Pay-or-Get-Breached Ransomware Schemes Take Off

In 2020, ransomware attackers moved quickly to adopt so-called "double extortion" schemes, with more than 550 incidents in the fourth quarter alone.


The "pay or get breached" ransomware trend — also known as the "double extortion" scheme — took off in 2020, despite the prolific Maze Team's Nov. 1 announcement that it would be discontinuing operations.

Using data collected by automated feeds, cyber-risk firm Digital Shadows documented 550 double-extortion postings on data leak sites maintained by more than a score of ransomware groups. By far, the industrial goods and services sector bore the brunt of ransomware attacks, with 29% of all 2020 attacks targeting the industry, while businesses in North America accounted for two-thirds of all attacks, Digital Shadows discovered.

Quarter over quarter, the cybersecurity firm saw a significant increase in ransomware attacks using the twin strategies of demanding a ransom and then leaking the data if the victim did not pay, says Jamie Hart, a cyberthreat intelligence analyst with the company.

"We are going to continue to see ransomware increase because the pay-or-get-breached method gives an opportunity for the new and less-known ransomware groups to make a name for themselves in 2021," she says. "There is no sector that is off limits to these groups."

By all measures, ransomware is now the default approach for monetizing compromised companies, with cybersecurity services firm CrowdStrike finding more than half of all of its client engagements were to clean up ransomware attacks. The number of companies hit by ransomware each year has remained steady, with 51% acknowledging a ransomware attack in the past year, and three-quarters of those attacks succeeding in encrypting some data, according to a survey by security-software firm Sophos.

While Maze accounted for a third of documented ransomware attacks in the third quarter of 2020, according to Digital Shadows' Q3 threat report, Egregor accounted for a third of incidents in the last quarter, according to ZeroFox's report. Egregor targeted Barnes & Noble Booksellers, game maker Ubisoft, and Epicor Software.

"Throughout 2020, we saw the 'pay or get breached' trend take off like a rocket and it didn't seem to slow down," Digital Shadows stated in its analysis, published today. "To add to the already stressful situation of having their files exfiltrated and encrypted, victim organizations were pressured into paying ransom payments quickly by the threat of public exposure on a data leak site."

Digital Shadows monitors the data leak sites that ransomware groups use to publicize stolen data. Sites for six groups — Maze, Egregor, Conti, Sodinokibi, DoppelPaymer, and Netwalker — accounted for 84% of the breaches in 2020, the company said. The remaining data leak sites include more than a dozen other groups, including Ako/Ranzy Locker, Avaddon, Clop, DarkSide, Everest, LockBit, Mount Locker, Nefilim, Pay2Key, PYSA, Ragnar Locker, RansomEXX, Sekhmet, and SunCrypt, according to Digital Shadows.

While Maze accounted for a third of documented ransomware attacks in the first three quarters of 2020, Egregor accounted for a third of incidents in the last quarter. Overall, the steep rise in ransomware attacks at the end of 2020 quashed any thought that the November dissolution of the Maze Team would lead to a decline in cybercriminal activity. 

"No one really expected the Maze group to up and quit, but the statement they posted on their site said they would be back," Hart says.

The shuttering of the Maze group and the subsequent rise of the Egregor ransomware has led to speculation that remnants of the Maze group have joined with the Egregor developers. The collaboration would explain the success of Egregor, according to an analysis by the ZeroFox Alpha Team.

"One theory for the high volume of victim data is that former Maze actors may now be working on Egregor," the researchers said in the company's Q4 threat report. "These actors have prior knowledge of running a successful ransomware operation and can help the Egregor team achieve success of Maze's caliber, which ultimately makes Egregor a highly dangerous threat to vulnerable end users." 

Continuing the trend of attacks on industrial goods and services, American packaging giant WestRock acknowledged on Jan. 25 that it had suffered a ransomware breach, which had hobbled its operational technology systems. 

While cybersecurity experts and law enforcement officials have urged companies not to pay, most do not criticize when companies do pay. Ransomware groups have started using new tactics, such as cold calling victims and even threatening employees' safety, to get victims to pay, Digital Shadows said.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
