The ransomware rush of 2020: billion-dollar business, cooperative adversaries and fatal damage
Turbulence fueled by the global pandemic turned ransomware into the most significant money artery for cybercriminals, claims a report by cyber intelligence company Group-IB. Ransom demands grew twofold, and companies on average experienced 18 days of downtime from ransomware attacks.
“Group-IB experts estimated that ransomware groups made no less than USD 1 billion between 2019 and 2020, making the previous year the most profitable for ransomware to date,” claims the report.
An analysis of 500 attacks worldwide indicates that threat actors last year succeeded in capitalizing on the confusion caused by the pandemic. While companies were trying to remain operational with dwindling revenues and workforce in self-isolation, security measures did not keep up. Alarmingly, one attack even caused a fatality.
They are no script kiddies sending out spam anymore. This is a multi-billion industry now; the adversaries do their homework. They analyze their targets. The gangs balance their ransom demands against the targeted companies’ revenues,Oleg Skulkin.
“Dusseldorf paramedics were unable to admit a 78-year-old patient to a nearby hospital because it was under a ransomware attack. They were forced to travel 20 miles to the next nearest medical facility. The delay in treatment caused the patient’s death,” claims the report.
The number of attacks grew by a staggering 150%, whereas the average ransom demand averaged at $170,000, twice as much as in the previous year. However, the analysis shows that companies that had to deal with the average ransom demands could consider themselves lucky.
For example, Maze, DopplePlaymer, and RagnarLocker ransomware groups, on average, demanded their victims to pay up to two USD 2 million. Adversaries targeted large companies that cannot afford downtime averaging 18 days in 2020. Adversaries focused less on the industry and more on the scale of the operation.
“Big targets for quicker and bigger ransom payouts were the dominant theme of 2020. Such aspects as industry and location were all secondary factors for ransomware operators,” Oleg Skulkin, a senior digital forensics analyst at Group-IB, told CyberNews.
A general trend of big game hunting - targeted attacks against wealthy enterprises - continued to define 2020. That translated to North America and Europe, regions with the biggest concentration of Fortune 500 companies, getting the most attention. Latin America and Asia-Pacific followed in terms of attacks experienced.
“Downtime or a data loss ends up being more costly for the big business than the ransom amount, “Skulkin said.
An opportunity for quick profit expanded the number of players in big game hunting, attracting state-sponsored threat actors linked to North Korea and China. According to the report, Groups such as Lazarus and APT27 started to use ransomware during financially motivated operations.
The report, however, claims that the top 5 most active ransomware groups were Maze with 20% of all analyzed attacks, Egregor and Conti with 15%, followed by Revil and Doppel Paymer with 11%. It is worth mentioning that the prolific Maze cartel announced it was dissolving at the end of 2020.
‘They are no script kiddies’
The authors of the report notice a noticeable increase in cooperation between the threat actors. 64% of analyzed attacks employed a Ransomware-as-a-Service (RaaS) model. That involves developers selling or leasing malware programs to affiliates for further use. Threat actors share profits after the attack.
“Many RaaS programs offered to tailor ransomware to the partner’s needs, which means that such lists may be easily modified according to the target infrastructure, especially for high-profile attacks,” claims the report.
Such modus operandi allows ransomware groups to specialize in what they do best and increase the volume and scope of ransom operations. Group-IB recorded the emergence of at least 15 new public ransomware affiliate programs in 2020.
“They are no script kiddies sending out spam anymore. This is a multi-billion industry now; the adversaries do their homework. They analyze their targets. The gangs balance their ransom demands against the targeted companies’ revenues,” he explained.
Authors of the report note that botnet operators partnered with ransomware gangs last year. PowerShell, a powerful framework to execute commands and scripts, was the most frequently abused interpreter for launching the initial payload. Since the interpreter is part of every Windows-based system, it’s relatively easy to abuse it for conducting malicious activities. However, 2020 saw an increase in active exploitation of Linux systems as well.
On average, threat actors spent 13 days in the compromised networks before encrypting the data for impact. Unsurprisingly, before deploying ransomware, operators tried to compromise available backups to make it difficult to resume operations after threat actors served the ransom demand.
Public-facing RDP servers were targeted the most last year, with 52% of the attacks analyzed relying on RDP servers. The trend is linked with the global pandemic that forced the global workforce to self-isolate, causing a shift away from closed networks.