An analysis from global cybersecurity company Group-IB reveals that ransomware attacks more than doubled last year and increased in both scale and sophistication.

The massive payouts that averaged between $1 and $2 million for some ransomware gangs attracted new actors that focused on large companies mostly in North America and Europe.

Pulling data from more than 500 attacks analyzed in incident response jobs, Group-IB was able to provide an overview of the evolution of the ransomware business in 2020 and the tactics, techniques, and procedures (TTPs) used in the events leading to encrypting victim systems.

The ransomware scene got larger and more dynamic, with operations of some prominent players being impacted or terminated either due to law enforcement efforts [1, 2] or because they retired [1, 2, 3]. More and more actors now have leak sites where they publish stolen data from victims that did not pay the ransom.

Others started new operations, either following the successful ransomware-as-a-service (RaaS) model, the so-called affiliate programs, or handling every step themselves, from finding and compromising victims to deploying the file-encrypting malware on the network and negotiating the ransom.

Among the new actors that joined the big-money ransomware game in 2020 are Conti, Egregor, and DarkSide. As per Group-IB’s data, the first two became so prolific that they have a spot in the top five gangs with the largest number of attacks.

Ryuk is missing from the above ranking because its attacks have been merged with its successor, Conti, Group-IB told BleepingComputer.

It is important to note that all the groups above follow a business model where everyone involved focuses on what they do best: malware development, initial access, lateral movement. The profits are shared between the operators of the RaaS program and the affiliates.

“Group-IB DFIR team observed that 64% of all ransomware attacks it analyzed in 2020 came from operators using the RaaS model. The prevalence of affiliate programs in the underground was the underlying trend of 2020.”

According to Group-IB’s data, this approach led to attacks increasing by 150% last year and a twofold growth of the average ransom, to $170,000. These figures are similar to statistics from ransomware remediation firm Coveware, which noted a $154,108 average for Q4 2020.

However, the greediest actors - Maze, DoppelPaymer, ProLock and RagnarLocker - demanded much higher ransoms that averaged between $1 million and $2 million. Among the highest payouts are astonishing figures reaching as much as $34 million.

Group-IB says that, in terms of impact on victims, ransomware attacks caused an average of 18 days of downtime last year.

For initial access to a target network, ransomware actors typically relied on botnets like Trickbot, Qakbot, Bazar, Buer, or IcedID that they partnered with specifically for this purpose.

Typically, the actors spent 13 days inside the compromised network before deploying the encryption process. During this period, they would move laterally across the network, expand their control, and identify and remove backups to increase the impact.

The primary vectors of compromise were external remote services, mostly RDP, followed by phishing and the exploitation of public-facing applications (Citrix, WebLogic, VPN servers, Microsoft Exchange).

source: Group-IB

To help defenders stay up-to-date with how ransomware gangs operate, Group-IB mapped the most common TTPs observed during their 2020 incident response engagements according to the MITRE ATT&CK knowledge base of adversary tactics.

Group-IB describes the techniques and tactics below in a report released today, organized by how frequently they were encountered. The company provides mitigation recommendations for each attack method.

source: Group-IB

Based on their findings, the researchers predict that the ransomware threat will continue to grow and actors will adapt to make it even more profitable by using Linux variants more often and advancing or changing their techniques (e.g. focus on stealing data for extortion and abandoning encryption).

Furthermore, compromising enterprise networks for resale to ransomware affiliates will become a busier market as more actors want to join the big-money game.

Group-IB also says that more state-backed threat actors will get involved either for financial rewards or disruptive purposes.

Oleg Skulkin, senior digital forensics analyst at Group-IB, says that ransomware has become “an organized multi-billion industry with competition within, market leaders, strategic alliances, and various business models.”
