Comprehensive ransomware report from Palo Alto Networks
The subject of ransomware has been a major concern for businesses and the tech industry for several months. Because of the recently discovered security gaps in SolarWinds (keyword: SolarStorm) and Microsoft Exchange Server (keyword: Hafnium), practically no one could avoid dealing with extortion via cyberattacks.
Palo Alto Networks presents an exclusive, detailed inventory of ransomware: methods, costs, trends and scenarios.
What is the current state of the ransomware threat landscape? How severely are German companies threatened? What happens to stolen data?
Palo Alto Networks’ Unit 42 Threat Intelligence Team and Crypsis Incident Response Team worked together to analyze the ransomware threat landscape in 2020. The Unit 42 Ransomware Threat Report details the top ransomware variants, average ransomware payments, ransomware predictions and actionable next steps to reduce ransomware risk immediately.
Particularly noteworthy: according to the evaluation, only in the USA and Canada were more companies affected by the illegal disclosure of their data than in Germany, which thus ended up in third place.
Cybercriminals are making and demanding more money than ever before
The following data is from the United States, Canada, and Europe. The average corporate ransom paid rose from $115,123 in 2019 to $312,493 in 2020, a 171 percent year-over-year increase. In addition, the highest ransom paid doubled from $5 million in 2019 to $10 million in 2020. Meanwhile, cybercriminals are getting greedier. From 2015 to 2019, the highest ransomware demand was $15 million; in 2020 it rose to $30 million. Notably, Maze ransom demands averaged $4.8 million in 2020, a significant increase compared to the average of $847,344 for all ransomware families in 2020. Cybercriminals know they can make money from ransomware and are getting bolder with their demands.
Healthcare organizations in the crosshairs
The world was changing with COVID-19, and ransomware operators used the pandemic to prey on organizations, especially healthcare, which was the top ransomware target in 2020. The ransomware operators were brash in their attacks and tried to make as much money as possible. They knew healthcare organizations needed to keep running to treat COVID-19 patients and save lives. Clinics could not afford to go without their systems and were more willing to pay the ransom.
2020 top observations on ransomware
Cyber attackers use current events such as the COVID-19 pandemic to trick victims into opening phishing emails, visiting fake websites or downloading malicious files. For example, the global impact of the COVID-19 pandemic has been used as a lure for ransomware attacks on a wide variety of industries. While the healthcare sector was a top target in 2020 due to the coronavirus, many other industries also suffered badly from ransomware incidents. Grappling with more fragile financial conditions and the added challenges of employees working from home year-round, many companies had to get by with less. With fewer staff and budget cuts, it can be more difficult to raise cyber threat awareness and implement cybersecurity protections.
Shifts in the approach
Ransomware is becoming easier to come by and is available in many formats targeting different platforms. Researchers have seen a shift from high-volume, spray-and-pray models to a more focused “stay-and-play” model, where operators take time to get to know victims and their networks and follow a more traditional network-penetration approach.
Ransomware is not only being observed on Microsoft Windows, Apple macOS, and mobile operating systems, but is now targeting Linux as well.
Ease of use and availability
Attackers know that ransomware, especially the subscription-based Ransomware as a Service (RaaS) model, is easy to run, highly effective, and potentially profitable – both through direct payments and the sale of valuable information. The RaaS model enables affiliates to use existing ransomware software to carry out attacks and thus earn a share of every successful ransom payment.
Ransomware operators continue to use traditional methods to gain access to victims’ environments, e.g. phishing, weak or compromised RDP (Remote Desktop Protocol) credentials, and exploitation of application and software vulnerabilities. Despite the greater number of teleworkers in 2020, these access techniques have remained the same. Many operators also rely on commodity malware such as Dridex, Emotet and Trickbot for initial access. Once inside a network, the attackers use native tools like PsExec and PowerShell to enumerate the network and move laterally.
Trend towards double extortion
A common ransomware attack is when the ransomware operator encrypts data and forces the victim to pay a ransom to unlock it. In the case of double extortion, the ransomware operators encrypt and steal data to further compel the victim to pay a ransom. If the victim does not pay the ransom, the ransomware operators publish the data on a leak site or a dark web domain, with most of the leak sites being hosted on the dark web. These hosting locations are created and managed by the ransomware operators.
At least 16 different varieties of ransomware are now threatening to reveal data or use leak sites, and more varieties are likely to continue this trend. Some ransomware operators also prove their knowledge of a victim’s network environment by displaying the data in the form of directories or file trees.
Several ransomware families, such as NetWalker, RagnarLocker, DoppelPaymer, and many others, have demonstrated their ability to exfiltrate data and use double extortion techniques. The ransomware family that most commonly used this tactic was NetWalker. From January 2020 to January 2021, NetWalker leaked data from 113 victim organizations worldwide, far surpassing other ransomware families. RagnarLocker ranked second, leaking data from 26 victims worldwide.
The US Department of Justice announced in January 2021 that it would coordinate international law enforcement efforts to break up the NetWalker ransomware gang. The dark web domain managed by the NetWalker operators, on which the leaked data was hosted, is no longer accessible.
The future of ransomware
Looking at the activity in 2020 and back over the last few years, it is easy to see which ransomware trends are continuing and which components have grown faster than expected.
The ease with which ransomware attacks succeed suggests that more and more financially motivated operators will appear on the scene. Attackers of all types are constantly on the lookout for companies to target, and they know that ransomware is not only effective but can also be low-cost, especially if they use the ransomware-as-a-service model. The researchers expect more and more operators to follow this model in order to extort money.
Increase in variants and skills
Some of the most prevalent ransomware families observed in 2020 were less than a year old. New and updated flavors of ransomware continue to be developed and deployed, used as standalone malware or in conjunction with traditional malware. As Linux becomes more and more a target for ransomware, it is clear that attackers will continue to develop the ability to attack all types of systems.
More profit from double extortion
Proof of compromise and double extortion techniques were also less than a year old at the start of 2020, but they have since exploded in popularity. At least 16 different ransomware flavors are now threatening to reveal data or use leak sites, and more flavors are likely to continue this trend. Along with this, the use of Tor and other anonymity services will continue to increase. The use of anonymity services makes it difficult for security researchers and law enforcement officers to track activity and identify indicators that can be used for network defense.
Rising ransom demands
The highest ransom demand has risen from $500 to more than $30 million in just a few years, and doubled from $15 million to $30 million in 2020 alone. As long as the attackers continue to be paid, these demands will continue to grow. Very few operators make ransom demands in forms other than virtual currency, with a general preference for Bitcoin, although Monero has also been demanded in several incidents observed by the researchers.
Continued use of the familiar
Much of the success of these operators lies in their ability to evade detection. The attackers will continue to infiltrate networks using traditional phishing methods, weak credentials and tools that are present in the target environments. This includes using post-exploitation frameworks such as Cobalt Strike, PowerShell Empire, and PowerSploit.
Conclusion and recommendations
Defending against ransomware attacks is similar to protecting against other malware. However, ransomware poses a much higher risk for businesses.
Initial access in the event of an attack
The initial access is relatively uniform across all ransomware variants. Organizations should train and educate their users about email security, and consider ways to detect and remove malicious email as soon as it reaches an employee’s inbox. Organizations should also ensure that they practice proper patch management and review which services may be exposed to the Internet. Remote desktop services should be properly configured and secured, applying the principle of least privilege wherever possible, with a policy to identify patterns associated with brute-force attacks.
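As an added illustration of the brute-force detection policy recommended above (this is example code, not from the report or Palo Alto Networks), the following script runs over constructed, simplified exports of Windows Security Event ID 4625 (failed logon) records, keeps only RDP logons (LogonType 10), and flags any source IP that exceeds a failure threshold inside a sliding time window; the record format, hostnames and IP addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry) in a simplified key=value export of
# Windows Security Event ID 4625. LogonType=10 is RemoteInteractive (RDP); 2 is console.
SAMPLE_LOGS = """\
2020-11-03T08:00:01 host=fs01 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=203.0.113.7
2020-11-03T08:00:03 host=fs01 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7
2020-11-03T08:00:04 host=fs01 EventID=4625 LogonType=10 TargetUser=backup SrcIP=203.0.113.7
2020-11-03T08:00:06 host=fs01 EventID=4625 LogonType=10 TargetUser=sql SrcIP=203.0.113.7
2020-11-03T08:00:07 host=fs01 EventID=4625 LogonType=10 TargetUser=test SrcIP=203.0.113.7
2020-11-03T08:00:09 host=fs01 EventID=4625 LogonType=10 TargetUser=guest SrcIP=203.0.113.7
2020-11-03T08:15:00 host=fs01 EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.20
2020-11-03T09:30:00 host=fs01 EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.20
2020-11-03T09:31:00 host=fs01 EventID=4625 LogonType=2 TargetUser=jdoe SrcIP=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=4625 LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_failed_rdp_logons(text):
    """Yield (timestamp, host, user, src_ip) for RDP (LogonType 10) failures only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("ltype") == "10":
            yield (datetime.fromisoformat(m.group("ts")), m.group("host"),
                   m.group("user"), m.group("ip"))


def detect_rdp_bruteforce(text, threshold=5, window_minutes=5):
    """Return {src_ip: {"failures": n, "users": [...]}} for every source IP with at least
    `threshold` failed RDP logons inside any `window_minutes` sliding window."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, _host, user, ip in parse_failed_rdp_logons(text):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the oldest event is within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Many distinct usernames from one source is the password-spraying pattern.
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[ip] = {"failures": end - start + 1, "users": users}
    return alerts
```

With the defaults only 203.0.113.7 is flagged (six failures against six accounts within nine seconds); the two failures from 198.51.100.20 are 75 minutes apart and only trip a much looser policy.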
Backup and restore process
Organizations should continue to back up their data and have an appropriate recovery process in place. Ransomware operators will specifically encrypt on-site backups, so companies should ensure that all backups are kept securely offline. Recovery processes must be implemented and rehearsed with key stakeholders to minimize downtime and costs for the company in the event of a ransomware attack.
The most effective forms of ransomware protection are endpoint security, URL filtering or web protection, advanced threat prevention (unknown threats / sandboxing), and anti-phishing solutions, deployed across all corporate environments and on all devices. While these solutions do not guarantee complete protection, they drastically reduce the risk of infection from common variants and provide overlapping coverage, so that one technology enforces a control where another may not be effective.