Commonly known as a malware from cryptovirology, Ransomware encrypts victim’s data and makes it inaccessible. The threat actors that operate a ransomware demand a ransom payment for releasing the data. They sometimes also threaten to publish the data online, breaching confidentiality of the victim organization.
For years, threat actors have been capitalizing over the fear of data loss. However, in the recent years, victim-shaming and the fear of confidentiality breach has brought them unprecedented capital, since some major ransomware operators actually published the data of victim organizations online. With a surge in cyber-attacks in the COVID-ridden cyberspace, Ransomware, of all other malware, is getting highest attention. This report is a brief presentation of Ransomware attack trends in 2020.
As the chart above shows a steady growth in Ransomware attacks since the beginning of 2019, it is reasonable to predict that the attacks will have a consistent surge in the second half of 2020 as well. Moreover, the trend line shows that the total ransomware attacks reported in 2020 so far are soon to level up with the total ransomware attacks reported in the entire duration of 2019. Of Ransomware attacks reported by Rewterz, 55% were seen in 2019 whereas 45% have been reported in the first half of 2020 alone.
Below is a breakdown of monthly ransomware attack trends in 2019 as well as 2020.
The monthly ransomware attack trend shows that ransomware attacks were at their peak in March 2020. The average monthly ransomware attacks in 2020 have doubled up compared to average monthly ransomware attacks in 2019.
As the pandemic of COVID19 brought major shifts in operational and security methods of organizational workflow, the cyberspace turned into an open field for attackers to experiment with malicious tools and to capitalize on the finances of organizations with weaker cybersecurity measures. A huge number of ransomware attacks were launched in 2020.
Moreover, the average sum paid by enterprises to ransomware attackers surged by 33% in the first quarter of 2020, as victim organizations struggled to mitigate remote working threats, finds Coveware. It also revealed that the average enterprise ransomware payment rose to over $111,000 in the quarter.
While most ransomware attacks in 2019 used some popular ransomware like GandCrab, RYUK and Maze ransomware etc., the beginning of 2020 introduced newer ransomware or older ones with newer versions. The chart below shows this experimentation with a diverse range of old and new ransomware, recorded in the first quarter of 2020. Sodinokibi (21%), Ryuk (16%) and Maze (9%) remained the top three most common variants in Q1 2020.
These diverse ransomware were not only used by a variety of emerging threat actors, but they were also distributed using a diverse range of attack vectors. Threat actors deviated from the most conventional attack vector of MalSpam campaigns and excessively experimented with other available options in Q1, 2020.
With the threat landscape more inviting than ever before, various endpoints exposed, remote work policies neglected, limited output of security controls and unpatched systems and software, the threat actors also experimented with a new range of attack vectors, marveling at some and failing at some. These included brand impersonation, deceptive downloads (untrue file types etc.), hacking of unsecure and vulnerable RDP connections, brute forcing, spear phishing, attacks on SMB hosts and distribution via infected, cracked and pirated software. However, which attack vector was used in how many attacks is still unknown.
Below are some major ransomware attacks reported in 2020 so far.
On May 8, 2020, it was reported that a new targeted attack infected several organizations in Taiwan with a new ransomware family, which researchers have dubbed ColdLock. The ransomware appeared to target databases and email servers for encryption. It is believed the threat actors somehow gained access to the Active directory servers of the targeted organizations and there they were able to set Group Policies that led to the ransomware file being downloaded and run onto machines within the affected domain.
On April 15, a ransomware attack was reported in which attackers using the Ragnar Locker ransomware encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and demanded for a 1580 BTC ransom ($10.9M or €9.9M). EDP Group is one of the largest European operators in the energy sector (gas and electricity) and the world’s 4th largest producer of wind energy. The company is present in 19 countries and on 4 continents, it has over 11,500 employees and delivers energy to more than 11 million customers.
On 2nd May, Maze aka ChaCha an infamous ransomware group claimed having hacked into the Bank of Cost Rica in August 2019. The statement was released on their victim-shaming website. They claimed that in February 2020 during their routine check of previously accessed system they found out the bank security wasn’t improved and they still had access to the bank network. Maze claimed to have obtained years of transnational data including credit cards data of 11million with 4million unique credit cards in which 140,000 belonged to US citizens.
Into the business of foreign exchange and headquartered in London, Travelex faced a website shut down on the new-year eve following a Ransomware attack. the website. All branches of Travelex including those at Tesco Bank had to function manually till the digital transaction services got restored from data backups. Potential affected customers were from the UK, US, Australia, and France. As travelers having accounts in Tesco and Asda bank depend on Travelex for money services, a small portion of them seem to be affected by the ransomware attack. A ransomware gang called Sodinokibi had told BBC that it was behind the hack and wanted Travelex to pay $6m (£4.6m). Another source from Travelex, when provided anonymity, named Maze Ransomware for data stealing and encryption in the Travelex cyber attack.
DopplePaymer is a variant of Bitpaymer ransomware, first used in June 2019. DoppelPaymer is an enterprise-targeting ransomware that compromises a corporate network, eventually gains access to admin credentials, and then deploys the ransomware on the network to encrypt all devices. As these attacks encrypt hundreds, if not thousands of devices, they tend to have a huge impact on operators and the attackers demand a very huge ransom. On April 22, it was reported that Banka Ekonomike was hit by DopplePaymer ransomware. In this case too, the threat actors released confidential information of the bank online.
Banka Ekonomike has been operating since 2001 in Prishtinë, Kosovo, as the only 100 percent local bank. Banka Ekonomike has operated a total of 30 branches, which are divided into 7 main regions within which 23 sub-branches operate. According to the statistics from the total bank end-of-year 2018 report, out of 201 branches / sub-branches present in the banking market in Kosovo, Banka Ekonomike ranked 3rd. The published data included over 2GB of files with information of financial transactions and Database backup files.
On April 6th, Rewterz published its report on a ransomware attack on the state-owned oil company of Algeria. This Maze ransomware campaign targeted and encrypted data from Berkine, a joint venture between Sonatrach, the state-owned oil company of Algeria, and the US firm formerly known as Anadarko Petroleum Corporation, through its subsidiary Anadarko Algeria Company. The main goal of the ransomware was to crypt all files that it can in an infected system and then demand a ransom to recover the files. They too, upon failure of acquiring a ransom payment, exposed the data of Sonatrach on a victim-shaming website.
On March 21, 2020, Banking technology FinTech Firm Finastra was reported to have been hit by ransomware on Friday (March 20), and was forced to close key systems and send workers home. The company is based in London and has offices in 42 countries around the world, with 10,000 employees on its workforce. Last year, the firm reported $2 billion in revenue. Nearly all 50 of the top banks in the world are Finastra’s customers.
Bad Packets’ (Threat intel firm) reported that internet-wide scans on 16 September 2019 had discovered pulse secure VPN servers unpatched prone to CVE 2019-11510 RCE leaving its systems exposed to attacks. According to Bad Packets report of January2020, Finastra also ran outdated Citrix servers prone to CVE-2019-19781. Since exploits for both vulnerabilities are publicly available, it was a low hanging fruit for attackers. Finastra acknowledged the ransomware attack but lacked evidence that customer or employee data was accessed or exfiltrated.
Earlier in February, CISA informed of a ransomware attack aﬀecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks. The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted. The victim was able to obtain replacement equipment and load last-known-good conﬁgurations to facilitate the recovery process. All OT assets directly impacted by the attack were limited to a single geographic facility. Due to partial loss of visibility, a partial lockdown of operations had to be implemented.
In late February, a new Nemty ransomware campaign showed notable deviation in its distribution methods. The first wave of Nemty activity spread via RDP and quickly moved to using the Phorpiex botnet to spread via SMB hosts with weak credentials. In this new campaign, the Phorpiex botnet continued to be leveraged but this time to send spam emails. The emails had ZIP archives attached and a subject line that was simply a smiley emoji. The subject line was likely to evade keyword detection in spam filters. Inside the ZIP archive was a VBScript file used to download and execute the final payload. CMD was used in combination with both PowerShell and BITSadmin, which was likely to increase chance of infection if one of the methods got blocked by firewalls or AV. In some cases, garbage code was added to obfuscate the file and evade static detection. The Nemty ransomware was downloaded as an executable from a known Phorphiex server.
In conclusion, it is crucial to block all these entry points that aided the distribution of ransomware in these attacks. Segregation of OT and IT networks should be implemented. SMB hosts and RDP protocols should be secured. Backups should be maintained, and most importantly, all vulnerabilities should be patched in all systems and software. Moreover, as the pandemic has come to last for months, it’s important to use secure remote collaboration tools as well as VPNs as a basic line of defense in order to prevent cyberattacks. Ransomware is a threat that needs more attention than just maintaining backups. Considering the recent victim-shaming tactics of ransomware operators, damage is highly expected once a ransomware encrypts your files. To avoid confidentiality breach and online information disclosure of your organization, make sure to implement all these measures with continuous monitoring as well as by strictly controlling and limiting policy violations.