Why ransomware attacks will explode in 2021

By Brian Dixon

The COVID-19 pandemic has proven a boon to ransomware operators, who only look set to step up their activities over the coming year.

Accurately predicting the future is difficult at the best of times, let alone during this present period of pandemic-induced uncertainty. However, one sure bet seems to be that the frequency and intensity of ransomware attacks will only escalate further over the coming 12 months. Or, as UK-headquartered cybersecurity firm Sophos puts it in its 2021 Threat Report, ransomware threat actors will “continue to innovate both their technology and their criminal modus operandi at an accelerating pace.”

Such a prognosis should not perhaps come as a shock given the levels of ransomware activity recorded in 2020, a year marked by an unprecedented upswing in remote working. A digitalised step taken to stem the spread of COVID-19, this rapid shift to global-scale teleworking has nonetheless led to a prevalence of what Switzerland's Acronis calls “remote, poorly protected workers” that in turn provide cybercriminals with a plethora of potential gateways “to the business data and systems located in empty offices and data centres.”

Significant increase

Specifically addressing the issue of ransomware, Greg Foss, senior cybersecurity strategist with US cybersecurity firm VMware Carbon Black, for instance, revealed during a recent end-of-year webinar that 2020 had seen “a significant increase” in such attacks “of upwards of 900%” compared to 2019. And while some might quibble with the exact stats at stake, it seems hard to dismiss the year's long litany of high-profile attacks. 

In addition to tech firm Garmin getting hit with a $10m ransom from WastedLocker operators in July, other organisations that found themselves in the crosshairs last year included:

  • Telecom Argentina, which received a demand of $7.5m from REvil
  • The Chinese arm of French shipping giant CMA CGM, which was attacked using Ragnar Locker
  • Japanese camera and optics manufacturers Canon and Konica Minolta, hit by Maze and RansomEXX, respectively
  • Data processing firm Equinix, itself targeted by Netwalker

Meanwhile, UK football team Manchester United also fell foul of an unspecified ransomware attack in November along with Italian alcohol producer Campari. Then, after Canadian telecoms firm Sangoma Technologies confirmed on Christmas Eve that it too had been compromised, the year ended with news that US home appliance manufacturer Whirlpool had also taken a hit.

Health and education

While Russia's Positive Technologies notes that ransomware operators generally tend to be selective in targeting “major companies able to provide a large payday or else organisations ill-able to afford any disruptions,” ransomware victims are definitely not confined to the world of commerce. This was made abundantly clear in 2020, with numerous ransomware families targeting the health and education sectors in Europe and the US alike, even as hospitals, as the Sophos report puts it, “became COVID-19 battlegrounds and schools struggled to invent an entirely new way to teach children through March and beyond.”

Moreover, such activity looks unlikely to cease anytime soon, with the US Treasury's Financial Crimes Enforcement Network (FinCEN) warning at the end of December that “cybercriminals, including ransomware operators, will continue to exploit the COVID-19 pandemic alongside legitimate efforts to develop, distribute, and administer vaccines.” Stating that it is “aware of ransomware directly targeting vaccine research,” FinCEN is thus urging financial institutions “to stay alert to ransomware targeting vaccine delivery operations as well as the supply chains required to manufacture the vaccines.”

Similarly, cybercriminals have proven themselves more than willing to exploit the explosion of remote schooling and distance learning borne of the COVID-19 pandemic. While attacks on US primary and secondary schools accounted for 28% of all ransomware attacks reported to the Multi-State Information Sharing and Analysis Center (MS-ISAC) between January and July, the figure more than doubled to 57% at the start of the new school year in August and September, with the US Cybersecurity and Infrastructure Security Agency (CISA) identifying Ryuk, Maze, Nefilim, AKO and Sodinokibi/REvil as the five most commonly identified ransomware variants involved in these attacks during the first nine months of the year. 

Mirroring this, the UK's National Cyber Security Centre (NCSC) also issued a warning in September of targeted ransomware attacks on the country's education sector, noting that since the previous month it had been “investigating an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges and universities.”

Not just encryption

However, while some targets managed to recover from these attacks by keeping secure backups, not all such victims escaped so easily as a result of a rapidly growing trend among ransomware operators. 

“As a countermeasure to their victims' preparedness, several ransomware families picked up on a side hustle designed to increase pressure on their victims to pay the ransom – even if every backup with essential data was safe,” the Sophos report states.

“Not only would they hold the machines hostage, but they would steal the data on those machines and threaten to release it to the world if the targets fail to pay a bounty.”

Although ransomware typically targets key file types for encryption, operators are showing themselves to be far less discerning when it comes to data theft, hoovering up whatever files and folders they can with little concern for size nor content. Indeed, Sophos reports that it has seen “as little as 5 GB and as much as 400 GB of compressed data being stolen from a victim prior to deployment of the ransomware.”

Furthermore, the company's analysts have also observed a trend among ransomware operators to exfiltrate data from a victim's network via “a common (and slowly growing) toolset” of well-known and legitimate utilities that therefore don't get flagged by endpoint security products. As well as Total Commander, 7zip and WinRAR, such tools also include psftp (PuTTY's SFTP client) and Windows cURL. 

Additionally, ransomware operators have also revealed a tendency to send exfiltrated data to legitimate cloud storage services, most notably Google Drive; Amazon S3 (Simple Storage Service); Mega.nz. Again, this makes such nefarious activity harder to spot as such sites represent common network traffic destinations. 

Worryingly, Sophos warns that the list of ransomware families engaged in data theft “continues to grow” and now includes Doppelpaymer, REvil, Clop, DarkSide, Netwalker, Ragnar Locker and Conti. Such cybercriminals are also operating leak sites where such stolen data can be publicised and bought. Although it remains to be seen as to whether data exfiltration will ultimately outstrip data encryption as a revenue source and therefore focus for ransomware operators, this could yet prove the reality, with Acronis for one envisaging just such a scenario in its Cyberthreats Report 2020.

Barriers to entry

The promotion and sale of stolen data on such dark web leak sites also ties in with another noticeable development observed in 2020, what Foss terms “the large resurgence of ransomware as a service” (RaaS). “Advanced and assisted by these initial access brokerage marketplaces” that sell access to compromised networks and organisations, RaaS opens up whole new vistas to cybercriminals that might otherwise lack the technical ability to execute attacks themselves. At the same time, Foss notes, it also highlights just “how the bar has been lowered for entry into this game” and in so doing making it “all that more devastating.” 

In line with this, there is also evidence to suggest that ransomware actors are increasingly working together and sharing knowhow. As attacks last year intensified, it initially appeared that the types of ransomware at play were widening, the Sophos report reveals. However, over time and after investigating “an increasing number of attacks,” the company's analysts “discovered that some ransomware code appeared to have been shared across families,” indicating that groups were inclined “to work in collaboration more than in competition with one another.”

To what extent this may be so, of course, is open to question. What seems less so, though, is that the ransoms at stake are rising. At the end of 2019, the average ransom payout came in at just over $84,000, Sophos calculates.

By the third quarter of last year, ransom payouts had risen to almost $234,000, itself a 21% increase on the prior quarter's figure of roughly $178,000.

“Ransomware threat actors understand how expensive downtime can be and have been testing the upper limit of what they can extract in a ransom attack,” the report states. Exactly when they will reach that limit, though, is something that as yet remains disconcertingly moot.

About the author: Brian Dixon is a freelance journalist and video editor with more than 20 years' experience covering business, tech and industrial beats for print and online publications in the UK, Poland and Sweden. A keen traveller, he has so far visited 75 countries on six continents. Pandemics permitting, he divides his time between the UK, Poland and Japan.