ANSSI and the BSI present the fourth edition of the "common situational picture"

In this fourth edition of the Franco-German Common Situational Picture (CSP), the focus lies on the cybercriminal use of ransomware, and especially on the developments observed by ANSSI and BSI regarding the use of ransomware for maximal effect and extortion since 2019.

Published 25 November 2021. Updated 13 November 2023.

In recent years, ransomware, the encryption of data followed by extortion, has become one of the major threats to our modern, interconnected life. In contrast to other cyber-threats, ransomware usually has an immediate effect on the availability of the services that are provided or enabled by the affected information technology (IT). Depending on the services, ransomware can threaten not only the means of existence of a whole organisation, but in fact also an individual's life. Ransomware is therefore of high importance to both the French National Cybersecurity Agency (ANSSI) and the German Federal Office for Information Security (BSI). Ransomware is commonly associated with cybercrime, because it is primarily used for financial gain. The use of ransomware by states or state-level actors is of course possible, but has been observed to a much lesser extent. Initially, ransomware was widely used against individual users with relatively low ransom demands. Over time, and particularly in recent years, ransomware became a major threat to the networks of large organisations in so-called Big Game Hunting (BGH) attacks. BGH commonly refers to a ransomware attack that affects a significant part of an organisation's network. Accordingly, the attackers preferably target organisations with reasonable financial solvency in order to maximise their ransom yields. Furthermore, extortion operations are often prepared in advance, in some cases months before the actual deployment of the ransomware itself. Since the end of 2019, the extortion attempts in BGH attacks have been amplified by combining encryption with other malicious methods. This so-called double extortion model was observed across different ransomware strains and cybercriminal groups. In those cases, the attackers additionally exfiltrated potentially sensitive data from the targeted organisations before starting the encryption, in order to threaten the victims with either the public release of the stolen data or its auction or sale to undisclosed interested third parties.