It is predicted that in 2021 a wave of ransomware will affect Russian business and enter the CIS.
Group-IB has presented a new report "Ransomware 2020-2021" - a large-scale study of one of the most pressing cyber threats during the COVID-19 pandemic. Last year, the number of ransomware attacks increased by more than 150% compared to the previous year.
The average downtime of an attacked company was 18 days, and the ransom amount almost doubled to $170,000. The main targets were the corporate networks of large companies in North America, Europe, Latin America and the Asia-Pacific region. Experts also recorded the first attacks in Russia: it is predicted that in 2021 a wave of ransomware will affect Russian business and spread into the CIS.
Gold Rush of 2020
Ransomware has become the #1 cyber threat for both businesses and government agencies: the number of successful attacks in the past year grew by more than 150% compared to 2019, and the average ransom more than doubled, reaching $170,000 in 2020. The greediest ransomware families were Maze, DoppelPaymer and RagnarLocker; the ransom they demanded from a victim averaged between $1,000,000 and $2,000,000.
Large corporate networks are at risk: targeted ransomware attacks (Big Game Hunting) paralyzed such giants as Garmin, Canon, Campari, Capcom and Foxconn in 2020. Business downtime from a single attack averaged 18 days. Most of the attacks analyzed by Group-IB occurred in North America and Europe, where most Fortune 500 companies are located, as well as in Latin America and the Asia-Pacific region.
In Russia, despite the unspoken rule among cybercriminals "do not work on RU", the Russian-speaking criminal group OldGremlin was active; Group-IB first described it in a report last September. Since spring 2020, OldGremlin has conducted at least 9 campaigns and attacked exclusively Russian businesses: banks, industrial enterprises, medical organizations and software developers. In August 2020, a large company with a network of regional branches fell victim to OldGremlin; a ransom of $50,000 was demanded for decryption.
"During the pandemic, ransomware has become the main cyber threat for the whole world, including Russia," says Oleg Skulkin, a leading specialist at the Group-IB Computer Forensics Laboratory. "Last year we saw numerous OldGremlin attacks on Russian enterprises, IT companies and financial institutions. This year, experts are already seeing activity from traditional groups like RTM, which also switched to using ransomware."
Mortal Kombat: very organized crime
One of the driving forces behind the phenomenal growth of ransomware has been the Ransomware-as-a-Service (RaaS) model. Under this model, developers sell or rent their malware to affiliates, who use it in their own attacks to compromise the network, infect hosts and deploy the ransomware. The ransom proceeds are then split between the operators and the affiliates. The Group-IB DFIR team notes that 64% of all ransomware attacks analyzed in 2020 involved ransomware distributed under the RaaS model.
Another trend in 2020 is collaboration between different criminal groups. The Group-IB Threat Intelligence & Attribution system recorded 15 new public ransomware partnerships in the underground last year. Active criminal groups using the Trickbot, Qakbot and Dridex malware increasingly helped ransomware operators gain initial access to corporate networks.
The main attack vector for the majority of ransomware gangs turned out to be public RDP servers (52%). In second place is phishing (29%), followed by exploitation of publicly available applications (17%).
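Since exposed RDP servers top the list of initial-access vectors, a defender's first check is whether successful RDP logons are arriving from outside the internal address space. The script below is an added example, not code from the Group-IB report: it parses constructed Windows Security logon events (4624/4625, key=value layout is illustrative) and reports external RDP logons together with the failed attempts seen earlier from the same source.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the style of Windows Security events 4624 (success)
# and 4625 (failure) exported as key=value text. Illustrative layout only.
SAMPLE_EVENTS = [
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7 Workstation=WIN-FS01",
    "EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7 Workstation=WIN-FS01",
    "EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.7 Workstation=WIN-FS01",
    "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.20.30.40 Workstation=WIN-FS01",
    "EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=203.0.113.9 Workstation=WIN-FS01",
    "EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.45 Workstation=WIN-DC01",
]

# Ranges treated as internal; a logon from anywhere else counts as external.
# Assumption: replace with the organisation's own address ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def is_external(ip: str) -> bool:
    """True when the address is outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or malformed address: do not flag
    return not any(addr in net for net in INTERNAL_NETS)

def find_external_rdp_logons(lines: List[str]) -> List[Dict[str, object]]:
    """Return successful RDP logons (LogonType 10) from external addresses,
    each with the number of failed RDP attempts seen earlier from that source."""
    failures: Counter = Counter()
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("LogonType") != "10" or not is_external(ev.get("IpAddress", "")):
            continue
        src = ev["IpAddress"]
        if ev.get("EventID") == "4625":
            failures[src] += 1
        elif ev.get("EventID") == "4624":
            hits.append({"user": ev.get("TargetUserName"), "src": src,
                         "host": ev.get("Workstation"), "prior_failures": failures[src]})
    return hits
```

Running `find_external_rdp_logons(SAMPLE_EVENTS)` flags the two external RDP logons and ignores the internal one and the non-RDP network logon.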
Before encrypting data, the ransomware operators spent an average of 13 days in the compromised network, locating and deleting all available backups so that the victim could not recover the encrypted files. Another factor that helped the gangs obtain a ransom was stealing critical data (documents, reports) beforehand to use as leverage against the victim; the notorious Maze group set the fashion for this "double blow".
Given that most ransomware attacks are "manually controlled", it is critical for cyber security professionals to understand the tactics, techniques and procedures (TTPs) attackers use. A comprehensive technical analysis of attacker TTPs mapped against MITRE ATT&CK®, a public knowledge base of targeted attack tactics and techniques, together with threat hunting and detection recommendations compiled by the Group-IB Digital Forensics and Incident Response (DFIR) team, is already available in the new Ransomware 2020-2021 report.
__________________