Devastating though ransomware has become, the threat will inevitably evolve further, as criminals develop new techniques for extortion.
In May 2023, the Dallas City Government was hugely disrupted by a ransomware attack. Ransomware attacks are so-called because the hackers behind them encrypt vital data and demand a ransom in order to get the information decrypted.
The attack in Dallas put a halt to hearings, trials and jury duty, and led to the eventual closure of the Dallas Municipal Court Building. It also had an indirect effect on wider police activities, with stretched resources affecting the ability to deliver, for example, summer youth programmes. The criminals threatened to publish sensitive data, including personal information, court cases, prisoner identities and government documents.
One might imagine an attack on a city government and police force causing widespread and lengthy disruption would be headline news. But ransomware attacks are now so common and routine that most pass with barely a ripple of attention. One notable exception happened in May and June 2023, when hackers exploited a vulnerability in the MOVEit file transfer app, which led to data theft from hundreds of organisations around the world. That attack grabbed headlines, perhaps because of the high-profile victims, reported to include British Airways, the BBC and the chemist chain Boots.
What is ransomware?
Ransomware can mean subtly different things in different contexts. In 1996, Adam Young and Mordechai “Moti” Yung at Columbia University described the basic form of a ransomware attack as follows:
Criminals breach the cybersecurity defences of the victim (either through tactics like phishing emails or using an insider/rogue employee). Once the criminals have breached the victim’s defences, they deploy the ransomware, the main function of which is to encrypt the victim’s files with a private key (which can be thought of as a long string of characters) to lock the victim out of their files. The third stage of an attack now begins, with the criminal demanding a ransom for the private key.
The simple reality is that many victims pay the ransom, with ransoms potentially running into the millions of dollars.
Using this basic characterisation of ransomware it is possible to distinguish different types of attack. At one extreme there are the “low level” attacks where files are not encrypted or criminals do not attempt to extract ransoms. But at the other extreme attackers make considerable efforts to maximise disruption and extract a ransom.
The WannaCry ransomware attack in May 2017 is an example of the first kind. The attack, linked to the North Korean government, made no real attempt to extract ransoms from victims. Nevertheless, it led to widespread disruption across the world, including to the UK’s NHS, with some cybersecurity risk-modelling organisations even saying the global economic losses went into the billions.
It is difficult to discern motive in this case, but, generally speaking, political intent or simple error on the part of the attackers may contribute to the lack of coherent value-extraction through extortion.
Our research focuses on the second extreme of ransomware attacks in which criminals look to coerce money from their victims. This does not preclude a political motive. Indeed, there is evidence of links between major ransomware groups and the Russian state. We can distinguish the degree to which ransomware attacks are motivated by financial gain by observing the effort invested in negotiation, a willingness to support or facilitate payment of the ransom, and the presence of money laundering services. By investing in tools and services which facilitate payment of the ransom, and its conversion to fiat currency, the attackers signal their financial motives.
The impact of attacks
As the attack on the Dallas City Government shows, the financial and social impacts of ransomware attacks can be diverse and severe.
High-impact ransomware attacks, such as the one which targeted Colonial Oil in May 2021 and took a major US fuel pipeline offline, are obviously dangerous to the continuity of vital services.
In January 2023, there was a ransomware attack on the Royal Mail in the UK that led to the suspension of international deliveries. It took over a month for service levels to get back to normal. This attack would have had a significant direct impact on the Royal Mail’s revenue and reputation. But, perhaps more importantly, it impacted all the small businesses and people who rely on it.
In May 2021, the Irish NHS was hit by a ransomware attack. This affected every aspect of patient care with widespread cancellation of appointments. The Taoiseach Micheál Martin said: “It’s a shocking attack on a health service, but fundamentally on the patients and the Irish public.” Sensitive data was also reportedly leaked. The financial impact of the attack could be as high as 100 million euros. This, however, does not account for the health and psychological impact on patients and medics affected by the disruption.
As well as health services, education has also been a prime target. For instance, in January 2023 a school in Guildford, UK, suffered an attack with the criminals threatening to publish sensitive data including safeguarding reports and information about vulnerable children.
Attacks are also timed to maximise disruption. For instance, an attack in June 2023 on a school in Dorchester, UK, left the school unable to use email or access services during the main exam period. This can have a profound impact on children’s wellbeing and educational achievement.
These examples are by no means exhaustive. Many attacks, for instance, directly target businesses and charities that are too small to attract attention. The impact on a small business, in terms of business disruption, lost reputation and the psychological cost of facing the consequences of an attack, can be devastating. As an example, a survey in 2021 found that 34% of UK businesses that suffered a ransomware attack subsequently closed down. And many of the businesses that continued operation still had to lay off staff.