Ransomware 2020: A Year of Many ChangesExtortion and COVID-19 Leveraged by Gangs as Ransomware Explodes
Ransomware gangs entered 2020 with a full and dangerous set of weapons at their disposal and then rolled out additional tools such as extortion and new distribution methods, a trend that is expected to continue into 2021.
Among the major changes this year were the use of:
- Double extortion;
- A healthcare facility's need to remain online to bring additional pressure;
- Trickbot and Emotet to deliver ransomware.
"[This year] will be even worse. Ransomware attacks will keep trending up until secure cloud architecture is widely adopted," says Lee McKnight, an associate professor at Syracuse University's School of Information Studies.
So, what stood out to cybersecurity pros in 2020? Topping the list was the widespread use of extortion to force ransom payments and the associated quick rise and then retirement of the Maze ransomware gang. Secondly, COVID-19 forced a massive shift to a work-from-home environment, creating more opportunities for attackers and exposing healthcare facilities to even more attacks. Finally, there was a huge increase in ransomware-as-a-service.
Ransomware attacks proliferated this year due in no small part to attackers bringing more advanced tools to bear on victims, as well as choosing their targets with an eye toward maximizing returns, says Jim Cummings, a former Director of Homeland Defense, National Security Council at the White House and currently co-founder of the security firm Next Peak.
In 2020, attackers moved from engaging in one-off events, using a single malware strain and targeting just a specific system, to taking a much more detailed and strategic approach, notes Chris Sperry, threat intelligence manager with IBM Security X-Force. Additionally, groups such as Maze, Egregor and Ryuk made the leap, integrating what had been considered low-end commodity malware such as Trickbot and Emotet into their ransomware campaigns.
"What we saw in 2020 was a push to this affiliate, or as-a-service model, where you had groups that were very capable in terms of developing a ransomware and then managing infrastructure associated with it and allowing people to purchase access or, in lieu of purchasing access, share profits potentially from a ransomware event that occurred," Sperry tells Information Security Media Group.
New Tactics: Double Extortion
The tactic of adding a layer of data extraction and then a threat to make the stolen information public if the victim refuses to pay the ransom became the go-to tactic for many ransomware groups in 2020. This technique first appeared in late 2019 when the Maze ransomware gang attacked Allied Universal, a California-based security services firm, Malwarebytes reported.
"Advanced tools enable stealthier attacks, allowing ransomware operators to target sensitive data before they are detected, and encrypt systems. So-called 'double extortion' ransomware attacks are now standard operating procedures – Canon, LG, Xerox and Ubisoft are just some examples of organizations falling victim to such attacks," Cummings says.
This exploded this year as both Maze and other gangs saw extortion as a way to strong-arm even those who prepared for a ransomware attack by properly backing up their files but could not risk the data being exposed, says Stefano De Blasi, threat researcher at Digital Shadows.
"This 'monkey see, monkey do' approach has been extremely common in 2020, with threat actors constantly seeking to expand their offensive toolkit by mimicking successful techniques employed by other criminal groups," De Blasi says.
Megan Stifel, executive director of the Global Cyber Alliance, says a key takeaway for organizations from 2020 is that more than basic hygiene is needed. It's not enough to just back up files; security staffers have to ensure details, such as using DMARC for email security and keeping three sets of backups.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is an email authentication, policy and reporting protocol that allows email senders and receivers to cooperate in sharing information about the email they send to each other. By doing so, senders can improve the mail authentication infrastructure so that all their mail can be authenticated.
An added twist cybersecurity executives called out was a switch to “big game hunting,” which is when the attacker only goes after organizations that can pay a large amount or have an inherent need to pay to regain use of their system, McKnight notes.
"The ransomware professionals making a living this way were not wasting time tricking senior citizens via mass spam/phishing campaigns into clicking on something they shouldn't, although that is still a big business. Instead, groups using Ryuk, Maze and others have targeted school districts and city governments - like Baltimore, hit for a third time in three years," he says.
Filip Truta, information security analyst with the security firm Bitdefender, says 2020 also saw ransomware gangs picking up the phone and calling their targets.
"Ransomware gangs are now going so far as to cold-call individual victims with threatening messages if they restore from backups without paying. Industry research shows the tactic has been in practice since August by such groups as Sekhmet, Conti and Ryuk," he says.
New Tactics: Using COVID-19
Ransomware operators showed no compunction about using a pandemic that has killed hundreds of thousands worldwide to their advantage.
Ransomware attacks on healthcare facilities spiked during the year as criminal groups saw that these organizations were being overwhelmed by patients and had to keep functioning, so were likely to quickly cave to anyone who could disrupt their activities.
By combining the threat of releasing any exfiltrated data, and thus making the target open to HIPAA violations and crippling a hospital's ability to care for its patients created a perfect storm to put pressure on a hospital, Sperry says.
"So I think the pressure of having all these emergency rooms and services at near capacity changes the calculus for these healthcare systems. We need to be up and operational, and it's probably worth paying the ransom in some cases to be able to say what to do," Sperry says.
McKnight called out the attack on Universal Health Services, which operates about 400 hospitals, and was taken down in September, possibly, by Ryuk ransomware.
"Whether ransom was paid, and how much, was not disclosed. But, my hunch is we are talking many millions - given how quickly they got back online," he says.
Adding to the Arsenal
As if bringing in extortion and using COVID-19 were not enough, cybercriminals added other weapons during the year.
Ransomware gangs’ use of what IBM's Sperry called commodity malware such as Trickbot and Emotet to deliver their malware, along with the ransomware-as-a-service trend, picked up a great deal of steam during the past 12 months. Cummings pointed to a report from the threat intelligence firm Intel 471 that tracked 20 new RaaS groups that surfaced in 2020.
Traditionally, Trickbot and Emotet were used to deliver banking Trojans to collect login in and account credentials, but both were wholeheartedly adopted by ransomware gangs in 2020 for use against large enterprises, Sperry says.
"If I can get one user in a corporate environment to execute this low-level malware, that gives me a toehold into the environment that I can then come in and deploy ransomware and try to reap a big payday," he says.
The following is a list of the most active ransomware gangs from Intel 471.
- Ragnar Locker
Maze also made news this year by deciding to call it quits, although it left the door open to make a return. In early November, the gang issued a statement saying it was retiring.
Maze posted a "retirement" notice to its darknet site, saying: "This project is now closed." In the note, the gang also denied it was ever the center of a larger group and ended by saying it would be back.
The Damage in Dollars
Coveware's third-quarter ransomware report tracked how these changing tactics affected the cybercriminals' bottom line. The average ransom payment increased to $233,817 in the third quarter, up 31% from the previous quarter. At the same time, the median ransom payment in the third quarter rose slightly, from $108,597 to $110,532.
The report also noted the prevalence of extortion tactics, with 50% of all attacks exfiltrating data as part of the operation. Coveware, however, believes 2020 may have seen the extortion model jump the shark, with gangs reneging on their agreement and posting data after a ransom payment was made.
The security firm listed Sodinokibi, Maze/Egregor, Netwalker, Mespinoza and Conti as groups that have gone back on their agreements.