Ransomware continues to be a top cybersecurity threat to both individual users and public and private organizations.
Ransomware has proven to be the most insidious and persistent financially motivated threat plaguing users and enterprises worldwide. The latest statistics reveal that the average ransom demand increased tenfold, or even more, in a single year.
The first ransomware family to change the rules of the game by improving the ransomware-as-a-service (RaaS) model was GandCrab. The operators behind the infamous cryptovirus created a very profitable business model which others quickly adopted.
The very first notable difference that made GandCrab stand out is the exposure, a true sign of a rising business model. “Before GandCrab, traditional ransomware teams, run by Russian-speaking hackers were acting privately, silently, and avoided underground forums,” an Advanced Intelligence report from 2019 outlined. GandCrab turned the ransomware business into a “full-fledged media operation”. Branding, marketing, outreach, and even Public Relations (PR) manifested in continuous communications with customers, affiliates, victims, and security researchers. All campaign elements were “meticulously set to establish a new type of ransomware enterprise”.
Ransomware Demands in 2018-2019
The highly successful and profitable RaaS model GandCrab introduced has turned into the norm, making it easier for threat actors to make money.
A new report by cybersecurity firm Group-IB presents new insight into how the ransomware landscape changed in the year since 2018. In short, ransomware operators adopted a wider range of initial infection methods, increased the average ransom demand, and even started to steal files from victims before encryption to increase the chance of a payment.
The data gathered by the researchers shows that ransomware attacks last year increased by 40%. With the focus moving to larger targets, the ransom demand also increased, ranging from $6,000 to $84,000. The ransomware families demanding the largest ransoms have been Ryuk and REvil, also known as Sodinokibi.
The Ransomware Landscape in 2020
Surprisingly or not, the ransomware demand has continued to grow in 2020. Coveware data reveals that the average payout increased in the first quarter of 2020, reaching a staggering $111,605, with Ryuk and Sodinokibi being the main culprits for this increase.
How has ransomware distribution changed in 2020?
According to researchers, drive-by attacks carried out via exploit kits, leveraging RDP and other external remote services, and spear phishing have been the top infection vectors so far in 2020.
It is noteworthy that advanced ransomware groups typically utilize methods that give them access to more valuable assets. Such attacks usually exploit unpatched vulnerabilities in public-facing apps and compromised MSPs (managed service providers). The later stages of these attacks include establishing persistence, escalating privileges, bypassing protections, obtaining various credentials, mapping networks, stealing files, and later encrypting them.
Most ransomware players, including big families such as Ryuk, LockerGoga, Sodinokibi, Maze, and Netwalker, go for common intrusion tactics, like RDP. The reason is simple: gaining access to servers with an exposed RDP port is an easy task, as such access can be bought on underground markets.
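Since exposed RDP is named above as the most common entry point, the defensive check that follows from it is whether failed RDP logons are clustering on a few source addresses, and whether any of those sources later logged on successfully. The script below is an added example, not code from the article or from any vendor it cites; the log records are constructed sample data in a simplified dictionary form (real events come from the Windows Security log, Event ID 4625 for failed and 4624 for successful logons, with LogonType 10 marking RDP/RemoteInteractive), and the threshold and window values are assumptions to tune per environment.

```python
"""Flag RDP brute-force sources in Windows Security log records.

Added example (not from the article). Detects sources with many failed
RDP logons (Event 4625, LogonType 10) in a short window, then checks
whether any flagged source later logged on successfully (Event 4624).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # LogonType 10 = RDP / RemoteInteractive

# Constructed sample events (not real log data). Addresses are from
# documentation ranges; timestamps are ISO 8601 local time.
SAMPLE_EVENTS = [
    {"ts": "2020-05-01T01:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "admin"},
    {"ts": "2020-05-01T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2020-05-01T02:00:20", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "admin"},
    {"ts": "2020-05-01T02:00:45", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "backup"},
    {"ts": "2020-05-01T02:01:10", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2020-05-01T02:01:30", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "svc_rdp"},
    {"ts": "2020-05-01T02:02:05", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    # Console logon failure (LogonType 2): not RDP, must be ignored.
    {"ts": "2020-05-01T02:02:30", "event_id": 4625, "logon_type": 2, "src_ip": "192.0.2.5", "user": "jdoe"},
    # Success from the brute-forcing source shortly after the failures.
    {"ts": "2020-05-01T02:03:00", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.7", "user": "administrator"},
    {"ts": "2020-05-01T02:30:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "admin"},
    # Ordinary successful RDP logon from a source that was never flagged.
    {"ts": "2020-05-01T03:00:00", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.9", "user": "admin"},
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: max_failures_in_window} for every source that produced
    at least `threshold` failed RDP logons inside any sliding window of
    length `window`. Threshold and window are assumed tuning values."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON and e["logon_type"] == REMOTE_INTERACTIVE:
            by_src[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))

    flagged = {}
    for ip, times in by_src.items():
        times.sort()
        start = 0
        best = 0
        # Two-pointer sliding window over sorted timestamps.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def successful_rdp_logons_from(events, flagged):
    """Successful RDP logons (Event 4624, LogonType 10) coming from a flagged
    source: the pattern that most urgently needs investigation, because it
    suggests the brute force worked."""
    hits = []
    for e in events:
        if (e["event_id"] == SUCCESSFUL_LOGON
                and e["logon_type"] == REMOTE_INTERACTIVE
                and e["src_ip"] in flagged):
            hits.append((e["src_ip"], e["user"]))
    return hits


if __name__ == "__main__":
    flagged = rdp_bruteforce_sources(SAMPLE_EVENTS)
    print("Brute-force sources:", flagged)
    print("Successful logons from flagged sources:",
          successful_rdp_logons_from(SAMPLE_EVENTS, flagged))
```

On the constructed data, `198.51.100.7` is flagged (six failures in about two minutes) and its later successful `administrator` logon is reported, while `203.0.113.9` stays below the threshold because its two failures are ninety minutes apart. The same two functions work unchanged on records exported from a SIEM once they are mapped to the field names used here.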
Ransomware in 2021
How has the ransomware threat landscape evolved so far in 2021?
According to Forbes, the average amount of reported ransomware transactions per month in 2021 was estimated at a staggering $102.3 million. Based on SARs (Suspicious Activity Reports) data, security researchers said they identified 68 different ransomware variants active in the first half of 2021. The most commonly reported ransomware variants for this period include REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos.
Leveraging MSPs was definitely trendy in 2019. According to an Armor report released in October 2019, at least 13 managed service providers (MSPs) had been attacked by ransomware.
Due to the nature of an MSP company, attacks on their infrastructure usually have many negative outcomes. A managed service provider manages the IT infrastructure of other businesses via remote administration tools. There are many reasons businesses decide to hire an MSP, such as cutting down on expenses for system administrators.
In order to rely on the services of an MSP, the company must install the MSP’s software, thus allowing remote access to the company’s network. This creates a liability, and as the number of compromised MSPs shows, hackers have found a way to exploit this business model. Armor was able to identify 6 new MSPs and/or cloud-based service providers that were compromised by ransomware. Earlier in 2019, the threat intelligence firm had uncovered 9 other attacks, bringing the total number of MSP ransomware victims in 2019 to 13.