A new report from cyber intelligence firm Group-IB provides a deep analysis of 2020’s ransomware trends, finding that ransomware attacks have now become the most lucrative area of cyber crime. The primary driver has been large and organized ransomware gangs with a preference for targeting large enterprise-scale organizations (a trend referred to as “Big Game Hunting”), with these threat groups taking full advantage of the rapid switchover to remote work during the Covid-19 pandemic.
Ransomware attackers have also stepped up their affiliate marketing efforts, licensing their botnets and software to smaller players in return for a cut of the earnings. Collectively ransomware is now a multi-billion dollar industry that is projected to continue growing even as the pandemic subsides.
Ransomware attacks once again the preferred tactic of criminals
After a brief dip in recent years, ransomware attacks have come roaring back. 2020 presented the best opportunity ransomware groups may have ever seen, as companies scrambled to shift to remote work models and cloud services as coronavirus-related shutdowns came on suddenly early in the year.
Most ransomware attacks in 2020 were directed at large organizations with the resources to pay hefty demands, particularly those perceived as being unable to tolerate even short periods of network downtime. Opportunists were willing to attack other targets, however, most notably with a trend in attacking hospitals and university medical centers (which cannot tolerate much downtime but are usually not particularly well-funded). Surprisingly, the travel industry was also heavily targeted despite being in a severe down period during the pandemic. There is no one strong industry preference, however; ransomware groups are simply looking for large targets with the ability to pay and ready vulnerabilities to exploit. The average ransom demand more than doubled in 2020, jumping to $170,000 from $80,000 in the previous year.
While ransomware groups had already begun dabbling in extortion (via the public dumping of documents when ransoms go unpaid), 2020 saw this become a more standard component of ransomware attacks. The larger ransomware groups are increasingly maintaining their own dark web sites, to which sensitive documents are dumped for public viewing when victims refuse to pay. Organizations that suffer ransomware attacks now need to assume that confidential data or personal information was exfiltrated before the encryption began.
2020 was also the first year in which ransomware attacks could be tied directly to a death. A 78-year-old patient being transported by paramedics had to be turned away from a Dusseldorf hospital as equipment was down due to ransomware. The next available facility was 20 miles away, and the patient died in transit.
There are about a dozen organized and highly active groups that regularly execute ransomware attacks; the biggest among these in 2020 were Maze, Conti and Egregor. The study incorporated 500 attacks, and when all the smaller and more irregular players are counted the number of active ransomware attackers worldwide is now likely in the triple digits. State-sponsored threat actors tied to North Korea and Vietnam also made an appearance carrying out ransomware attacks for profit.
Ransomware-as-a-service (RaaS) is also now much more common than direct attacks from specific groups; 64% of all of the attacks studied were RaaS versus 16% traceable to a known threat actor. Ransomware operators are also more commonly using commodity malware botnets: TrickBot, Qakbot and IcedID are the ones most commonly used.
When ransomware attackers start hunting for ways into an organization, they overwhelmingly look at publicly accessible RDP servers first. The overall number of these servers in the wild grew quite a bit given the mass shift to remote work in 2020. Attackers start with the basics, sometimes gaining access simply by entering common default passwords or by credential stuffing. Attackers also show a strong preference for VPN appliances that do not have multi-factor authentication enabled.
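The RDP password guessing and credential stuffing described above leave a recognizable trace in Windows Security logs: bursts of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one source, often across several usernames, sometimes followed by a success (4624). The detector below is an added illustration, not code from the Group-IB report; the events, IP addresses and usernames are constructed sample data, and the field names assume a simple pre-parsed log record.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, event_id, src_ip, user, logon_type=10):
    # Minimal pre-parsed record; real data would come from a SIEM or evtx export.
    return {"time": datetime.fromisoformat(time), "event_id": event_id,
            "src_ip": src_ip, "user": user, "logon_type": logon_type}

# Constructed sample events (not real logs). 4625 = failed logon,
# 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ev("2020-04-01T02:00:01", 4625, "203.0.113.7", "administrator"),
    ev("2020-04-01T02:00:09", 4625, "203.0.113.7", "admin"),
    ev("2020-04-01T02:00:20", 4625, "203.0.113.7", "guest"),
    ev("2020-04-01T02:01:02", 4625, "203.0.113.7", "jsmith"),
    ev("2020-04-01T02:01:40", 4625, "203.0.113.7", "jsmith"),
    ev("2020-04-01T02:02:15", 4625, "203.0.113.7", "jsmith"),
    ev("2020-04-01T02:03:30", 4624, "203.0.113.7", "jsmith"),   # guess succeeded
    ev("2020-04-01T09:15:00", 4625, "198.51.100.20", "akumar"),  # a user's typo
    ev("2020-04-01T09:15:20", 4624, "198.51.100.20", "akumar"),
    ev("2020-04-01T11:00:00", 4625, "192.0.2.5", "svc_backup", logon_type=3),
]

def detect_rdp_password_attacks(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`.
    Records distinct usernames tried (a credential-stuffing signal) and whether
    a successful RDP logon from the same IP followed within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:          # only RDP logons are of interest here
            by_ip[e["src_ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["event_id"] == 4625]
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1                 # slide window so it spans <= `window`
            count = end - start + 1
            if count < threshold:
                continue
            last_fail = fails[end]["time"]
            success_after = any(e["event_id"] == 4624 and
                                timedelta(0) <= e["time"] - last_fail <= window
                                for e in evs)
            prev = findings.get(ip, {"failures": 0, "distinct_users": 0, "success_after": False})
            findings[ip] = {
                "failures": max(prev["failures"], count),
                "distinct_users": max(prev["distinct_users"],
                                      len({e["user"] for e in fails[start:end + 1]})),
                "success_after": prev["success_after"] or success_after}
    return findings
```

A flagged IP with `success_after` set is the case to escalate first, since it indicates the attacker obtained a working account rather than merely knocking on the door.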
Ransomware attackers also commonly scan public-facing applications for known and unpatched vulnerabilities. And 29% of the ransomware attacks surveyed incorporated some manner of phishing to gain access. Most phishing is done by email, with targeting techniques used to make it look like it is coming from a trusted party. Phishing emails most commonly link to a malicious attachment hosted on services such as Dropbox or Google Drive.
Ransomware attacks in 2021
What does this data tell us about what’s coming in 2021 and beyond? Group-IB includes several predictions for the near future. They expect RaaS to continue to grow and overwhelmingly be the most common source of ransomware attacks, likely translating into many more smaller players in the threat landscape. Linux RaaS will also become more common. The major ransomware operations will stay in business, however, and continue to focus on enterprise networks.
Group-IB sees these groups increasingly going into business selling the access they establish to other parties, rather than executing attacks themselves. Some of these groups may dump the ransomware aspect entirely and simply blackmail companies with a focus on data exfiltration. Group-IB also sees state-backed threat actors getting more involved in the ransomware market, particularly targeting rival CIS countries that have extensive enterprise networks.