Fraud Management & Cybercrime , Fraud Risk Management , Governance & Risk Management

Fueled by Profits, Ransomware Persists in New Year

Increasing Ransomware Varieties and Attack Volume Look Set to Continue, Experts Warn
Fueled by Profits, Ransomware Persists in New Year
Average ransom amounts demanded by ransomware operators (Source: Group-IB, November 2020)

Different types of criminality may come and go, but when it comes to cybercrime, ransomware dominated in 2020 and looks set to continue well into the new year.

See Also: Illumination Summit: Poker & Cybersecurity: A Game of Skill, Not Luck

Of course, ransomware attacks these days encapsulate a whole range of behaviors, including crypto-locking systems and extorting victims to buy a decryption key, but also naming and shaming victims and stealing and leaking data, among other tactics, techniques and procedures.

"Ransomware threat actors continue to innovate both their technology and their criminal modus operandi at an accelerating pace," security firm Sophos says in a recent report.

Data leaking in particular has helped fuel a boom in ransom payments. In late 2019, experts said that while the average ransom payment was increasing, fewer victims appeared to be paying a ransom.

The average ransom payment has continued to increase. (Source: Coveware)

Unfortunately, business has been booming over the past 12 months, and that's largely because at least 17 ransomware operations are now stealing data and threatening to leak it unless victims pay. Data exfiltration and the threat of leaking data have driven record ransomware profits. So far, there's no sign of this trend abating.

"We anticipate there will be more cases of data theft in 2021 than there were in 2020 - likely, at least twice as many," security firm Emsisoft says.

Criminal Imperative: Payday

The researchers' reasoning is simple: Criminals engage in crime - online or offline - to turn a profit. Whatever helps them reach payday more quickly is what they're more likely to do.

"Like legitimate businesses, criminal enterprises adopt strategies that are proven to work, and data theft has indeed been proven to work," Emsisoft says in a recent report. "Some organizations which were able to use backups to recover from attacks still paid the ransom simply to prevent their data being published. This resulted in a greater percentage of attacks being monetized and, as a result, better ROI for the cybercriminals."

Emsisoft adds: "We anticipate that cybercriminals will put stolen data to more use, using it to attack the individuals to which it relates in order to put additional pressure on the organizations from which it was stolen."

Fabian Wosar, Emsisoft's CTO, notes that “2021 need not be a repeat of 2020," and that "proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents, and those incidents which did occur would be less severe, less disruptive and less costly.” Unfortunately, similar exhortations from experts in recent years have not led to a drop in ransomware incidents.

Ransomware Attacks in 2020

Last year featured many examples of extortionists' constant innovation.

Top 2020 targets of ransomware attackers were schools and universities, especially as organizations and individuals grappled with the effects of the COVID-19 pandemic and work-from-home arrangements, Emsisoft says.

Of the 2,354 victims of ransomware attacks recorded by Emsisoft in 2020, 113 were government agencies and 560 were healthcare organizations, while 84 attacks collectively affected at least 1,681 schools, colleges and universities. In response to many victims refusing to pay a ransom - law enforcement agencies urge victims to never pay criminals - criminals often dumped stolen data. Emsisoft notes that over the course of the year, data dumped included private health data, details on school staff as well as students and police records describing active investigations.

Target: Education

As the COVID-19 pandemic has forced many educational institutions to operate remotely, ransomware attackers have added disrupting virtual classes to their arsenal of threats.

Examples abound: Last September, Hartford Public Schools in Connecticut and Miami-Dade County Public Schools in Florida were hit by ransomware. Two months later, the Baltimore County Public Schools district was hit by a suspected Ryuk ransomware attack.

In December 2020, the U.S. Cybersecurity and Infrastructure Security Agency warned that hackers were targeting vulnerable networks of K-12 schools.

Data Exfiltration Trends

In 2020, exfiltrating data from victims before crypto-locking their systems and naming and shaming victims via leaks sites became common. The practice was pioneered by the now-defunct Maze group in late 2019, and many other groups followed suit. Those include Clop, DoppelPaymer, Nefilim, Sekhmet and, more recently, Avaddon.

DoppelPaymer was also tied to an attack against a hospital in Germany, which led to a seriously ill patient having to be rerouted to another hospital. "This individual later died, though German authorities ultimately did not hold the ransomware actors responsible because the German authorities felt the individual’s health was poor and the patient likely would have died even if they had not been re-routed," the FBI notes in a private industry alert issued last month.

For exfiltrating data, "size doesn’t matter" for attackers, Sophos says. "They don’t seem to care about the amount of data targeted for exfiltration. Directory structures are unique to each business, and some file types can be compressed better than others. We have seen as little as 5GB, and as much as 400GB, of compressed data being stolen from a victim prior to deployment of the ransomware."

Exfiltrating data has facilitated fresh tactics. Some gangs began charging extra to provide not just a decryption tool, but also a promise to delete stolen data. Gangs that historically trafficked in banking Trojans have been adding ransomware to their arsenal, given its amazing earning potential.

More ransomware operations are practicing so-called "big-game hunting," which involves taking down large targets. Experts say such victims don't take much more technical acumen to hack, and the potential payoff can be far higher.

"Back in the day, we saw ransom demands of $100,000 or a few hundred thousands, but these days, we are seeing ransom demands in the millions more and more often," Oleg Skulkin, lead digital forensics specialist at cybersecurity firm Group-IB, said in a presentation at the company's CyberCrimeCon last November.

For big-game hunting, "the main threat actor who uses this approach is Dharma - it's quite a popular piece of ransomware," Skulkin says. "Dharma emerged in 2015, but it's still active and it has quite a lot of different affiliates," last year expanding to include "even some affiliates from Iran."

Ransomware-as-a-Service Model Flourishes

While some ransomware operators keep their operations in-house, ransomware-as-a-service operations also are surging. RaaS involves operators providing ransomware code to affiliates, who infect endpoints and share any ransom-payment profits. Such operations include Conti, which is restricted to private members, as well as Sodinokibi - aka REvil - which has more of an open-door policy for affiliates.

In general, operators keep 15% to 30% of all profits. Sometimes, they also help shake down victims and handle negotiations.

Source: Group-IB

Ransomware operators as well as RaaS affiliates are also making use of an increasing range of services, including specialists in various aspects of the attack chain, says Costin Raiu, director of Kaspersky's global research and analysis team.

"We've seen cooperation between cybercriminal groups in the creation of so-called ransomware cartels, and the splitting of functions between different criminal groups - such as maybe one group focusing on the initial access, then just selling the victims to another group," Raiu says. "And those guys encrypt the data, then outsource the whole process of negotiation to yet another group."

Still to Come: Yet More Rapid Growth

Unfortunately, the ransomware landscape looks set to get worse before it gets better.

"We expect ransomware to continue its rapid growth in 2021, with ransomware varieties increasing along with frequency of attacks," cybersecurity firm FireEye says in a report. "One troubling trend is that attackers are not only making adjustments to their ransomware TTPs (tactics, techniques and procedures), but also increasingly moving to ransomware-as-a-service, which includes offering malware and the skills to deploy it on a one-time or ongoing basis."

Group-IB's Skulkin also predicts the problem "is going to get worse, because more and more threat actors are starting to focus on big-game hunting operations" against large organizations with "great revenues … so all of them are potential targets for human-operated ransomware."

He says some ransomware gangs might even move away from ransomware altogether and focus instead on exfiltrating data and attempting to extort victims by threatening to leak it.

Unfortunately, nothing today looks set to blunt the impact of ransomware. "Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals," Emsisoft says.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.