sites employ flashy tactics like countdowns to when the sensitive data of victims will be made public if they don’t pay. This illustrates how ransomware gangs are ramping up the severity of their intimidation tactics, experts told WIRED.
“Generally speaking, their tactics are becoming progressively more brutal,” Callow says.
For example, hackers have also begun to directly threaten victims with intimidating phone calls or emails. In 2023, the Fred Hutchinson Cancer Center in Seattle was struck by a ransomware attack, and cancer patients were individually sent emails threatening to release their personal information if they did not pay.
“My concern is that this will spill over into real-world violence very soon,” says Callow. “When there are millions to be had, they might do something bad to an executive of a company that was refusing to pay, or a member of their family.”
While there hasn’t yet been a reported instance of violence resulting from a ransomware attack, gangs have used the threat as a tactic. “We’ve seen in negotiations that have been leaked that they’ve hinted that they might do something like that, saying, ‘We know where your CEO lives,’” Liska says.
Speaking of criminals’ callous approach to life and death, it’s worth noting that researchers estimate that, between 2016 and 2021, ransomware attacks have killed between 42 and 67 Medicare patients due to targeting hospitals and delaying life-saving treatments.
Liska notes that ransomware gangs don’t operate in a vacuum. Their membership overlaps with entities like “the Comm,” a loose global network of criminals who organize online and offer violence-as-a-service in addition to more traditional cybercrime like SIM swapping. Comm members advertise their willingness to beat people, shoot at homes, and post grisly videos purporting to depict acts of torture. Last year, 404 Media reported that Comm members are working directly with ransomware groups like AlphV, a notorious entity that assisted with a high-profile hack of MGM Casinos before the FBI disrupted its operations by developing a decryption tool and seizing several websites—only to return months later with an attack on Change Healthcare that disrupted medical services around the US.
“It makes me very concerned,” Liska says of the link between ransomware gangs and violent cybercriminals.
Law enforcement has seen some recent success in disrupting, if not completely eradicating, ransomware groups. In February, an international collaboration dubbed Operation Cronos disrupted the prolific LockBit ransomware operation by seizing its websites and offering free decryption to victims. Officials also arrested two alleged affiliates of the group who were based in Ukraine and Poland.
It’s been difficult to make a dent in the volume of ransomware attacks in part because ransomware gangs—which work almost like startups, sometimes offering a subscription service and 24/7 support for their software while they recruit affiliates that carry out attacks—are frequently based in Russia. This has prompted Western law enforcement to turn gangs’ own intimidation tactics and psychological games against them.
For example, Operation Cronos used a countdown timer in the style of a ransomware shame site to reveal the identity of LockBit’s alleged boss, 31-year-old Russian national Dmitry Khoroshev. He was also charged in a 26-count indictment by US prosecutors, and sanctioned. Since Khoroshev is apparently in Russia, he’s unlikely to be arrested unless he leaves the country. But revealing his identity can still have the effect of further disrupting his ransomware operation by eroding affiliates’ trust in him and putting a target on his back.
“There are a lot of people who will be interested in trying to get their hands on some of his money,” says Callow. “There will be people who would be willing to bash him on the head and drag him across the border to a country from which he can be extradited.” Affiliates may also be concerned about the possibility of his arrest if he voluntarily leaves Russia.
“Law enforcement is adapting to let them know that they are vulnerable,” Liska says.
Another obstacle to reining in ransomware is the Hydra-esque nature of affiliates. After the LockBit disruption, analysts saw 10 new ransomware sites pop up almost immediately. “That is more than we’ve seen in a 30-day period at any point,” says Liska.
Law enforcement is adapting to this reality, too. In May, an international collaboration called Operation Endgame announced that it had successfully disrupted multiple operations distributing malware “droppers.” Droppers are an important part of the cybercrime ecosystem as they allow hackers to deliver ransomware or other malicious code undetected. Operation Endgame resulted in four arrests in Armenia and Ukraine, took down more than 100 servers, and seized thousands of domains. Endgame employed psychological tactics similar to Operation Cronos, like a countdown to flashy videos containing Russian text and encouraging criminals to “think about (y)our next move.”
While the scale of the ransomware problem may seem difficult to get a handle on, both Liska and Callow say it’s not impossible. Callow says that a ban on payment to ransomware gangs would make the biggest difference. Liska was less enthusiastic about the prospects of a payment ban but suggested that law enforcement’s continuing actions could eventually make a real dent.
“We talk about whack-a-mole a lot when it comes to ransomware groups—you knock one down and another pops up,” says Liska. “But I think what these [law enforcement] operations are doing is they’re making the board smaller. So yes, you knock one down, and another one pops up. But you wind up with, hopefully, fewer and fewer of them popping up.”
