The ransomware payments made last year, averaging between $1 million and $2 million, attracted new groups to cybercrime that focused on large companies, mainly in North America and Europe. A global study by cybersecurity firm Group-IB reveals that ransomware attacks more than doubled in 2020 and grew in scale and sophistication.
Based on data from more than 500 attacks analyzed in its incident response work, Group-IB has produced a comprehensive report giving an overview of the evolution of the ransomware business and of the tactics, techniques and procedures (TTPs) used in the attacks that resulted in the encryption of victims’ systems.
Ransomware attacks have grown bigger and more dynamic, driven by the operations of several prominent hacker groups, even though some of those groups have been shut down by law enforcement action or have “retired”. At the same time, more and more ransomware operators now run leak sites where they publish data stolen from victims who do not pay the ransom.
In addition, other groups started operations that followed the successful ransomware as a service (RaaS) model, the so-called affiliate programs, or handled all stages of the attack themselves, from finding and compromising victims to deploying the malware that encrypts files on the victim company’s network and negotiating the ransom.
Among the new players that joined the multi-billion dollar ransomware industry in 2020 are Conti, Egregor and DarkSide. According to the Group-IB data, the first two have become so prolific that they rank among the top five gangs by number of attacks.
The report notes that all groups follow a business model in which each participant focuses on what they do best: malware development, initial access, lateral movement. Profits are shared between RaaS program operators and affiliates.
Group-IB’s digital forensics and incident response (DFIR) team found that 64% of all ransomware attacks it analyzed in 2020 came from operators using the RaaS model. The prevalence of affiliate programs in the cybercrime underground was the dominant trend of the past year.
According to the Group-IB data, this approach led to a 150% increase in attacks last year and pushed the average ransom up to $170,000. These numbers are in line with statistics from the ransomware remediation company Coveware, which saw an average ransom of $154,108 in the fourth quarter of 2020.
However, the greediest actors, such as Maze, DoppelPaymer, ProLock and RagnarLocker, demanded much higher ransoms, averaging between $1 million and $2 million. Some payments were far higher still, reaching US$34 million.
Group-IB says that, in terms of impact on victims, ransomware attacks caused an average of 18 days of downtime last year.
For initial access to a network, ransomware operators typically relied on botnets such as Trickbot, Qakbot, Bazar, Buer or IcedID, with which they partnered specifically for this purpose.
Typically, attackers spend 13 days inside the compromised network before launching the encryption process. During this time they move laterally, expand their control, and identify and remove backups to increase the impact of the attack.
The main vector of compromise was external remote services, mainly RDP (Remote Desktop Protocol), followed by phishing and the exploitation of public-facing applications (Citrix, WebLogic, VPN servers, Microsoft Exchange).
To help companies stay up to date on how ransomware gangs operate, Group-IB mapped the most common TTPs seen during its incident response engagements to the MITRE ATT&CK knowledge base.
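Two of the behaviours described above leave clear traces in ordinary host logs: RDP logons arriving from outside the organisation’s own address space (ATT&CK technique T1133, External Remote Services) and the deletion of local backups before encryption starts (T1490, Inhibit System Recovery). The following Python is an added illustration and not code from the Group-IB report: it runs two simple rules over a handful of constructed Windows-style log lines (invented for this example), tags each hit with its ATT&CK technique, and counts hits per technique. The internal network ranges, the log line format and the `Finding` structure are assumptions of the example.

```python
"""Toy detector for two ransomware precursors (added example, not from the report)."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed: address ranges this hypothetical organisation treats as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Command lines that remove local recovery points (ATT&CK T1490).
BACKUP_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# "key=value" pairs; the value runs until the next " key=" or end of line,
# so a CommandLine value may itself contain spaces.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample log lines: "<timestamp> <host> key=value ...".
SAMPLE_LOGS = [
    "2020-11-03T08:12:01 dc01 EventID=4624 LogonType=10 User=svc_backup Src=203.0.113.45",
    "2020-11-03T08:12:05 dc01 EventID=4624 LogonType=10 User=jsmith Src=10.0.0.15",
    "2020-11-03T08:13:11 fs01 EventID=4624 LogonType=3 User=jsmith Src=10.0.0.15",
    "2020-11-16T02:40:09 fs01 EventID=4688 CommandLine=vssadmin.exe delete shadows /all /quiet",
    "2020-11-16T02:40:12 fs01 EventID=4688 CommandLine=wbadmin delete catalog -quiet",
    "2020-11-16T02:41:00 fs01 EventID=4688 CommandLine=notepad.exe",
]


@dataclass
class Finding:
    technique: str   # ATT&CK technique id
    name: str        # ATT&CK technique name
    host: str
    detail: str


def parse(line):
    """Split a sample line into a dict of fields plus _ts and _host."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["_ts"], fields["_host"] = ts, host
    return fields


def is_external(ip):
    """True when the address lies outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(lines):
    """Apply both rules to every line and return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse(line)
        # Rule 1: interactive RDP logon (LogonType 10) from a non-internal source.
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "10"
                and is_external(ev.get("Src", "127.0.0.1"))):
            findings.append(Finding("T1133", "External Remote Services", ev["_host"],
                                    f"RDP logon for {ev.get('User')} from {ev['Src']}"))
        # Rule 2: process creation (4688) whose command line tampers with backups.
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") == "4688" and any(p.search(cmd) for p in BACKUP_TAMPER):
            findings.append(Finding("T1490", "Inhibit System Recovery", ev["_host"], cmd))
    return findings


def summarize(findings):
    """Count findings per ATT&CK technique id."""
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f.technique} {f.name}: {f.host} {f.detail}")
    print(summarize(detect(SAMPLE_LOGS)))
```

On the constructed sample the external RDP logon and the two backup-deletion commands are flagged, while the internal RDP logon, the network logon and the harmless process are not. The value of tagging hits with technique ids is that a 13-day gap between a T1133 hit and a T1490 hit on the same network is exactly the dwell-time pattern the report describes, and it can be spotted before encryption starts.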
Based on their findings, the researchers predict that the ransomware threat will continue to grow and that actors will adapt to make it even more profitable, using Linux variants more often and refining or changing their techniques, for example by focusing on stealing data for extortion and abandoning encryption altogether.
In addition, compromising corporate networks for resale to ransomware affiliates will become a more lucrative market, as more players want to join a game that generates so much money. Group-IB also expects more state-backed threat actors to get involved, both for financial gain and for disruptive purposes.
Oleg Skulkin, senior digital forensic analyst at Group-IB, says ransomware has become “an organized multi-billion dollar industry with internal competition, market leaders, strategic alliances and various business models”.