Threat Awareness: The Spectre of Ransomware
This is an Insight article, written by a selected partner as part of GDR's co-published content. Read more on Insight
Twenty-first-century businesses rely on data to run their operations; data is their lifeblood and any interference can be deadly – a risk identified by criminals.
The task of defending information technology (IT) networks, therefore, is all about the data moving across them; inactive data is a risk or potential threat at worst. The challenge when data is moving is knowing what it is doing.
Ideally a company would want to know what happens to every piece of data in transit on its network and set rules about its use. However, this is a potentially technically challenging solution and an inflexible method requiring significant amounts of data storage.
Furthermore, such a system would present serious problems for the move to home working popularised by the covid-19 pandemic because it would mean that each device would need to authenticate via insecure, public networks to access a corporate network. The virtual private network (VPN) method that most companies currently use to achieve this is designed for flexibility, which means that it is open to all internet protocol addresses, apart from those that are blacklisted.
The freedom this gives to employees reflects the risks to data from a potential attacker. Data can be stolen, it can be put out of reach or it can be destroyed. This means each organisation must decide several security issues, such as the perceived value of data, the capability of tracking its movement and the balance that can be struck between the employees’ freedom and the threats to that data.
There are a number of cybercrime threats to data, ranging from data breaches that focus on the theft of passwords, usernames and financial information to threats to networks, such as distributed denial of service attacks (DDoS), which attempt to overload a network or computer (in most cases, a web server hosting a website) with automated junk traffic to make it unavailable for its intended users for a certain period.
The most reported form of attack is ransomware, which has refined most cybercrime techniques and has become the most effective method of making money using modern developments in technology. Ransomware relies on an attacker gaining access to a company network, encrypting the data on it and denying the company access to either data or devices unless a ransom is paid.
Although not a new threat – in the 1990s there were several cases of disgruntled employees encrypting data and demanding ransoms for access – the advent of cryptocurrencies and the internet have generated a huge increase in the activity. In the 20th century, the ransom had to be picked up either in cash or by bank transfer, which left the extortioner very vulnerable to arrest. That risk no longer exists.
As a result, the sheer scale of the attacks is forcing businesses to factor a response to a ransomware attack into their business models, which could expose a business to legal issues over whether to pay.
What is even more problematic is that, often, even if a ransom is paid, a company may not regain access to all its data.
Another factor is that the payment of a ransom not only confirms to the criminals that their crime pays, it also has reputational issues: first, regarding the business’s cybersecurity and second, regarding the future integrity of the business’s data.
A final factor is the legality of payment as cybercriminals are often either sanctioned or operating from sanctioned states.
This issue received stark emphasis in November 2021 from the US Department of Treasury’s Office of Foreign Asset Control (OFAC), which updated the Sanction List with a number of cryptocurrency wallets specifically concerning individuals associated with cybercrime, who were the alleged perpetrators of ransomware attacks. The update also included for the second time a crypto exchange known as Chatex, which is suspected of facilitating financial transactions for hackers.
The regulatory landscape has also changed. The US Federal Deposit Insurance Corporation, a US regulator of the financial industry, announced on 18 November 2021 that banking organisations will be required, from 1 April 2022, to report computer security incidents within 36 hours. The new regulations, which other industry sectors are likely to adopt, mean that organisations will find it more difficult to hide an incident.
The Ransomware Disclosure Act proposed by Senators Elizabeth Warren and Deborah Ross is likely to make payment even more problematic. The Act, if passed, will require companies that are the victims of ransomware attacks to report ransom payment information to the Department of Homeland Security, which will provide the US government with critical data on cybercrime activity. It may also have the effect of reducing a company’s or its insurer’s willingness to pay, knowing that they may face government scrutiny when they disclose the payment, which is likely to include how payment was made, how much was paid and to whom. Similar legislation is being proposed in other parts of the world, such as Australia.
So, perhaps a business’s first step in developing a response should be to seek legal advice regarding a ransomware insurance policy.
Ransomware is big business
Although no exact figures exist for the annual criminal proceeds of ransomware, the activities of law enforcement in arresting gang members and recovering stolen funds do give an indication of the scale of the activity. This policing activity has led to seizures of millions of dollars in cash and expensive assets, as well as the freezing of criminal cryptocurrency accounts.
To gain an insight into the scale of the issue, in one notable event on 14 January 2022, Russian Federal Security Service (FSB) agents arrested 14 members of one of the most notorious ransomware gangs – Sodinokibi (aka REvil) – and confiscated US$6.6 million worth of cash assets, 20 luxury cars and a parcel of cryptocurrency wallets used to run its affiliate business.
Before the Russian raid, law enforcement agencies had already arrested seven affiliates of the gang, and even recovered US$6.1 million from another affiliate still at large.
In a business model often used in computer crime, the Sodinokibi gang runs ransomware-as-a-service (RaaS) affiliate operations, and takes a cut of 30 to 40 per cent from ransom payouts made to their affiliates around the world.
According to the US Department of Justice, in November 2021, the Sodinokibi ransomware operation collected more than US$200 million in ransom payouts and encrypted no fewer than 175,000 computers.
The impact of ransomware on global business and its data has been severe. This trend has been reflected in media headlines, most notably the 2021 attack on the US company Colonial Pipeline. This incident resulted in petrol shortages because of panic buying of fuel and a US$4.4 million ransom demand.
An idea of the scale of the problem can be gauged from analysis carried out by the European Union’s cybersecurity agency ENISA, which in 2019 put the cost of ransomware payouts at €10 billion, and the US Financial Crimes Enforcement Network, which, in the first part of 2021, estimated bitcoin payments it associated with ransomware to be in the region of US$5.2 billion.
These figures also mask one other often overlooked factor, which is that the success of ransomware is only possible because of the criticality of data to run modern businesses. Lose access to your data and you lose your business.
The psychological pressure ransomware generates for critical data
Ransomware generates huge psychological pressure because organisations are conscious of potential reputational damage, service outages and legal and financial penalties, to which is added the obvious knowledge of losing control of core data. It is a mark of the importance of critical data that the ransomware trend has reached such levels as its specific purpose is to take advantage of how dependent businesses are on their computer networks.
In November 2019, the Maze ransomware gang started a trend called doxing (taking valuable or sensitive data from victims’ systems before encrypting it). The gang then threatens to either publicly release the data or sell it to other malicious actors unless they are paid an additional fee on top of the ransom – a type of double extortion.
To increase the pressure still further on their victims, some ransomware operators take the step of directly contacting business partners or customers of victim organisations that have not paid a ransom demand. They will imply that sensitive data has been accessed in the attack and suggest that the business partners or customers also put pressure on the victim organisation to pay the ransom, or even demand payment directly from the business partners or customers.
What is also particularly interesting about the crime trend is the acute awareness that criminals have developed regarding the value and use of information in the internet age.
In a final brazen twist, they have begun to offer insider information to short the stock of publicly traded companies in tandem with a public announcement of a ransomware attack. The DarkSide ransomware gang used this technique in April 2021 when it released a notice on its dark web portal offering information about companies listed on NASDAQ and other stock exchanges that had fallen victim to the gang. The group’s ruse was that the combination of bad publicity, a dip in stock prices and the sale of insider information might put pressure on some companies to pay the ransom.
Gangs have homed in on market pressure in the wake of Verizon’s 2017 acquisition of Yahoo. Following news of two data breaches, Verizon reduced its original offer for Yahoo by US$350 million, which was noted by the cyber gangs. This was a development the US Federal Bureau of Investigation (FBI) highlighted in November 2021 when it released a private industry notification warning that ransomware actors now coordinate their attacks with current mergers and acquisitions to maximise extortion bids.
Acutely conscious of the value of the data it is denying to the company, the gangs’ modus operandi is usually to keep ratcheting up the pressure with a range of other attacks. Furthermore, if victims refuse to pay, ransomware gangs will often threaten multiple follow-up disruptions. These range from DDoS attacks on victims’ websites to personal threats against company executives using data found on their devices.
Sometimes, the criminals advertise their presence on a network using shock tactics such as print bombing, in which multiple printers on a network are commanded to print a ransom note – threatening management’s ability to control internal and external communication about an incident. Some gangs have also taken to cold calling executives using data on companies’ databases to further increase the sense of being under siege.
In a 2020 attack, the Ragnar Locker ransomware gang even used funds from a US man’s hacked Facebook account to run a Facebook Ads campaign against Campari, in a bid to coerce it to pay for a ransomware attack. The campaign failed when Facebook detected the advertisements and quickly capped the campaign spend at US$35.
Preamble to a ransomware attack and other threats to data
A corporate ransomware attack is typically preceded by a two-stage preparation process that begins with initial access and is followed by reconnaissance, possibly accompanied by the theft of data.
Typically, ransomware operators rely on access brokers who specialise in gaining initial access to a network. To gain entry, these attackers probe networks for insecure system configurations, especially in remote access software tools such as remote desktop protocol (RDP, a tool that allows a device to be accessed via a network), or look for vulnerable software to exploit. Other lines of attack involve spearphishing (i.e., targeting individuals with an email they are likely to reply to because it appears to come from someone they trust) or bulk phishing emails. Both types of email contain malicious attachments or links that aim to trick unwary recipients into unwittingly giving up their credentials or allowing malware to be downloaded and installed.
For these access brokers, often hired via the dark net, the coronavirus pandemic was a godsend because of the number of office employees forced to work from home who suddenly became dependent on remote access tools. As a result, RDP became an essential requirement for people working from home. It works both ways, also enabling support staff to remotely manage employees’ machines.
Unfortunately, RDP can be a significant risk, and to expose it to the internet – especially at scale – is a decision that should not be taken without some thought.
Although gaining access from the internet to devices running RDP may require more effort than ransomware delivered via other channels, such as email, RDP does offer attackers significant benefits, such as misuse of legitimate access, the potential to evade protections and the ability to compromise multiple systems, or whole networks within a single organisation, especially if attackers successfully elevate their privileges to ‘admin’ or compromise an administrator’s machine. Since RDP is a legitimate service – unlike malware – attacks via RDP can also fly under the radar of many detection methods, meaning fewer records and less threat awareness.
Full-on search for vulnerabilities
The quest for vulnerable companies by access brokers is relentless. Once one avenue has been exhausted, they switch to another, taking advantage of unpatched vulnerabilities in legitimate system software both to gain initial access and, once inside, to extend access to additional connected systems. It is a process like that used in the animal world by predators on herds – they search for weaknesses and the target is pursued because of its weakness. It is only afterwards, once identified, that it is examined for its potential exploitation value.
Another method of attack used as part of this pattern of victim identification is the use of ‘zero days’. A vulnerability is a mistake in the coding of some software of which a cyber criminal can take advantage to conduct an attack. A zero-day vulnerability occurs when there is no yet a patch in place to mitigate it, there being ‘zero days’ since a patch has been made available to the public. Discovering zero-day vulnerabilities can be an expensive process that generally involves well-funded and sophisticated threat actors such as advanced persistent threat (APT) groups and nation state-sponsored actors.
In one example in March 2021, a spate of attacks occurred when Microsoft rushed out emergency updates to address a chain of four ‘zero-day’ flaws – subsequently named ProxyLogon – that affected versions of Microsoft Exchange, a server software used by organisations to deliver email via Outlook.
The speed and scale of the attack on Exchange servers around the world by more than 10 APT groups was striking. Companies that were too slow to patch or had not protected their systems sufficiently saw threat actors accessing their Exchange servers and attempting to steal email, download data and compromise machines with stealth malware to obtain long-term access to their networks.
When coupled with ransomware, the automated exploitation of a vulnerability can become devastating. One of the best examples of this was WannaCry ransomware, one of whose victims was the United Kingdom National Health Service in 2017. That attack came about because of the misuse of a high-severity vulnerability in Microsoft’s Server Message Block (SMB) protocol, which is used for file and printer sharing in large company networks. Despite patches having been available for two months before the WannaCry outbreak on 12 May 2017, attackers still found and encrypted more than 200,000 vulnerable machines.
That ransomware gangs do their homework is obvious as is their attention to detail, aware that some companies have managed to avoid paying them by backing up their data. It is therefore not surprising that the network-attached storage (NAS) devices commonly used to share files and make backups have also attracted their attention. This was confirmed in 2021, when the NAS appliance maker QNAP alerted its customers that a ransomware called eCh0raix was attacking its NAS devices, most successfully with those with weak passwords.
In January 2022, the DeadBolt group kicked off a ransomware campaign targeting internet-connected QNAP NAS devices. The attackers claimed to be exploiting a zero-day vulnerability that they would disclose to QNAP in return for US$1.85 million.
If such a device is connected to the internet and vulnerable, the best advice is to disconnect it right away. Considering that NAS devices are commonly used to store backups that can help organisations recover from a ransomware attack, this can be a particularly damaging type of attack.
As mentioned earlier, many criminals still use email attachments to deliver the malign code that installs ransomware. The attachments will either deliver downloaders that install malware on the email recipient’s machine or establish a foothold on a machine within an organisation’s network.
Email is one of the primary routes for botnets (such as Trickbot, Qbot and Dridex), one of the blights of the internet. Botnets are software programs that link a huge number of infected computers to form a usually automated ‘robot network’ – hence ‘botnet’, one of the core criminal internet entities. They are available for hire on a metered basis (often for as little as 15 minutes) to take down websites and online computer systems by sending a stream of automated requests for information that overloads the computers and forces them to crash. They provide the essential delivery mechanism for junk email campaigns, the DDoS attacks discussed earlier, and for ransomware.
The criminals scan the internet looking for vulnerable computers to infest while simultaneously sending out junk email to catch the unwary. Once installed, the software harvests and sends data about the victims’ machines to the attackers’ server. The attackers then take control of the machine and link it with others they have infected to form a botnet, a network of computers that can be used in large-scale attacks, such as malicious email campaigns, DDoS attacks on websites and ransomware. For the owner of the computer, the only sign of the infection may be that it begins to run slowly.
Botnets such as Trickbot commonly attach Microsoft Office documents tainted with malicious code in email campaigns for initial intrusion that can later lead to ransomware as the final payload. In these cases, the botnet operators usually act as initial access brokers who sell or rent their access to compromised networks to the ransomware operators. It is because of this that there are often direct links between botnet and ransomware software.
Criminals have also managed to pollute the legitimate software supply chain. People commonly acquire software by downloading it from websites and then, over the lifetime of using that software, receiving updates directly from the update servers of the software company. These servers routinely push updates that include bug fixes, security patches and new features.
In 2017, for example, it was found that an accounting software suite named M.E.Doc was being used by criminals to push the DiskCoder.C (aka NotPetya) malware as part of its cyberwar against Ukraine, where M.E.Doc is widely used. The attackers penetrated the software company’s update servers and added their own code to legitimate application update files. When users of the accounting software clicked to install program updates, they were also installing a malware backdoor, opening the way for what became the most devastating cyberattack in history.
Kaseya VSA became another target of a supply-chain attack in July 2021. Kaseya is an IT management software provider whose main clients are managed service providers (MSPs). Its VSA product delivers automated software patching, remote monitoring and other capabilities so that MSPs can manage their customers’ IT infrastructure.
The attackers compromised scores of MSPs using VSA and sent a fake update to the MSPs’ customers that contained Sodinokibi ransomware.
Definitive proof that crime gangs were attempting to suborn employees to obtain access to their employers’ networks came in July 2020 when the FBI arrested a Russian who tried to recruit a Tesla employee into a ransom scheme against the company. The employee was offered US$1 million in return for details about Tesla’s network that would be used to develop custom malware to steal the company’s data, which the employee would install during a diversionary DDoS attack.
The risk of insider threats is a continuing problem. According to a survey of IT firms in the United States conducted in December 2021, 65 per cent of employees revealed that hackers had offered them bribes to hand over access to their corporate networks. These campaigns used email, social media and even phone calls to reach out to employees.
Once inside a network, attackers will move on to the second stage and begin to explore, often with the aim of increasing their level of access. Modern operating systems typically assign a set of privileges to specific processes and users, which allows them to perform certain actions. This increases the security of a system because attackers that compromise systems as low-level users are limited in what they can do – having the highest level of privilege would allow attackers to do almost anything they want on the computer. So the attackers’ first task is to check whether the operating system or any installed applications allow them to elevate their privilege level, ideally to that of administrator. The second objective is to maintain access for future intrusions.
This task becomes easier if the attackers are on a computer storing information about the people using the network, as one option is to look for people who have not used their accounts in a long time and to assume their identities. This is a very good reason for network administrators to disable and remove the accounts of former employees, lest a ghost of them should reappear in the network. Although an attacker could create a new user account, this would likely be noticed by the IT administrator. This is why maintaining an inventory of internet-facing assets, users and software is a basic step in preventing attacks.
Another approach used by attackers to achieve future access is to introduce ‘backdoor’ software into a system that allows them to come and go at will, but ideally, an attacker will try to introduce as little malicious code as possible to minimise the chances of detection. This is a strategy known as ‘living off the land’ because it uses legitimate software, often used by the system’s actual administrators, and standard tools installed with the base operating system, to extend network penetration. There are valid reasons for these programs to be executed and so detecting abuse by an attacker can be difficult, although not impossible.
If endpoint protection is installed on the system and it can be turned off by a user with administrator privileges, the attacker will want to turn it off; therefore checking that all security solutions are protected with strong, unique passwords should be the first item in a security software audit.
How to protect your critical data
A basic step in defending against RDP attacks is to make an inventory of internet-facing accounts, listing those that have remote access enabled and deciding whether that access is necessary. Those accounts should have long and unique passwords – or passphrases, which are easier to remember.
Knowing you are under attack is useful. Some security products have brute-force attack protection that detects groups of failed external login attempts and blocks further attempts. In a brute-force attack, typically an attacker uses automated software tools to attempt to log in with standard administrator account names, such as ‘admin’, and lists of default or leaked passwords, sometimes making millions of attempts.
This can also be stopped by setting an account login threshold. For example, after three invalid login attempts, further login attempts could be blocked for a set period or still allow subsequent attempts but require longer intervals to flag the failed login.
Even better than relying on passwords is to use multi-factor authentication, which requires another piece of information in addition to the usual username and password.
Hardening and patching should be performed for all remotely accessible devices. All non-essential services and components should be removed or disabled and all system settings configured for maximum security.
Companies should adopt an email strategy. Many already have basic spam filtering and phishing detection in place but they can go further and block unused attachment types.
Organisations should protect all their endpoints and servers with endpoint protection software that stops employees going to web pages blacklisted by the software for hosting malware or deemed inappropriate for work use. The software also allows central management and updating and can control access to external devices, such as removable USB sticks, that are connected to a system.
Providing cybersecurity training for employees that reflects the latest trends significantly reduces cybersecurity incidents. Employees should report suspicious messages and attachments to the help desk or security team immediately.
Organisations should also have a comprehensive, properly managed and well thought out backup program. For example, when backup storage is ‘always on’, it can be compromised by ransomware in exactly the same way as local and other network-connected storage. This risk can be prevented by:
- ensuring that backups are not routinely and permanently online;
- protecting backed-up data from automatic and silent modification or overwriting by malware whenever online;
- protecting earlier generations of backed-up data from compromise, to provide a fallback;
- examining the organisation’s legal liability to its customers; and
- carrying out regular testing, validation of readiness and optimisation of the backup process.
Conclusion: To pay or not to pay?
The threat of cybercrime has raised the costs of the internet-enabled computer systems that are essential to modern businesses and forces three choices on organisations: invest in cybersecurity, pay for cyber insurance or foot the cost of an attack – sometimes a combination of the three.
From a technical viewpoint, there are several potential points where a ransom payment made in the hope of receiving a decryption key can go wrong:
- some of the data might have been corrupted in the encryption process and is not recoverable;
- the process for delivering the decryption key fails;
- the decryption tool might be bundled with other malware, might not work properly, or is much slower than backup recovery; or
- if the ransomware has been removed, the encrypted data may no longer be recoverable even with the cooperation of the criminals, because the decryption mechanism is often part of the malware.
Paying a ransom also has its risks: the criminals may not keep their word, although this is not ‘good’ business. It is also an acknowledgement of weakness. According to a survey carried out in 2021, almost half of the organisations that paid ransoms were attacked a second time, apparently by the same gang.
Cyber insurers now play an important part in protecting companies from cyber incidents but the increase in attacks is driving up premiums. Potentially large payments also encourage the growth of ransomware – there have already been cases of gangs digging through an attacked company’s files to discover whether it has a cybersecurity policy and how much it is covered for, suggesting the role of cyber insurers may need to change to providing insurance against the cost of recovery, rather than paying a ransom.
Regulatory attention is also beginning to be focused on ransomware gangs. This has led to a requirement in some jurisdictions to disclose incidents, and to add groups and individuals known to be associated to them to sanctions lists. A pushback is also occurring against the practice of ransom payment. It is possible governments may insist on mandatory disclosure before paying and limit the circumstances in which it can occur. As the FBI makes clear: ‘Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.’
However, taking the moral high ground by not paying is not always the cheaper option. When WannaCryptor hit the UK’s National Health Service, experts estimated the rebuilding costs at £92 million in costs to rebuild.
When critical services such as healthcare are hit, some point out the potential harm to human life by not paying the ransom. There have already been two cases, in 2019 and 2020, in which a ransomware attack was named as one of the possible contributory causes of the death of a patient.
Paying ransoms also masks another issue, which is that perhaps companies should legally be obliged to protect their systems, particularly in certain industries.
In fact, the long-term costs of taking the easy path of paying now seem to be sparking new impetus among insurers to push organisations right back to the basic cybersecurity practices and tools in which they should have been investing all along.
 René Holt is a security writer at ESET. The author acknowledges that the main source of the information in this chapter is a white paper, updated by ESET Security Awareness Specialist Ondrej Kubovič in August 2021, that includes contributions by Stephen Cobb, former senior security researcher at ESET, and current ESET colleagues Research Fellow Bruce P Burrell and Chief Security Evangelist Tony Anscombe. See https://www.welivesecurity.com/wp-content/uploads/2021/08/ransomware_paper.pdf (last accessed 10 Mar. 2022).
 https://www.fdic.gov/news/financial-institution-letters/2021/fil21074.html (last accessed 8 Mar. 2022).
 https://www.warren.senate.gov/newsroom/press-releases/warren-and-ross-introduce-bill-to-require-disclosures-of-ransomware-payments (last accessed 8 Mar. 2022).
 ‘New Australian bill would force companies to disclose ransomware payments’, The Record (21 Jun. 2021), https://therecord.media/new-australian-bill-would-force-companies-to-disclose-ransomware-payments/ (last accessed 8 Mar. 2022).
 ‘Russia arrests REvil ransomware gang members, seize $6.6 million’, Bleeping Computer (14 Jan. 2022)), https://www.bleepingcomputer.com/news/security/russia-arrests-revil-ransomware-gang-members-seize-66-million/ (last accessed 8 Mar. 2022).
 ‘DOJ charges 2 men allegedly behind REvil ransomware attacks’, ABC News (8 No. 2021), https://abcnews.go.com/Politics/doj-charges-men-men-allegedly-revil-ransomware-attacks/story?id=81037690 (last accessed 8 Mar. 2022).
 https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack (last accessed 8 Mar. 2022).
 ‘Ransomware gang urges victims’ customers to demand a ransom payment’, Bleeping Computer (26 Mar. 2022), https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/ (last accessed 8 Mar. 2022).
 ‘Ransomware gang wants to short the stock price of their victims’, The Record (22 Apr. 2022)), https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/ (last accessed 8 Mar. 2022).
 ‘Ransomware Actors Use Significant Financial Events and Stock Valuation to Facilitate Targeting and Extortion of Victims’, Federal Bureau of Investigation (1 Nov. 2021), https://www.ic3.gov/Media/News/2021/211101.pdf (last accessed 8 Mar. 2022).
 ‘Another ransomware now uses DDoS attacks to force victims to pay’, Bleeping Computer (24 Jan. 2021), https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/ (last accessed 8 Mar. 2022).
 ‘Some ransomware gangs are going after top execs to pressure companies into paying’, ZDNet (9 Jan. 2021), https://www.zdnet.com/article/some-ransomware-gangs-are-going-after-top-execs-to-pressure-companies-into-paying/ (last accessed 8 Mar. 2022).
 This is highlighted by ESET in its 2020 Q4 Threat Report, at https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf (last accessed 8 Mar. 2022).
 ‘Ransomware Group Turns to Facebook Ads’, Krebs on Security (10 Nov. 2020), https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/ (last accessed 8 Mar. 2022).
 Data collected by ESET security products deployed around the world shows that attackers have been making billions of attempts to brute force RDP logins by guessing passwords and usernames. The data revealed 29 billion malicious password guesses in 2020 alone. This number exploded in 2021, closing the year with 288 billion attacks, an almost tenfold increase in absolute numbers (897 per cent increase year-on-year).
 ‘Exchange servers under siege from at least 10 APT groups’, We Live Security (10 Mar. 2021), https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ (last accessed 8 Mar. 2022).
 ESET’s detection data for 2021 showed the ProxyLogon vulnerability chain to be the second most frequently used attack avenue, at 14 per cent, beaten only by password guessing at 47 per cent.
 ‘WannaCryptor remains a global threat three years on’, We Live Security (12 May 2020), https://www.welivesecurity.com/2020/05/12/wannacryptor-remains-global-threat-three-years-on/ (last accessed 8 Mar. 2022).
 ‘Microsoft Exchange exploits – step one in ransomware chain’, ESET (29 Mar. 2021), https://www.eset.com/blog/enterprise/microsoft-exchange-exploits-step-one-in-ransomware-chain/ (last accessed 8 Mar. 2022).
 ESET research from Q4 2020 showed that eCh0raix was the most prominent ransomware targeting NAS devices.
 Some of the many known relationships between botnet and ransomware families include Emotet with Qbot, and Trickbot and Ryuk.
 ‘TeleBots are back: Supply-chain attacks against Ukraine’, We Live Security (30 Jun. 2017), https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/ (last accessed 8 Mar. 2022).
 ‘New TeleBots backdoor: First evidence linking Industroyer to NotPetya’, We Live Security (11 Oct. 2018), https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/ (last accessed 8 Mar. 2022).
 FBI Cyber Division Assistant Director James Trainor quoted in ‘Incidents of Ransomware on the Rise – Protect Yourself and Your Organization’, FBI News (29 Apr. 2016), https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise (last accessed 8 Mar. 2022).
 The first was in connection with a baby’s death (30 Sep. 2021), https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116; the second with a woman’s death (17 Sep. 2020), https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/; and a third clarifying the impact of ransomware (12 Nov. 2020), https://www.technologyreview.com/2020/11/12/1012015/ransomware-did-not-kill-a-german-hospital-patient/ (web pages last accessed 8 Mar. 2022).