By Jessica Ellis | December 15, 2020
In 2020, cybercrime has seen a dramatic evolution in ransomware attacks. This threat type has adopted increasingly malevolent tactics and targeted some of the year’s most vulnerable industries. Operators are linking up, franchising their attacks, extorting their victims, then expecting organizations to believe them trustworthy. By 2021, ransomware is anticipated to cause $20 billion in loss.
In this piece, we take a look at ransomware, and how it became one of the most significant threats to organizations this year.
A Year of Change
We cannot examine ransomware without first taking a look at how the pandemic impacted organizations in 2020. Many businesses required employees to work from home, and with that came the rushed implementation of new security controls, collaboration tools, and file sharing services. With security teams stretched thin and many employees focused on virus fears rather than safety protocols, gaping vulnerabilities in company networks and careless clicking through malicious emails gave threat actors ample opportunity for compromise.
The risks associated with this digital transformation became clear when in Q1 8.4 billion records were exposed. It is just before this time that ransomware operators first introduced a blended tactic to attacks: extracting and publishing data rather than simply encrypting it. This practice, adopted first by Maze operators, is now known as double extortion, and over the course of 2020 it was used in almost half of all ransomware attacks.
Ryuk and Sodinokibi operators were particularly busy employing this tactic at the beginning of the year, owning 46.3 percent of all ransomware attacks. Unlike Maze, who promised not to capitalize on the healthcare industry’s vulnerabilities during a global pandemic (then later released stolen data anyway), Ryuk and Sodinokibi took advantage of industries least capable of tolerating downtime during the pandemic, and chose to target health providers heavily. Notably, the same research also showed Ryuk and Sodinokibi responsible for ransom payments doubling in Q1.
Coveware Quarterly Ransomware Report
Ransom amounts, as well as attack volume, continued to climb aggressively in Q2, with the average payment 60% higher than in Q1. Not surprisingly, this surge did not slow, and in Q3 the U.S. alone saw a 139% year-over-year increase in ransomware hits. Global numbers fell just short of 200 million.
Tactics, Targets, and Families
The rise in attacks and ransom amounts in 2020 can be attributed to a few factors:
As we mentioned previously, in 2020 ransomware threats grew more elaborate as organizations no longer simply risked losing access to sensitive data. They now risked information being exposed if demands were not met. Operators became more creative with how they leaked data as well, by using social media, blogs, forums, and the dark web to draw publicity around the attack. Some even created auction sites where stolen information could be sold to the highest bidder. That organizations felt pressured to pay was evident, with demands met 40% of the time– more than doubling from the previous year.
Ransomware operators have become more strategic with who they target during 2020. This is most apparent by looking at the near vertical increase in ransom demands over the past year. The increase can best be attributed to the size and revenue of the targeted organization. Criminals are specifically targeting larger organizations that are capable, even willing, to part with larger amounts of cash because of their substantial revenue and ability to do so. Some operators are even spending time inside compromised networks studying financials to determine what a victim is capable of paying. Sodinokibi is one example of a group whose ransom demands indicated they carefully consider annual revenue before requesting a ransom.
Attack volume can also be attributed to malware families linking and franchising their tools. Maze (whose operators have supposedly closed out 2020 by shutting down operations), and Sodinokibi, the top ransomware attackers in Q3, ran their businesses on the ransomware-as-a-service (RaaS) model, which allowed their variants to be distributed among multiple threat actor groups in return for a cut of their profit. This gave less experienced groups the sophisticated tools to launch attacks that otherwise may not have been possible.
Wrapping up 2020
As we approach the end of the year, ransomware has accounted for one-third of all cyber attacks. Recently, the government issued not one, but two different imminent threat alerts warning of ransomware activity. Vulnerabilities brought on by digital transformation, as well as global uncertainty around the pandemic, have given ransomware operators the opportunity to access systems and con victims into disclosing sensitive information. Billions of records have already been exposed this year, and with double extortion growing in popularity, very little is keeping threat actors from taking sensitive data and exposing it to the world.
The most effective way for organizations to protect against ransomware is to prevent its delivery. Advanced email intelligence that includes proactive detection and real-time response will strengthen resiliency and mitigate risk.
In addition, external data leak intelligence should be used to monitor for exposure. If sensitive data is present online, organizations may use this intelligence to assess risk and formulate response strategies.