Cryptographers have effectively become the # 1 cyber threat for both business and government: the number of successful attacks last year grew by more than 150% by 2019, and the average ransom amount more than doubled to $ 170,000 in 2020 , according to the latest report from Group-IB “Ransomware 2020-2021”…
First of all, large corporate networks were at risk – targeted ransomware attacks (The Big Game Hunting) paralyzed the work of such giants as Garmin, Canon, Campari, Capcom and Foxconn in 2020. Downtime from one attack averaged 18 days. Most of the attacks analyzed by Group-IB occurred in North America and Europe, where most of the Fortune 500 companies are located, as well as in Latin America and the Asia-Pacific region.
The most greedy extortionists turned out to be the groups Maze, DoppelPaymer and RagnarLocker – the amount of the ransom they demanded from the victim was on average $ 1,000,000 before $ 2,000,000… Criminal groups Conti, Egregor and DarkSide joined the “gold rush” only last year, but were so active that they took the top lines of the unofficial ransomware ranking. The top 5 most active ransomware families, according to Group-IB, include Maze, Egregor, Conti, REvil and DoppelPaymer… Some of them retired by the end of the year: Egregor and Netwalker were hit by police actions, and Maze operators announced their retirement at the end of 2020. Despite these events, the criminal business of ransomware in 2021, according to forecasts of experts from Group-IB, will continue to flourish.
In Russia, despite the unspoken rule among cybercriminals “do not work on RU”, the Russian-speaking criminal group OldGremlin operated – for the first time Group-IB told about her in a report last September. Since spring 2020, OldGremlin has conducted at least 9 campaigns and attacked exclusively Russian targets – banks, industrial enterprises, medical organizations and software developers. In August 2020, a large company with a network of regional branches became a victim of OldGremlin – a ransom of $ 50,000 was demanded from it for decryption.
“For the pandemic, ransomware has become the main cyber threat for the whole world, including Russia,” says Oleg Skulkin, Leading Specialist of the Group-IB Computer Forensics Laboratory. – Last year we saw numerous OldGremline attacks on Russian enterprises, IT companies and financial institutions. This year, experts are already seeing activity with traditional groups like RTM, which have also switched to using ransomware. “
Very organized crime
One of the main driving forces behind the phenomenal growth of ransomware has been the model Ransomware-as-a-Service (“Extortion as a Service”). Its meaning is that developers sell or rent their malware to partners to further compromise the network, infect and deploy ransomware. All profits obtained in the form of the ransom were then distributed among the operators and program partners. The Group-IB DFIR team notes that 64% of all ransomware attacks analyzed in 2020 involved carriers using the RaaS model.
Another trend in 2020 is collaborations between different criminal groups. The Group-IB Threat Intelligence & Attribution system recorded 15 new public ransomware partnerships in the underground last year. Active criminal groups using the Trickbot, Qakbot and Dridex malware increasingly helped ransomware operators gain initial access to corporate networks.
The main attack vector for most ransomware gangs turned out to be public RDP servers. In 52% of all attacks analyzed by the Group-IB DFIR team, RDP servers were used to gain initial network access, followed by phishing (29%) and exploitation of open source applications (17%).
Before encrypting the data, the ransomware operators spent an average of 13 days on the compromised network, trying to find and delete all available backups before the victim could recover the encrypted files. Another success factor that allowed the gangs to obtain ransom was the preliminary theft of critical data – documents, reports, to use them as leverage to pressure the victim – a fashion for such a “double blow” set the notorious group Maze.
Given that most ransomware attacks are “manually driven,” it is critical for cyber security professionals to understand what tactics, techniques, and procedures (TTP) attackers use. Comprehensive technical analysis of attacker TTPs mapped against MITER ATT & CK®, a public knowledge base of targeted attack tactics and techniques, and threat search and detection recommendations compiled by the Group-IB Digital Forensics and Incident Response (DFIR) team. are already available in a new report “Ransomware 2020-2021”…