A Ransomware Pandemic - Talion

The vast majority of modern businesses rely heavily on optimised computer networks utilising shared drives and remote connections. The threat that ransomware poses to this network configuration is second to none.

2020 was tough. The world found itself in unfamiliar territory; we faced the challenges of remote working, and while we did so ransomware found a gateway to thrive. Organisations worldwide found themselves under a new level of pressure, in a year where ransomware attacks not only grew drastically in number but also broke records for their reckless and damaging methods.

Our Threat Intelligence Team observed gangs upping intimidation techniques, with companies being threatened over the phone if they refused to pay the ransom.[1] The notorious Maze operators established the first ever large-scale ransomware cartel.[2] Operators of Ryuk reportedly reached a staggering $150 million worth of Bitcoin payments from their attacks.[3] Ransomware-as-a-service (RaaS) expanded its offerings, with never-before-seen products dedicated to phishing and espionage operations.[4] And if that does not panic you enough, we witnessed the first death and homicide case opened after a ransomware attack on a German hospital shut down lifesaving equipment.[5]

The healthcare sector, already facing a colossal strain from the fight against COVID-19, became a leading target for attackers. Some thieves made the ethical choice and promised not to shut down emergency services, while others made no such promise, notably the operators of Ryuk.[6] Reports from the healthcare sector showed that half of the attacks launched against it in 2020 were linked to ransomware, which unfortunately in most instances could easily have been avoided if patching had been prioritised.[7]

Weaknesses identified in the higher education sector's infrastructure – due largely to its move to remote learning – saw the sector face more attacks than ever before, with state actors desperate to retrieve any information they could related to COVID-19 and the production of a vaccine. The National Cyber Security Centre (NCSC) issued a warning for higher education in the UK to be put on high alert, specifically against ransomware attacks.[8] While sectors such as technology, which have traditionally received a large portion of these attacks, continued to do so, we also observed previously unaffected sectors receive a huge surge in ransomware attacks, reiterating the unselective and boundless nature this tooling now carries when infecting organisations.[9]

Of what we did witness in 2020, Ryuk, Sodinokibi and (prior to its retirement) Maze accounted for the top 35% of attacks.[10] Regarding infiltration methods, researchers found that nearly half (47%) of attacks seen last year took advantage of employees working from home and utilised remote desktop protocol (RDP). Further, 26% of instances were traced back to phishing emails, while 17% made use of known vulnerabilities; the remaining 10% were attributed to account takeovers.[11] Half of these attacks adopted an approach we have only recently seen become extremely popular: exfiltrating and publicising stolen data, regardless of a ransom being paid, with operators able to make large profits via hacker forums and other parties interested in this sensitive information.[12]

One of the major takeaways from 2020 is that the COVID-19 pandemic enabled an environment for ransomware operators to dominate the cyber landscape. As we move into 2021, we can begin to see a light at the end of the tunnel for COVID-19, but it is extremely sensible to assume that we still have a long way to go before we move from the ‘new normal’ back to the ‘normal’, which raises the question – what does this mean for ransomware in 2021? Many will argue that 2020 has only been a trailer for what we will witness in 2021.

In 2020, roughly 30% of Talion’s Threat Bulletins involved ransomware, alerting our clients to new strains, but also to developments in the attack techniques, tactics, and procedures of existing strains. This reporting saw the Talion SOC able to set up internal defences for our clients, whilst also providing the necessary steps for our clients to take themselves to defend their estate against these catastrophic and often bankrupting attacks.
