DSIR Deeper Dive: The Ransomware Epidemic

Ransomware is among the most common and persistent threats faced by organizations of all sizes. In 2019, the ransomware threat landscape worsened in several significant ways: (1) average demands increased more than tenfold; (2) all industry segments saw increases in attack frequency, with stark increases seen by education and government entities; and (3) several threat actor groups began exfiltrating sensitive data from victims as an additional means to extort a payment.

Increased Ransom Demands. In our 2019 report, we dedicated a quarter page to ransomware, with the average ransom paid for the matters we handled being $28,920 and the largest payment being $250,000. For the 2020 report, we dedicated a full page to the epidemic, with the average ransom paid for matters we handled jumping to $302,539 and the largest payment being $5.6 million. Questions had arisen in years past as to why ransomware demands seemed relatively low. By deploying ransomware, the threat actors were crippling a company’s ability to function but would often settle for a five-figure ransom while the victims were losing hundreds of thousands or millions of dollars a day due to the business interruption. Whatever the reasons, threat actors changed their approach, and 2019 was the year they were ready to increase the stakes. 2020 has only seen these trends continue.

A primary reason for the demand increase stems from the rise of dedicated ransomware variants that are deployed by various threat actor groups with unique and identifiable TTPs (Tactics, Techniques and Procedures). As one example, the Ryuk threat actors most often gain entry through a phishing email when victims click on a malicious link or attachment, which downloads malware (Trickbot, Emotet, Mimikatz) used to collect system credentials. The threat actors then move laterally across the environment to encrypt as many systems as possible. Often different groups will work in parallel, with one group exploiting vulnerabilities to gain entry and then selling the access to a second group specializing in inflicting as much encryption damage as possible. The Ryuk threat actors were particularly adapt in 2019 at steadily increasing demands month over month in an effort to test a victim’s maximum price points.

A second example is the Sodinokibi threat actors, also known as REvil, which frequently target information technology managed service providers (MSPs). Once the group compromises the MSP’s remote management tools, they quickly move to as many downstream customer systems as possible and encrypt the systems of dozens or even hundreds of victims in one swoop (tip: require vendors to implement multifactor authentication (MFA) to access your environment). The Sodinokibi threat actors will often make one very large demand for a tool to decrypt all customer systems, thereby leaving small customers at the mercy of the MSP to procure a tool.

Increased Attacks on Vulnerable Industry Segments. Another reason that ransomware became an epidemic in 2019 was an increased focus by threat actor groups on entities that traditionally have weaker security postures, particularly education and local government organizations. In past years, threat actors frequently targeted large organizations, perhaps from belief that they have greater capacity to pay demands. Those organizations remain significant targets – manufacturing and professional services still lead all industry segments in attacks; however, many of these organizations have advanced cybersecurity and disaster recovery measures in place and did not pay the ransom (notably, across all business sizes, 73 percent of the organizations were able to restore systems without paying the ransom in 2019). Threat actors saw an opportunity to increase ransom demands as smaller and more diffuse organizations obtained cyber insurance and opened their network environments to remote access. These new victims often lacked necessary security measures such as endpoint monitoring, MFA, segregated backup systems, network segmentation and strong oversight of vendors with access to the environment, which allowed the threat actor groups to quickly cripple an organization, leaving no recourse but to pay the ransom in order for the business to survive.

The Next Wave – Extortion. Toward the tail end of 2019, several threat actor groups began a relatively new extortion tactic of stealing data from the environment to hedge against victims that were able to restore systems from backups. The first of these groups utilizes the Maze variant. But as the tactic has proved successful, many other groups including Sodinokibi, Doppelpaymer, Nefilim, Snatch, Lockbit and others have started to employ the same approach in 2020.

Extortion groups steal data they deem sensitive prior to deploying ransomware and then threaten to release the data to the public unless the victim pays a ransom, which is usually the same price as the ransomware demand. While the theft of personal information alone may trigger a notification obligation – both to individuals and regulators – the threat of public humiliation introduces a new level of crisis. A victim that does not pay the extortion demand (which itself is no guarantee to avoid publication) is faced with conducting an investigation into an incident about which the public and regulators have already been loudly informed but for which the victim will not be able to provide meaningful answers for some time. These incidents may challenge relationships with key stakeholders such as customers, patients, shareholders and the public at large.

As reflected in our 2020 report, only 6 percent of ransomware incidents in 2019 resulted in unauthorized access or acquisition of data resulting in notification obligations. However, less than five months into 2020, we have seen that percentage already jump severalfold, and we expect the trend to continue as threat actors refine their tactics to obtain as much money as possible from their victims. The era of extortion is here to stay.

As mentioned in the 2020 Report, here are some action items to address ransomware risk:

• Guard against phishing, address security gaps caused by limited utility of antivirus against banking trojans like Trickbot and Emotet, and secure remote access (e.g., open RDP ports).
• Enable MFA for the organization and any service providers with remote access.
• Evaluate your business continuity and disaster recovery plans and how they integrate with your incident response plan.
• Look at your strategy for backups. Current backups, segmented from production systems and easily accessed, can help you avoid business interruption without paying a ransom.
• Understand your insurance resources. Think through the hourly impact of downtime in the event you have to decide whether, when, and how much ransom to pay.
• Ransomware attacks can also involve access to data that triggers notification obligations – contractual and legal. In the rush to restore systems, some organizations wipe and reimage devices without preserving evidence, which complicates the ability to determine what occurred after the attacker gained access to the network before ransomware was deployed.