Pay-or-Get-Breached Ransomware Schemes Take Off

In 2020, ransomware attackers moved quickly to adopt so-called "double extortion" schemes, with more than 550 incidents in the fourth quarter alone.

The "pay or get breached" ransomware trend — also known as the "double extortion" scheme — took off in 2020, despite the prolific Maze Team's Nov. 1 announcement that it would be discontinuing operations.

Using data collected by automated feeds, cyber-risk firm Digital Shadows documented 550 double-extortion postings on data leak sites maintained by more than a score of ransomware groups. By far, the industrial goods and services sector bore the brunt of ransomware attacks, with 29% of all 2020 attacks targeting the industry, while businesses in North America accounted for two-thirds of all attacks, Digital Shadows discovered.

Quarter over quarter, the cybersecurity firm saw a significant increase in ransomware attacks using the twin strategies of demanding a ransom and then leaking the data if the victim did not pay, says Jamie Hart, a cyberthreat intelligence analyst with the company.

"We are going to continue to see ransomware increase because the pay-or-get-breached method gives an opportunity for the new and less-known ransomware groups to make a name for themselves in 2021," she says. "There is no sector that is off limits to these groups."

By all measures, ransomware is now the default approach for monetizing compromised companies, with cybersecurity services firm CrowdStrike finding more than half of all of its client engagements were to clean up ransomware attacks. The number of companies hit by ransomware each year has remained steady, with 51% acknowledging a ransomware attack in the past year, and three-quarters of those attacks succeeding in encrypting some data, according to a survey by security-software firm Sophos.

While Maze accounted for a third of documented ransomware attacks in the third quarter of 2020, according to Digital Shadows' Q3 threat report, Egregor accounted for a third of incidents in the last quarter, according to ZeroFox's report. Egregor targeted Barnes & Noble Booksellers, game maker Ubisoft, and Epicor Software.

"Throughout 2020, we saw the 'pay or get breached' trend take off like a rocket and it didn't seem to slow down," Digital Shadows stated in its analysis, published today. "To add to the already stressful situation of having their files exfiltrated and encrypted, victim organizations were pressured into paying ransom payments quickly by the threat of public exposure on a data leak site."

Digital Shadows monitors the data leak sites that ransomware groups use to publicize stolen data. Sites for six groups — Maze, Egregor, Conti, Sodinokibi, DoppelPaymer, and Netwalker — accounted for 84% of the breaches in 2020, the company said. The remaining data leak sites include more than a dozen other groups, including Ako/Ranzy Locker, Avaddon, Clop, DarkSide, Everest, LockBit, Mount Locker, Nefilim, Pay2Key, PYSA, Ragnar Locker, RansomEXX, Sekhmet, and SunCrypt, according to Digital Shadows.

Overall, the steep rise in ransomware attacks at the end of 2020 quashed any thought that the November dissolution of the Maze Team would lead to a decline in cybercriminal activity.

"No one really expected the Maze group to up and quit, but the statement they posted on their site said they would be back," Hart says.

The shuttering of the Maze group and the subsequent rise of the Egregor ransomware has led to speculation that remnants of the Maze group have joined with the Egregor developers. The collaboration would explain the success of Egregor, according to an analysis by the ZeroFox Alpha Team.

"One theory for the high volume of victim data is that former Maze actors may now be working on Egregor," the researchers said in the company's Q4 threat report. "These actors have prior knowledge of running a successful ransomware operation and can help the Egregor team achieve success of Maze's caliber, which ultimately makes Egregor a highly dangerous threat to vulnerable end users." 

Continuing the trend of attacks on industrial goods and services, American packaging giant WestRock acknowledged on Jan. 25 that it had suffered a ransomware breach, which had hobbled its operational technology systems. 

While cybersecurity experts and law enforcement officials have urged companies not to pay, most do not criticize when companies do pay. Ransomware groups have started using new tactics, such as cold calling victims and even threatening employees' safety, to get victims to pay, Digital Shadows said.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
