Security experts see little chance of ransomware attacks slowing down in 2021 given the continued and growing success that criminal groups have had in extorting sizeable ransoms from victims this year.
If anything, attacks will only get qualitatively worse as criminal groups become more organized and targeted in their campaigns, and ransomware tools become easier to obtain and deploy.
Many experts expect a sharp increase in ransomware attacks that involve the threat of data exposure — and consequentially, potential regulatory compliance issues for victim organizations. Businesses that are inclined to pay to bring their systems back online are also likely to face closer scrutiny by the US government, over concerns about ransom funds ending up in the hands of entities on US sanctions lists.
"If 2020 was a good year for anyone, ransomware operators would certainly be at the top of the list," says Ricardo Villadiego, CEO of Lumu. The past 12 months have seen more companies than ever negotiate and pay ransoms to get their data back, despite the FBI's strong guidance to not do so, he says. At the same time, he adds, the size of ransoms that attackers demand has increased sharply, with amounts well in excess of $10 million becoming fairly routine.
As examples, Villadiego points to a reported $14 million ransom demand that Brazilian utility Light SA faced following an attack on its systems earlier this year, and a $15 million demand that Telecom Argentina had to contend with in a similar situation.
"Both of these ransoms were originally half that amount and automatically doubled after three business days," he says. While it's unclear if either entity paid the ransom, the sheer size of these demands shows how criminal organizations behind these attacks have begun going after big game, Villadiego notes. Many groups behind ransomware attacks have begun to resemble conventional corporate entities, offering everything from subscription ransomware services to affiliate selling models to broaden their reach.
IBM reports one in four attacks remediated by its X-Force incident response team, as of September 2020, were ransomware-related. Some attacks involved ransom demands of more than $40 million. Schools and universities became especially popular ransomware targets this year: the switch to distance learning and hybrid environments as a result of the COVID-19 pandemic has increased their exposure to cyberattacks.
One in three ransomware attacks that IBM remediated in 2020 involved Sodinokibi, a ransomware family that replaced 2019's GandCrab as the most prolific ransomware strain. IBM's analysis showed that Sodinokibi operators consider the victim organization's revenues when determining ransom demand, with average requests ranging from 0.08% to 9.1% of a company's annual revenue. Thirty-six percent of Sodinokibi's victims paid a ransom in exchange for their data's return.
Meanwhile, a Sophos-commissioned survey of 5,000 IT managers released in May revealed 26% of ransomware victims paid their attackers over the past year. More than half (51%) of organizations represented in the survey reported a ransomware attack over the last 12 months. Though this number is marginally less than the 54% that reported an attack two years ago, Sophos learned ransomware incidents became more severe this year. Many of those reported were server-based attacks that required more effort to deploy and sought to encrypt high-value, business-critical assets.
A Grim Outlook
"As long as extortion payments continue to be made and cybercriminals continue to profit from these schemes, targeted ransomware attacks that enlist the pay-or-get-breached method will likely continue well into and beyond 2021," says Kacey Clark, threat researcher at Digital Shadows.
While there hasn't been any global ransomware event on the level of 2017's WannaCry or NotPetya, attacks have become more targeted, Clark says. In 2019, small-to-medium-sized government and public sector entities took the full brunt of ransomware attacks. This year, the most heavily affected were organizations in the technology, health, financial services, and industrial goods and services sector, she notes.
Clark, like others, expects that ransomware attacks threatening data exposure will become more popular in the coming year. "In December 2019, cybercriminals began further extorting ransomware victims by exfiltrating system contents before encrypting systems, then threatening to leak the stolen data on a public platform until the organization paid the ransom," Clark says. "This method has gained traction and ultimately became the most prominent ransomware trend of 2020."
Some 80% of Digital Shadows' ransomware-specific intelligence reports in the second quarter of 2020 were associated with three such platforms: Dopple Leaks was linked to DoppelPaymer ransomware, Happy Blog was tied to Sodinokibi, and Maze News related to the Maze ransomware family.
Weakly protected remote desktop protocol (RDP) services and phishing emails with weaponized attachments continue to be the most common ransomware infection and attack vectors. But unlike the 'spray and pray' mass attacks of the past, threat actors have begun putting more effort into remaining undetected on a breached network after gaining initial entry, Villadiego points out.
"You should expect to see ransomware operators seeking to extend their dwell time inside the network," he says.
Attackers are increasingly looking for opportunities to escalate privileges while working to identify caches of sensitive documents and other assets that could be further exploited, Villadiego says. "This is probably why you are seeing growing demand in the cybercrime forums for subcontractors with expertise using post-exploit frameworks and Red Team pentesting tools such as Cobalt Strike," he says.
Hank Schless, senior manager of security solutions at Lookout, says organizations should expect to see more ransomware targeting mobile devices in the coming year as well. Screen overlay attacks, in which threat actors essentially render a mobile device unusable, emerged as a new type of threat in 2020.
"Looking forward into 2021, mobile ransomware will continue to get more advanced," he predicts. "Threat actors are investing significant resources in mobile ransomware's ability to be effective for a long time."
The vast majority of all ransomware infections continue to result from unpatched systems, rampant password reuse, or lack of multi-factor authentication, says Anthony Grenga, vice president of cyber operations at IronNet.
By employing basic best practices against these issues, organizations can make things much harder for attackers and protect against large-scale compromise. "It's also important to plan for the worst and have regular backups for critical systems and isolate them from the main corporate network so they are not compromised in a widespread attack" Grenga says.
Clark advises that organizations prioritize patching based on the impact a particular vulnerability has on corporate data. As part of the exercise, they must consider the type and number of systems affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is. In addition, businesses should consider implementing a robust security awareness program to train employees on recognizing and reporting phishing attempts, Clark says.
"I expect that ransomware operators will continue to refine those strategies that have already been proven effective," Villadiego says. "This means we should anticipate seeing more targeted attacks on large enterprises who have the most at stake in terms of their brand reputation, and the greatest potential for operational disruption."