With the unanticipated migration to remote work over the past few months, cyberattacks have increased exponentially. Certainly, all forms of attack are on the rise. But the main headline recently has been on ransomware attacks. A Group-IB report revealed that ransomware surged by 150 percent, with an average extortion amount doubling. In addition, Sophos’ global survey found that 49 percent of organizations in Israel have experienced a ransomware attack in the last 12 months.
Moreover, thirty-five percent of ransomware victims had their data encrypted. The State of Ransomware 2021 survey states that the average cost of remediating a ransomware attack in Israel is half a million dollars. In comparison, the average total cost of recovery globally stands at $1.85 million in 2021.
The Changing Ransomware Attack Landscape
Typically, ransomware attacks involve the deployment of ransomware to encrypt files and systems. Most often, attackers use phishing emails to reach victims and deploy the malware. The malware then encrypts company systems, servers, and information, and the attackers offer the decryption keys in exchange for a ransom. Increasingly, the attackers demand that victims pay the ransom in bitcoin or other cryptocurrencies.
The traditional ransomware definition and narrative are changing. Ransomware has recently become a massive business for cybercriminals. In 2020, ransomware victims paid $350 million in ransom, a 311 percent increase compared with the previous year. Correspondingly, the ransomware protection market is expected to reach $17.36 billion this year. These numbers show that ransomware has grown into a multibillion-dollar industry.
Apart from asking for higher ransoms, the tactics behind ransomware attacks are changing. In particular, attackers now quickly deploy malicious programs to steal information, especially data that is critical to daily operations. They also configure the malware to execute as soon as they gain access to the target network.
The COVID-19 pandemic and remote working have also contributed to the increase in ransomware attacks. Criminal groups use COVID-19-themed lures to exploit employees’ or consumers’ concerns regarding the pandemic. Such lures include:
- Information about in-demand commodities like hand sanitizers and vaccines
- Scams pretending to offer financial assistance as a result of the economic shutdown
- Free collaboration tools to facilitate remote working strategies
- Details on ways to prevent getting infected
Important Ransomware Trends in 2021
- The Uptick in Ransomware Attacks
There has been an uptick in ransomware attacks in 2021. According to Check Point, ransomware attacks have surged by 102% globally in 2021 compared to 2020. Security researchers have noted that, on average, more than 1,000 organizations become victims of ransomware attacks. The healthcare industry remains the most affected worldwide, with an average of 109 attacks per healthcare institution recorded every week.
- Ransomware Attack Impacts
As with all cyber-attacks, ransomware attacks cause system downtime, interrupting critical operations. The average system and operational downtime stands at 21 days in 2021, and downtime remains a costly affair as far as ransomware is concerned. It can include several factors that hinder an organization’s ability to deliver services. Organizations therefore need to allocate adequate resources to achieve resiliency against ransomware attacks.
- Ransomware Attack Tactics and Procedures
Different ransomware gangs use various techniques to execute ransomware attacks. According to CISA, RDP vulnerabilities, software flaws, and phishing campaigns are the most commonly used methods. Exploitation of RDP vulnerabilities in particular has soared because of remote working requirements, and COVID-19-themed phishing emails have increased by 667% worldwide. Attackers target employees in healthcare organizations to gain access to secured networks.
- Paying the Ransom Is Not the Solution
It is vital to understand why law enforcement agencies advise against paying a ransom. While some organizations still pay after being attacked, it is an ill-advised move. A recent survey involving 1,263 companies found that 80% of victims that pay a ransom suffer another attack later. The same study found that 46% of those who pay to regain access to stolen or encrypted data find it corrupted. Paying a demanded ransom may therefore cause more damage on top of the money lost.
- The Emergence of Ransomware as a Service
Today, we are experiencing the destructive rise of ransomware as a service (RaaS). Ransomware attacks have evolved to the point where franchisers provide attackers with encryption tools, communications, and ransom collection, typically charging a percentage of the ransom that the attackers collect. So, what is the fuss about RaaS? Why is it a big concern today? What are some examples of RaaS?
Ransomware as a Service (RaaS) – a Growing Problem
RaaS is a growing headache for organizations and security companies. RaaS works in the same way as Software as a Service: ransomware developers lease their ransomware programs to affiliates just as vendors lease legitimate SaaS products. This means that anyone, even those with little technical know-how, can hire the service and start executing ransomware attacks.
Malicious actors lacking the skills and time can therefore quickly sign up for RaaS products. RaaS provides anyone wanting a piece of cyber extortion crime with the required malware. RaaS kits are easy to locate on dark web sites, starting as low as $40 per month. The implication is that RaaS kits give low-level cybercriminals the ability to execute ransomware campaigns with little effort.
It is therefore unsurprising that cybersecurity researchers traced two-thirds of ransomware attacks in 2020 to RaaS models. Due to the increasing demand for RaaS kits, 15 ransomware affiliate schemes emerged in 2020. The growing competition may see some developers offering lower rates to more criminals, spelling bad news for businesses.
Why RaaS is a Bigger Concern
In 2021, attackers are demanding expensive ransoms. With RaaS, ransomware attacks are no longer restricted to the actual ransomware developers. Instead, ransomware affiliates hire the programs to extort victims. At the same time, RaaS kits lower the risk to the ransomware developers, as they no longer need to be involved in an attack themselves. The ransomware affiliates, in turn, decide the ransom to demand.
Many adversaries also use RaaS kits because they avoid the cost of developing ransomware from the ground up. The kits further expand the ransomware threat environment: for a few bitcoins, an adversary can hire any RaaS kit variant. Businesses should therefore anticipate more ransomware attacks due to the ready availability of various ransomware variants.
RaaS will continue to be a thorn in the side of the security community. The collaboration between ransomware developers and affiliates makes tracking and apprehending those responsible for attacks more challenging. Some ransomware variants are associated with specific groups, yet capturing the affiliates still leaves the ransomware developers free to create more malware for leasing to new affiliates.
Examples of Ransomware Groups Providing RaaS
- Sodinokibi/REvil
REvil is a ransomware group that holds the record for one of the largest ransomware demands, amounting to $10 million. REvil usually runs an affiliate model in which it takes 40% of a paid ransom. The group first warns victims of a data leak on its data leak site and uploads a small sample of the stolen data as proof. REvil leaves a link to the leaked data in the ransom note, and a countdown timer starts once the link is clicked. If the victim fails to pay, REvil leaks the rest of the data in bulk once the given time expires.
Security experts believe REvil is behind the Kaseya ransomware attack that has affected hundreds of businesses globally. Recently, hackers infiltrated a Florida-based information technology firm and deployed a ransomware attack, seizing huge amounts of data and demanding $70 million in payment for a universal decryptor that would unscramble all affected machines. The Kaseya incident is already being referred to as the biggest ransomware attack on record.
The REvil ransomware group has compromised at least 52 new victims in 2021, including construction firms, logistics companies, and healthcare institutions. In addition, the group targeted high-profile tech companies, including Acer, Quanta, and Apple, demanding a $50 million ransom. All of the companies refused to pay. In the case of Apple, the Sodin hackers threatened to publish technical information about Apple’s current and future hardware. The gang made the same threat to Acer and Quanta, and published several blueprint images belonging to Quanta.
- DarkSide
Carbon Spider is a cybercrime group operating the DarkSide RaaS affiliate program. The group specializes in compromising computers running Windows 10 but has recently expanded to Linux. Since DarkSide became active in 2020, the group and its affiliates have affected companies in at least 15 countries.
In 2021, DarkSide affiliates have compromised 37 organizations. The FBI confirmed that DarkSide was behind the ransomware attack that shut down the US-based Colonial Pipeline. The group stated that the attack was carried out after it provided the malware to affiliates under the RaaS model.
- Dharma
Dharma ransomware attacks are associated with an Iranian cybercrime group. The attacks are financially motivated, and the Dharma RaaS affiliate program has existed since 2016. Dharma ransomware usually gains access by exploiting vulnerabilities in Remote Desktop Protocol (RDP). Dharma attacks focus on small and medium-sized businesses and usually demand a smaller ransom than other variants. Due to its ready availability, Dharma has become a popular RaaS model. The providers of the Dharma RaaS model offer technical support and expertise, and operate the backend systems that support successful ransomware attacks.
Ransomware State in 2021
Just a few days ago, US President Joe Biden ordered a probe of a wave of recent ransomware attacks in the country. The attacks have impacted more than 1,500 American organizations in 2021 alone. In addition, surging ransomware attacks have been noted in other countries worldwide.
Ransomware attacks have also extended beyond cybercrime groups to advanced state actors. For example, the North Korean adversaries responsible for the destructive WannaCry attack are targeting organizations across Europe with a new ransomware strain called VHD. State cyber groups also continue to collaborate with cybercrime actors to obtain information, since data exfiltrated during ransomware attacks is useful for state intelligence goals. The overlap shows in targeting patterns, as cybercrime organizations focus on targets within their host states. Attacks on government and high-tech organizations and defense contractors in Northern Europe, the US, and the UK have increased.
Ransomware Gangs Claiming New Victims in 2021
A recent threat report found that specific ransomware gangs attacked hundreds of organizations in 2020. More concerning, they collectively compromised 292 victims between January and April 2021. In a Palo Alto 2021 ransomware report, the estimated average ransom paid per organization increased by 171%, from $115,123 to $312,493, between 2019 and 2020. Using these estimates, ransomware gangs have potentially reaped at least $41 million in 2021 alone. While ransomware attackers usually target schools, healthcare, and local governments, ransomware groups have shifted their focus to other industries, including logistics/transportation companies, construction firms, and manufacturers in the US, Canada, France, the UK, and Israel.
Agrius is one of the new ransomware gangs targeting Israeli organizations with the Apostle ransomware. According to security researchers, Apostle is a disk-wiping malware with destructive capabilities, and the new Agrius group has ties to the Iranian state. A deeper analysis of Apostle found that its encryption implementation masks the primary intention of destroying victim information. Agrius uses web shells to move laterally within a compromised network.
A different Iranian ransomware group known as N3tw0rm (Networm) has also targeted Israeli firms in recent attacks. Unlike previous COVID-19-themed ransomware attacks, N3tw0rm attacks are hacktivist-motivated. The ransomware gang has breached a non-profit organization and four Israeli companies. Veritas Logistics and H&M Israel are among the companies that were threatened with having their files leaked online unless they met demands of 3 bitcoins (approx. $170,000) and 4 bitcoins (approx. $231,000) respectively.
Other ransomware groups that have hacked different companies worldwide include DoppelPaymer and CLOP (Cl0p).
- DoppelPaymer
DoppelPaymer has been active since 2019. In December 2020, an FBI Private Industry Notification (PIN) warned that unidentified actors were using DoppelPaymer. According to the warning, the actors “encrypt data from victims within critical industries worldwide such as healthcare, emergency services, and education, interrupting citizens’ access to services.” DoppelPaymer compromised at least 52 victims in 2020, including numerous government organizations and educational centers.
- CLOP
CLOP became famous after becoming the first ransomware group to demand a ransom exceeding $20 million. In 2021, CLOP has affected 35 victims in the finance, legal, education, and manufacturing industries. Most of the victims had been affected by an initial supply chain attack targeting Accellion, which provides file transfer applications to organizations worldwide. It is unclear, however, whether CLOP was behind the Accellion attack itself.
CLOP also adopted a new tactic in which it acquired the victim’s customer contact information. The attackers would state that they would publish sensitive customer information on a dark web site if the target company failed to pay the ransom. The group would then email the affected customers, urging them to pressure the compromised company into meeting the ransom demands.
How Cynergy Helps with RaaS
Organizations need to continually identify the breachable points through which RaaS can enter. With Cynergy, you can leverage our strategic, risk-driven platform, built for lean cybersecurity teams that manage multiple product lines and need to support secure agile development at scale. Our solution shortens the risk cycle from vulnerability discovery to mitigation. We actively exploit IT assets to ensure they are vulnerability-free, so that Cynergy’s solution highlights only the vulnerabilities that need attention. We also build a prioritized action plan that can be acted upon directly from the Cynergy platform.
What’s more, Cynergy’s solution identifies and alerts on sensitive data leakage that may lead to a ransomware attack. Cynergy achieves this through rapid, wide asset discovery, including discovery of publicly exposed cloud interfaces, subdomains, websites, and leaked employee information. The solution also raises employees’ and IT teams’ awareness. The Cynergy team understands that even with the most advanced perimeter network protections, malicious actors use creative tactics to reach employees undetected. Our solution helps you measure insider vulnerability while raising awareness of the seriousness of the RaaS risk.