There's little sign that cybercriminals are about to let up on ransomware attacks anytime soon. If anything, they appear to be honing their tactics for even more dangerous and disruptive attacks on enterprise organizations over the short term.
Emsisoft recently analyzed threat data from the second and third quarters of this year and found ransomware attacks have become more focused and targeted. The success some attackers have had in extorting ransoms from enterprise targets appears to have spawned more concerted efforts by others to do the same.
"While the total number of ransomware attacks has declined, there has been a significant increase in the number of high-impact attacks targeting companies and public entities," says Fabian Wosar, CTO at Emsisoft.
Like other businesses, criminal enterprises typically tend to adopt strategies that will produce the greatest returns. For the moment, enterprise ransomware attacks appear to be one of them. "Ransoming critical business data is more profitable than spray-and-spray attacks against home users," Wosar says.
The most visible example of the trend was Sodinokibi, a ransomware-as-a-service threat used by multiple groups in targeted attacks on various major organizations in Q2 and Q3. The malware is believed to be the work of the same group behind GandCrab, a now largely inactive ransomware strain that is estimated to have netted its distributors some $2 billion in less than two years.
Sodinokibi first surfaced in April 2019 and accounted for 4.5% of all ransomware detections in Emsisoft's study. The malware is extremely evasive and includes advanced techniques to avoid detection by security tools, Emsisoft said. Attackers have used multiple methods to distribute the malware, including via phishing emails, by exploiting a security bug in Oracle's WebLogic software, and through compromised managed service providers.
Most initial Sodinokibi attacks involved targets in Asia. But in recent months the ransomware strain has been deployed against targets in Europe and the US as well. The most high-profile of these was a series of coordinated attacks on 22 local governments in Texas that disrupted critical services, including payment processing and ID-card printing in several of the affected cities. None of the victims paid the demanded ransom.
Another ransomware sample that caused considerable havoc for enterprise organizations in Q2 and Q3 was Ryuk, according to Emsisoft. Like Sodinokibi, Ryuk was used in multiple damaging attacks on local governments, including one against Riviera Beach, Florida, which netted the attackers $600,000, and another against Lake City, Florida, where the threat actors walked away with $460,000.
Emsisoft detected significantly larger volumes of attack traffic associated with other ransomware strains. The most commonly reported ransomware strain in the previous two quarters, for instance, was STOP, aka DJVU, which accounted for 56% of all submissions. The malware, which targets home users, first surfaced in 2018 and currently has more than a dozen variants. Victims are typically asked to pay the equivalent of about $490 in Bitcoin to get their data back.
Other high-volume strains included one called Dharma targeting businesses, which accounted for 12% of all ransomware attacks in the previous two quarters; Phobos, a tool used in targeted attacks on schools with 8.9% of all ransomware traffic; and GlobeImposter 2.0 (6.5%).
"While Dharma and Phobos are more commonly used than Ryuk and Sodinokibi, the latter have a higher profile because they're the malware of choice in attacks that are publicly disclosed — namely, attacks on state and municipal government, schools, and hospitals," Wosar says.
Emsisoft's analysis showed that US organizations are among the most heavily targeted in ransomware attacks. Some 13.5% of all ransomware submissions between April and the end of September were from the US. Hundreds of local government agencies, schools, and public entities in the country were hit in ransomware attacks during the period under review, Emsisoft says. Only Indonesia, with 17.1%, and India, with 15%, had more attacks in Q2 and Q3 this year.
Disruptive Attacks Increase
Emsisoft's report is consistent with those from others about an increase in targeted ransomware attacks on enterprise organizations. Some vendors have reported evidence of attackers gaining access to target networks and then lurking in them for weeks to identify high-value systems to attack.
The trend prompted the FBI to issue an alert earlier this month warning of high-impact ransomware attacks threatening US businesses and other organizations.
"Since early 2018, the incidence of broad, indiscriminant ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly," the FBI warned, citing complaints it has received from victims. While state and local government entities have borne the brunt, threat actors have actively targeted organizations in other sectors as well, including healthcare, industrial, and transportation, the agency noted.
The FBI has advised organizations not to pay a ransom to get encrypted data back. But there are signs that attackers, in turn, are finding new ways to force victims to comply.
FireEye earlier this month reported an increase in incidents where attackers are infecting hundreds of machines across a victim's network — instead of just high-value ones — to maximize disruption and leave them with little choice but to pay.
"Ransom demands vary enormously, with the average being in the region of $30,000," Wosar notes. But recovery and business interruption costs can be substantially higher. "The largest publicly disclosed ransom demand so far this year has been the $5.3 million that the city of New Bedford [Massachusetts] was asked to pay," he adds.
This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.