Attacks/Breaches

10/20/2020
06:15 PM
Ransomware Attacks Show Little Sign of Slowing in 2021

With businesses paying increasingly larger ransoms, attackers remain motivated, say security experts who foresee a rise in attacks.

Security experts see little chance of ransomware attacks slowing down in 2021 given the continued and growing success that criminal groups have had in extorting sizeable ransoms from victims this year.

If anything, attacks will only get qualitatively worse as criminal groups become more organized and targeted in their campaigns, and ransomware tools become easier to obtain and deploy.

Many experts expect a sharp increase in ransomware attacks that involve the threat of data exposure, and consequently potential regulatory compliance issues for victim organizations. Businesses that are inclined to pay to bring their systems back online are also likely to face closer scrutiny by the US government, over concerns about ransom funds ending up in the hands of entities on US sanctions lists.

"If 2020 was a good year for anyone, ransomware operators would certainly be at the top of the list," says Ricardo Villadiego, CEO of Lumu. The past 12 months have seen more companies than ever negotiate and pay ransoms to get their data back, despite the FBI's strong guidance to not do so, he says. At the same time, he adds, the size of ransoms that attackers demand has increased sharply, with amounts well in excess of $10 million becoming fairly routine.

As examples, Villadiego points to a reported $14 million ransom demand that Brazilian utility Light SA faced following an attack on its systems earlier this year, and a $15 million demand that Telecom Argentina had to contend with in a similar situation.

"Both of these ransoms were originally half that amount and automatically doubled after three business days," he says. While it's unclear if either entity paid the ransom, the sheer size of these demands shows how criminal organizations behind these attacks have begun going after big game, Villadiego notes. Many groups behind ransomware attacks have begun to resemble conventional corporate entities, offering everything from subscription ransomware services to affiliate selling models to broaden their reach. 

IBM reports one in four attacks remediated by its X-Force incident response team, as of September 2020, were ransomware-related. Some attacks involved ransom demands of more than $40 million. Schools and universities became especially popular ransomware targets this year: the switch to distance learning and hybrid environments as a result of the COVID-19 pandemic has increased their exposure to cyberattacks.

One in three ransomware attacks that IBM remediated in 2020 involved Sodinokibi, a ransomware family that replaced 2019's GandCrab as the most prolific ransomware strain. IBM's analysis showed that Sodinokibi operators consider the victim organization's revenues when determining ransom demand, with average requests ranging from 0.08% to 9.1% of a company's annual revenue. Thirty-six percent of Sodinokibi's victims paid a ransom in exchange for their data's return.

Meanwhile, a Sophos-commissioned survey of 5,000 IT managers released in May revealed 26% of ransomware victims paid their attackers over the past year. More than half (51%) of organizations represented in the survey reported a ransomware attack over the last 12 months. Though this number is marginally less than the 54% that reported an attack two years ago, Sophos learned ransomware incidents became more severe this year. Many of those reported were server-based attacks that required more effort to deploy and sought to encrypt high-value, business-critical assets.

A Grim Outlook

"As long as extortion payments continue to be made and cybercriminals continue to profit from these schemes, targeted ransomware attacks that enlist the pay-or-get-breached method will likely continue well into and beyond 2021," says Kacey Clark, threat researcher at Digital Shadows.

While there hasn't been any global ransomware event on the level of 2017's WannaCry or NotPetya, attacks have become more targeted, Clark says. In 2019, small-to-medium-sized government and public sector entities took the full brunt of ransomware attacks. This year, the most heavily affected were organizations in the technology, health, financial services, and industrial goods and services sector, she notes.

Clark, like others, expects that ransomware attacks threatening data exposure will become more popular in the coming year. "In December 2019, cybercriminals began further extorting ransomware victims by exfiltrating system contents before encrypting systems, then threatening to leak the stolen data on a public platform until the organization paid the ransom," Clark says. "This method has gained traction and ultimately became the most prominent ransomware trend of 2020."

Some 80% of Digital Shadows' ransomware-specific intelligence reports in the second quarter of 2020 were associated with three such platforms: Dopple Leaks was linked to DoppelPaymer ransomware, Happy Blog was tied to Sodinokibi, and Maze News related to the Maze ransomware family.

Weakly protected remote desktop protocol (RDP) services and phishing emails with weaponized attachments continue to be the most common ransomware infection and attack vectors. But unlike the 'spray and pray' mass attacks of the past, threat actors have begun putting more effort into remaining undetected on a breached network after gaining initial entry, Villadiego points out.

"You should expect to see ransomware operators seeking to extend their dwell time inside the network," he says.

Attackers are increasingly looking for opportunities to escalate privileges while working to identify caches of sensitive documents and other assets that could be further exploited, Villadiego says. "This is probably why you are seeing growing demand in the cybercrime forums for subcontractors with expertise using post-exploit frameworks and Red Team pentesting tools such as Cobalt Strike," he says.

Hank Schless, senior manager of security solutions at Lookout, says organizations should expect to see more ransomware targeting mobile devices in the coming year as well. Screen overlay attacks, in which threat actors essentially render a mobile device unusable, emerged as a new type of threat in 2020.

"Looking forward into 2021, mobile ransomware will continue to get more advanced," he predicts. "Threat actors are investing significant resources in mobile ransomware's ability to be effective for a long time."

The vast majority of all ransomware infections continue to result from unpatched systems, rampant password reuse, or lack of multi-factor authentication, says Anthony Grenga, vice president of cyber operations at IronNet.

By employing basic best practices against these issues, organizations can make things much harder for attackers and protect against large-scale compromise. "It's also important to plan for the worst and have regular backups for critical systems and isolate them from the main corporate network so they are not compromised in a widespread attack," Grenga says.

Clark advises that organizations prioritize patching based on the impact a particular vulnerability has on corporate data. As part of the exercise, they must consider the type and number of systems affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is. In addition, businesses should consider implementing a robust security awareness program to train employees on recognizing and reporting phishing attempts, Clark says.
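As an added example (not from the article or from any of the firms quoted), the Python below ranks a constructed patch backlog by the criteria Clark lists: impact on corporate data, the type and number of affected systems, the access level needed to exploit the flaw, and how widely known it is. The weights, category names and VULN-* identifiers are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

# Weights are illustrative assumptions, not values from the article or Digital Shadows.
ACCESS_WEIGHT = {"remote_unauthenticated": 1.0, "remote_authenticated": 0.6, "local": 0.3}
DISCLOSURE_WEIGHT = {"exploited_in_wild": 1.0, "public_exploit": 0.8, "advisory_only": 0.4, "private": 0.2}
SYSTEM_TYPE_WEIGHT = {"domain_controller": 1.0, "file_server": 0.9, "database": 0.9, "rdp_gateway": 0.8, "workstation": 0.4}

@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # placeholder identifier, not a real CVE
    data_impact: int      # analyst estimate 1..5 of impact on corporate data
    system_type: str      # type of affected system (key of SYSTEM_TYPE_WEIGHT)
    affected_count: int   # number of affected systems
    access_required: str  # access level an attacker needs (key of ACCESS_WEIGHT)
    disclosure: str       # how widely known the flaw is (key of DISCLOSURE_WEIGHT)

def priority_score(v: Vuln) -> float:
    """Higher score means patch sooner; roughly 0 to a little over 100."""
    if not 1 <= v.data_impact <= 5 or v.affected_count < 1:
        raise ValueError(f"{v.vuln_id}: data_impact must be 1..5 and affected_count >= 1")
    try:
        access = ACCESS_WEIGHT[v.access_required]
        known = DISCLOSURE_WEIGHT[v.disclosure]
        system = SYSTEM_TYPE_WEIGHT[v.system_type]
    except KeyError as exc:
        raise ValueError(f"{v.vuln_id}: unknown category {exc}") from None
    # Breadth grows with the number of systems but sub-linearly, so a single
    # exposed gateway is not drowned out by hundreds of low-value desktops.
    breadth = 1.0 + math.log10(v.affected_count)
    return round((v.data_impact / 5) * system * breadth * access * known * 100, 2)

def rank(vulns):
    """Return vulnerability ids ordered from most to least urgent."""
    return [v.vuln_id for v in sorted(vulns, key=priority_score, reverse=True)]

# Constructed sample backlog (placeholder ids, not real vulnerabilities).
SAMPLE = [
    Vuln("VULN-A", 5, "rdp_gateway", 2, "remote_unauthenticated", "exploited_in_wild"),
    Vuln("VULN-B", 3, "workstation", 500, "local", "advisory_only"),
    Vuln("VULN-C", 5, "database", 3, "remote_authenticated", "public_exploit"),
    Vuln("VULN-D", 4, "domain_controller", 1, "local", "private"),
]

if __name__ == "__main__":
    for v in sorted(SAMPLE, key=priority_score, reverse=True):
        print(f"{v.vuln_id}: {priority_score(v)}")
```

Note that the 500 workstations with a locally exploitable, advisory-only flaw rank below three databases with a public exploit: the access level and public knowledge factors outweigh raw system count, which is the point of Clark's criteria.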

"I expect that ransomware operators will continue to refine those strategies that have already been proven effective," Villadiego says. "This means we should anticipate seeing more targeted attacks on large enterprises who have the most at stake in terms of their brand reputation, and the greatest potential for operational disruption."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...