Sobering news for organizations, as average ransom demand closes in on $200,000
The ransomware market, fueled by coronavirus pandemic turbulence, has become the biggest single money earner for cybercriminals, according to a new report.
Threat hunting and cyber-intelligence firm Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020.
Ransomware attacks not only grew in numbers but also in scale and sophistication – the average ransom demand increased by more than twofold and amounted to $170,000 in 2020.
Ransomware attacks on average caused 18 days of downtime for the affected organizations, while the average ransom amount almost doubled. Demands at the top end of the cyber-extortion scale exceeded $1 million.
Running the numbers
In attacks analyzed by Group-IB’s digital forensics and incident response team, publicly accessible Remote Desktop Protocol (RDP) servers were the most commonly used vector to gain initial access (52%), followed by phishing (29%), and exploitation of public-facing applications (17%).
The figures are based on an analysis of more than 500 cyber-attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity.
The number of public-facing RDP servers last year increased enormously as organizations rolled out remote access to support workers obliged to work from home because of coronavirus lockdown restrictions.
Ransomware operators relied more heavily on commodity malware such as Trickbot, Qakbot, and Dridex to obtain initial access to target networks.
The Maze, Conti, and Egregor cybercrime gangs became the biggest source of threats, while North America, Europe, Latin America, and the Asia-Pacific were the most commonly attacked regions, in that order.
Some gangs operating under the Ransomware-as-a-Service (RaaS) model, such as Egregor and Netwalker, were disrupted by law enforcement efforts. Another notorious RaaS collective, Maze, called it quits at the end of 2020.
Despite these setbacks, the ransomware business as a whole continued to blossom, with off-the-shelf RaaS offerings turbo-charging the increase.
Group-IB estimates that 64% of the ransomware attacks it analyzed in 2020 came from operators using the RaaS model. In addition, Group-IB logged the arrival of 15 new public ransomware affiliate programs last year.
A number of botnet operators also partnered with ransomware gangs last year.
Big game hunting
Going after larger enterprises became a defining trend in the ransomware marketplace last year.
“The operators were less concerned about the industry and more focused on scale,” Group-IB reports.
Based on the security firm’s observations, in 2020 ransomware operators spent 13 days on average in the compromised network before deploying their system-crippling malware.
The intervening period was spent burrowing further into compromised networks (moving laterally from the point of initial compromise), dumping credentials, and exfiltrating data, as well as finding and destroying data backups.
State-sponsored hacking groups such as Lazarus (linked to North Korea) and APT27 (China) started to use ransomware during their operations, according to Group-IB.
Oleg Skulkin, senior digital forensics analyst at Group-IB, said that the global ransomware market had matured beyond all recognition over the last year.
“From what used to be a rare practice and an end-user concern, ransomware has evolved last year into an organized multibillion industry with competition within, market leaders, strategic alliances, and various business models,” Skulkin said.
The market is likely to grow still further over the coming year.
“Due to their profitability, the number of RaaS programs will keep growing, and more cybercriminals will focus on gaining access to networks for resale purposes,” Skulkin warned.
“Data exfiltration effectiveness can make it another big niche, with some actors abandoning the use of ransomware at all.”
Group-IB’s digital forensics and incident response team has mapped the most commonly used cybercrime tactics and techniques of 2020 to the MITRE ATT&CK framework.
The ‘Ransomware Uncovered 2020-2021’ report offers a sitrep on the ransomware threat environment as well as detailing potential mitigation strategies.