To evaluate the current state of the ransomware threat landscape, the Unit 42 threat intelligence team and the Crypsis incident response team collaborated to analyze the ransomware threat landscape in 2020, with global data from Unit 42 as well as US, Canada, and Europe data from Crypsis.
This report details the top ransomware variants (with links to threat assessments for each variant), average ransomware payments, ransomware predictions, and actionable next steps to immediately reduce ransomware risk.
I-AML – Providing Our Customers with Ransomware Response and Recovery Services
Cybercriminals Are Making, and Demanding, More Money Than Ever
Note: The following data is from the US, Canada, and Europe.
The average ransom paid for organizations increased from US$115,123 in 2019 to $312,493 in 2020, a 171% year-over-year increase. Additionally, the highest ransom paid by an organization doubled from 2019 to 2020, from $5 million to $10 million. Meanwhile, cybercriminals are getting greedy. From 2015 to 2019, the highest ransomware demand was $15 million. In 2020, the highest ransomware demand grew to $30 million.
Of note, Maze ransom demands in 2020 averaged $4.8 million, a significant increase compared to the average of $847,344 across all ransomware families in 2020. Cybercriminals know they can make money with ransomware and are continuing to get bolder with their demands.
Healthcare Organizations in the Crosshairs
The world changed with COVID-19, and ransomware operators took advantage of the pandemic to prey on organizations—particularly the healthcare sector, which was the most targeted vertical for ransomware in 2020. Ransomware operators were brazen in their attacks in an attempt to make as much money as possible, knowing that healthcare organizations—which needed to continue operating to treat COVID-19 patients and help save lives—couldn’t afford to have their systems locked out and would be more likely to pay a ransom.
Ryuk ransomware stood out from the pack. In October 2020, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), warning healthcare organizations against Ryuk attacks.
The Rise of Double Extortion
A common ransomware attack consists of the ransomware operator encrypting data and forcing the victim to pay a ransom to unlock it. In a case of double extortion, ransomware operators encrypt and steal data to further coerce a victim into paying a ransom. If the victim doesn’t pay the ransom, the ransomware operators then leak the data on a leak site or dark web domain, with the majority of leak sites hosted on the dark web. These hosting locations are created and managed by the ransomware operators. At least 16 different ransomware variants are now threatening to expose data or utilizing leak sites, and more variants will likely continue this trend.
The ransomware family that leveraged this tactic the most was NetWalker. From January 2020 to January 2021, NetWalker leaked data from 113 victim organizations globally, far surpassing other ransomware families. RagnarLocker was second, leaking data from 26 victims globally. It’s worth noting that the US Department of Justice announced in January 2021 it had coordinated international law enforcement action to disrupt the NetWalker ransomware gang. The dark web domain managed by the NetWalker operators, which hosted leaked data, is no longer accessible.
2020 Top Ransomware Observations
COVID-19 Pandemic
Adversaries take advantage of current events to lure victims into opening phishing emails, visiting fake websites, or downloading malicious files. Case in point: with the global impact of the COVID-19 pandemic, ransomware attackers heavily exploited it as a theme in ransomware attacks targeting a variety of industries. While the healthcare sector was a top target throughout 2020 due to the coronavirus, many industries suffered deeply from ransomware incidents.
Battling with a more fragile financial outlook throughout the year as well as the added challenges of employees working from home, many businesses have had to make do with less. With fewer staff and budget cutbacks, cyberthreat awareness and cybersecurity protections may be more difficult to implement.
Shifts in Approach
Ransomware has become increasingly easy to get hold of and is available in many formats targeting multiple platforms. We’ve observed shifts from high-volume and spray-and-pray models to a more focused “stay-and-play” model, where operators take their time to learn the victims and their networks, following a more traditional network penetration approach.
Platforms Targeted
In addition to ransomware being observed on Microsoft Windows®, Apple macOS®, and mobile operating systems, we are now seeing Linux being targeted as well.
Ease of Use and Availability
Adversaries understand that ransomware, specifically the ransomware as a service (RaaS) subscription-based model, is simple to execute, exceptionally effective, and potentially profitable—both from direct payments and sale of valuable information. The RaaS model allows affiliates to utilize existing ransomware software to carry out attacks, thereby earning a percentage of each successful ransom payment.
Ransomware operators continue to gain access to victim environments through traditional methods, including phishing, weak or compromised Remote Desktop Protocol (RDP) credentials, and exploiting application/software vulnerabilities. Despite 2020’s larger remote workforce, these entry techniques remained the same. Many operators are also combining commodity malware such as Dridex, Emotet, and Trickbot for initial access. Once inside a network, adversaries use native tools such as PSExec and PowerShell to enumerate the network and move laterally.
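The entry and lateral-movement techniques named above (weak or compromised RDP credentials, PsExec, PowerShell) each leave a recognizable trace in Windows event logs. The following detection script is an added example written for this page, not code from the original report or from Unit 42 or Crypsis. It assumes a SIEM export that flattens Security and System events into one `key=value` record per line (a constructed format), and it runs three rules over constructed sample events: repeated failed RDP logons (Event ID 4625, logon type 10) from one source address followed by a success (4624), installation of a service named for PsExec's default `PSEXESVC` (Event ID 7045), and a PowerShell process launched with an encoded command (Event ID 4688). The threshold of five failures and the documentation address 203.0.113.7 are assumptions chosen for the sample.

```python
import re
from collections import Counter

# Constructed sample events in an assumed flattened key=value export format.
# 203.0.113.7 is a documentation address; the records are not real telemetry.
SAMPLE_EVENTS = [
    "EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7",
    "EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7",
    "EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7",
    "EventID=4625 LogonType=10 TargetUser=svc_sql IpAddress=203.0.113.7",
    "EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7",
    "EventID=4624 LogonType=10 TargetUser=admin IpAddress=203.0.113.7",
    "EventID=4625 LogonType=2 TargetUser=jdoe IpAddress=-",
    "EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=7045 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe",
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    'EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -File C:\\scripts\\backup.ps1"',
]

# key=value pairs; values may be double-quoted to allow embedded spaces.
_KV = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')

# -e, -ec, -en, -enc and -encodedcommand: the prefixes powershell.exe accepts
# for -EncodedCommand (regex assumption; does not cover every abbreviation).
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+\S+")


def parse_event(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def detect_rdp_bruteforce(events, threshold=5):
    """Return (ip, failure_count, success_seen) for each source address with at
    least `threshold` failed RDP logons (4625, logon type 10); success_seen
    marks whether a successful RDP logon (4624) from that address also appears."""
    failures = Counter(
        e.get("IpAddress", "-") for e in events
        if e.get("EventID") == "4625" and e.get("LogonType") == "10"
    )
    successes = {
        e.get("IpAddress", "-") for e in events
        if e.get("EventID") == "4624" and e.get("LogonType") == "10"
    }
    return sorted(
        (ip, n, ip in successes) for ip, n in failures.items() if n >= threshold
    )


def detect_psexec_service(events):
    """Return service names from 7045 installs whose name or binary path
    contains PSEXESVC, PsExec's default service name."""
    hits = []
    for e in events:
        if e.get("EventID") != "7045":
            continue
        name = e.get("ServiceName", "")
        path = e.get("ImagePath", "")
        if "PSEXESVC" in name.upper() or "PSEXESVC" in path.upper():
            hits.append(name)
    return hits


def detect_encoded_powershell(events):
    """Return command lines of 4688 events that launch powershell with an
    encoded command, a common way to hide staging and lateral-movement scripts."""
    hits = []
    for e in events:
        if e.get("EventID") != "4688":
            continue
        if "powershell" not in e.get("NewProcessName", "").lower():
            continue
        cmd = e.get("CommandLine", "")
        if _ENC_FLAG.search(cmd):
            hits.append(cmd)
    return hits


def run_detections(lines):
    """Parse raw records and return one human-readable finding per rule hit."""
    events = [parse_event(line) for line in lines]
    findings = []
    for ip, n, ok in detect_rdp_bruteforce(events):
        findings.append(f"RDP brute force from {ip}: {n} failures, success seen={ok}")
    for svc in detect_psexec_service(events):
        findings.append(f"PsExec-style service installed: {svc}")
    for cmd in detect_encoded_powershell(events):
        findings.append(f"Encoded PowerShell launch: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Two caveats for anyone adapting this. The PsExec rule matches only the default service name, so a renamed PsExec binary or an operator-chosen service name passes it; corroborating 7045 events with the remote-service creation itself (a new service installed from a share path, shortly after a network logon from the same host) is more robust. The brute-force rule counts failures over the whole input; in production the count should be taken over a sliding time window so that a slow trickle of failures across days is still visible.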
The Rise of Double Extortion
Several ransomware families—NetWalker, RagnarLocker, DoppelPaymer, and many others, as shown in figure 1—have displayed their ability to exfiltrate data and use double extortion techniques. Instead of only encrypting files on the victim host(s), operators exfiltrate files first to further coerce the victim into paying the ransom. Exfiltrated files are then posted, or threatened to be published, on a public or dark web leak site, with the majority of leak sites hosted on the dark web. These hosting locations are created and managed by the ransomware operators. Some ransomware operators will further prove their knowledge of a victim’s network environment by displaying the data in the form of directories or file trees.
Ransomware Incident Costs
Organizations of all sizes across many industries have been impacted by ransomware. Compared to 2019, we observed an increase of ransomware incident response cases across several industries in the US, Canada, and Europe, as displayed in figure 5. While this figure depicts a summary of overall industry targeting, it is not representative of the known increase in incidents across sectors such as healthcare, manufacturing, and education. Ransomware engagements throughout 2020 were more complex than in prior years, leading to longer, more in-depth breach response times.
Most notably, the information technology sector saw a 65% increase in ransomware incident response cases from 2019 to 2020. As organizations shifted to remote workforces due to the COVID-19 pandemic, ransomware operators adapted their tactics accordingly, including the use of malicious emails containing pandemic-based subjects and even malicious mobile apps claiming to offer information about the virus.
Additionally, ransomware actors are demanding more money year over year in the US, Canada, and Europe. In 2020, ransom demands were an average of US$847,344, often requested in the form of bitcoin or Monero cryptocurrency. This amount can vary dramatically depending on the ransomware family.
The total cost of a ransomware incident is also typically much more than the demand itself. In 2020, the average cost of a forensic engagement (or incident response investigation) was US$73,851, even when backups were considered a viable option for the organization. This number does not account for other costs potentially accrued, monetary or otherwise, bringing the total average cost overall to a number that would incapacitate many businesses.