Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/26/2021
06:05 PM
50%
50%

Pay-or-Get-Breached Ransomware Schemes Take Off

In 2020, ransomware attackers moved quickly to adopt so-called "double extortion" schemes, with more than 550 incidents in the fourth quarter alone.

The "pay or get breached" ransomware trend — also known as the "double extortion" scheme — took off in 2020, despite the prolific Maze Team's Nov. 1 announcement that it would be discontinuing operations.

Using data collected by automated feeds, cyber-risk firm Digital Shadows documented 550 double-extortion postings on data leak sites maintained by more than a score of ransomware groups. By far, the industrial goods and services sector bore the brunt of ransomware attacks, with 29% of all 2020 attacks targeting the industry, while businesses in North America accounted for two-thirds of all attacks, Digital Shadows discovered.

Related Content:

Pay-or-Get-Breached Ransomware Schemes Take Off

Special Report: Understanding Your Cyber Attackers

New From The Edge: Learn SAML: The Language You Don't Know You're Already Speaking

Quarter over quarter, the cybersecurity firm saw a signifiant increase in ransomware attacks using the twin strategies of demanding a ransom and then leaking the data if the victim did not pay, says Jamie Hart, a cyberthreat intelligence analyst with the company.

"We are going to continue to see ransomware increase because the pay-or-get-breached method gives an opportunity for the new and less-known ransomware groups to make a name for themselves in 2021," she says. "There is no sector that is off limit to these groups."

By all measures, ransomware is now the default approach for monetizing compromised companies, with cybersecurity services firm CrowdStrike finding more than half of all of its client engagements were to clean up ransomware attacks. The number of companies hit by ransomware each year has remained steady, with 51% acknowledging a ransomware attack in the past year, and three-quarters of those attacks succeeding in encrypting some data, according to a survey by security-software firm Sophos.

While Maze accounted for a third of documented ransomware attacks in the third quarter of 2020, according to Digital Shadows' Q3 threat report, Egregor accounted for a third of incidents in the last quarter, according to ZeroFox's report. Egregor targeted Barnes & Noble Booksellers, game maker Ubisoft, and Epicor Software.

"Throughout 2020, we saw the 'pay or get breached' trend take off like a rocket and it didn’t seem to slow down," Digital Shadows stated in it analysis, published today. "To add to the already stressful situation of having their files exfiltrated and encrypted, victim organizations were pressured into paying ransom payments quickly by the threat of public exposure on a data leak site."

Digital Shadows monitors the data leak sites that ransomware groups use to publicize stolen data. Sites for six groups — Maze, Egregor, Conti, Sodinokibi, DoppelPaymer, and Netwalker — accounted for 84% of the breaches in 2020, the company said. The remaining data leak sites include more than a dozen other groups, including Ako/Ranzy Locker, Avaddon, Clop, DarkSide, Everest, LockBit, Mount Locker, Nefilim, Pay2Key, PYSA, Ragnar Locker, RansomEXX, Sekhmet, and SunCrypt, according to Digital Shadows.

While Maze accounted for a third of documented ransomware attacks in the first three quarters of 2020, Egregor accounted for a third of incidents in the last quarter. Overall, the steep rise in ransomware attacks at the end of 2020 quashed any thought that the November dissolution of the Maze Team would lead to a decline in cybercriminal activity. 

"No one really expected the Maze group to up and quit, but the statement they posted on their site said they would be back," Hart says.

The shuttering of the Maze group and the subsequent rise of the Egregor ransomware has led to speculation that remnants of the Maze group have joined with the Egregor developers. The collaboration would explain the success of Egregor, according to an analysis by the ZeroFox Alpha Team.

"One theory for the high volume of victim data is that former Maze actors may now be working on Egregor," the researchers said in the company's Q4 threat report. "These actors have prior knowledge of running a successful ransomware operation and can help the Egregor team achieve success of Maze's caliber, which ultimately makes Egregor a highly dangerous threat to vulnerable end users." 

Continuing the trend of attacks on industrial goods and services, American packaging giant WestRock acknowledged on Jan. 25 that it had suffered a ransomware breach, which had hobbled its operational technology systems. 

While cybersecurity experts and law enforcement officials have urged companies not to pay, most do not criticize when companies do pay. Ransomware groups have started using new tactics, such as cold calling victims and even threatening employees' safety, to get victims to pay, Digital Shadows said.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.