The year 2020 saw a 150% growth in ransomware attacks, with the average ransom demand doubling. Group-IB, a Singapore-based threat hunting and cybersecurity firm, reached this conclusion on the basis of its analysis of more than 500 attacks discerned during its cyber threat intelligence activity and incident response engagements. The striking figures came to light when the firm released its report titled Ransomware Uncovered 2020-2021.
Fat Facts in the Report
Companies affected by ransomware attacks faced 18 days of downtime on average in 2020. The average ransom amount doubled and reached $170,000. The report also revealed that ransomware operations have become more robust than ever, and that ransomware gangs have consequently turned to larger enterprises and companies in pursuit of bigger payouts.
According to the report's researchers, the most prominent groups were Maze, Egregor, and Conti, while RagnarLocker and DoppelPaymer emerged as the greediest of all, with ransom demands ranging between $1m and $2m. The report also claimed that even nation-state groups such as China's APT27 and North Korea's Lazarus have become involved in covert ransomware activity.
The report also covered the global ransomware outbreak of 2020 and examined the TTPs (tactics, techniques, and procedures) of the major players. It indicated that by the end of 2020 the ransomware market had grown into the most profitable cybercrime business, with the disruption caused by the pandemic playing its part. As a result, ransomware attacks grew by more than 150% in 2020, and the average ransom doubled.
Some Technical Aspects of the Report
According to the security firm's observations, ransomware operators spent 13 days on average inside a compromised network before deploying their malware. This intermediate period was used to penetrate further into compromised systems, dump credentials, exfiltrate data, and locate and destroy backups.
In 2020, the most common target for ransomware gangs was public-facing RDP (Remote Desktop Protocol) servers. The number of such servers grew dramatically as many people around the globe started working from home.
Notably, publicly accessible RDP servers became the most common means of gaining initial access, accounting for 52% of all attacks examined by Group-IB researchers. Phishing came second with 29%, and public-facing applications third with 17%. For launching the initial payload, the most frequently abused interpreter was PowerShell.
The Upswing of RaaS
The driving force behind the startling rise in ransomware attacks is the Ransomware-as-a-Service (RaaS) model. Under RaaS, developers sell or lease malware to program affiliates, who deploy the ransomware and carry out further network compromise. The profits are then shared between the affiliates and the operators.
According to the report, 64% of all ransomware attacks Group-IB analyzed in 2020 came from operators using the RaaS model. Group-IB also recorded 15 new public ransomware affiliate programs last year, as well as various botnet operators joining forces with ransomware gangs.
Oleg Skulkin, a senior analyst at Group-IB, said that the global ransomware market had developed considerably over the most recent year and was likely to grow even further over the coming year.
Given that, organizations need to understand how attackers operate and what tools they use, since most of these attacks are human-operated. Such an understanding helps counter ransomware attacks unleashed by operators and also makes it possible to hunt for them proactively.
LIFARS develops proactive tactics and strategies to counter evolving cybersecurity threats. Learn more about us by clicking here.