In the past twelve months, the word “ransomware” has popped up in countless headlines worldwide across both print and digital publications: The Wall Street Journal, the BBC, the New York Times. It is no longer just being discussed by CISOs and security professionals, but politicians, school administrators, and hospital directors. Words like Babuk and REvil have entered the everyday lexicon. This is a threat that seems almost inescapable, regardless of whether or not users occupy the cybersecurity or tech space – and it is having a direct impact on lives.
That is precisely why we have chosen ransomware as our story of the year for Kaspersky’s annual Security Bulletin. But how did we get here and what has changed about the ransomware landscape since it was first our story of the year in 2019?
Arguably, it all started at the end of 2019, when Maze became a “pioneer” of the modern ransomware landscape. The operators behind that ransomware created a new, highly effective scheme for attacking large, profitable businesses: double extortion. With double extortion, not only do the attackers encrypt data, but they also steal highly sensitive information (personal data of clients and employees, internal documents, intellectual property, etc.) and threaten to publish that information if the ransom is not paid. This gives companies more reason to pay up. In 2020, we called this “Ransomware 2.0“, and, unsurprisingly, big ransomware players, including REvil (aka Sodinokibi), DarkSide, Babuk, Avaddon, Conti, etc., began adopting the new approach. Maze also began posting information about stolen data on their “Wall of Shame”, and other ransomware groups followed suit with their own leak sites.
In fact, by analyzing the number of victims on ransomware groups’ various leak sites, it is easy to visualize the growth in “Ransomware 2.0” in 2021. From January to November 2021, the number of victims was 30% higher than that in all of 2020, affecting a total of 1,500 organizations. Of course, it is important to know that these ransomware groups do not publish information about all of their victims on their leak sites; therefore, the actual figure could be much higher.
Around this same time, an entire criminal ecosystem began forming to support the burgeoning ransomware epidemic: Ransomware-as-a-Service or RaaS. Each of the players has a specific role within this ecosystem: there are those who provide the encryptor and the platform for negotiating and publicizing the details of the victims. Others (partners or affiliates) carry out direct attacks against organizations. In addition, attackers operating within this ecosystem purchase the tools to initially penetrate the victims’ infrastructure from third parties. This ecosystem added an additional level of operational efficiency and a massive support network for those looking to profit from ransomware.
Double extortion coupled with RaaS created the means for cybercriminals to successfully attack major corporations, extorting hundreds of thousands and even millions of dollars. In fact, according to data from the US Treasury’s Financial Crimes Enforcement Network (FinCEN), organizations in the U.S. alone may have paid nearly 600 million dollars to ransomware groups in the first half of 2021. And, according to the same report, if you look at the most prolific actors from the past year, they have potentially received $5.2 billion in transfers over the last three years.
This is the era of big game hunting: high-profile B2B targets, big ransom demands, sophisticated attacks, highly sensitive data being stolen, and major fallout from a successful attack. Given some of the ramifications of this past year’s biggest attacks, it is not surprising that ransomware has gone mainstream.
We are taking a deep dive into the evolution of ransomware in 2021, starting with the ransomware events of 2021 that made for some of the biggest headlines.
Key ransomware events in 2021
Perhaps the first headline that indicated the world was truly in unprecedented territory when it comes to ransomware was the shutdown of the United States’ largest fuel supplier: the Colonial Pipeline. The now-defunct ransomware gang known as DarkSide was able to infiltrate the pipeline’s network and steal nearly 100 gigabytes of information in early May. The pipeline was shut down for six days, and, ultimately, Colonial paid 4.4 million in ransom to DarkSide. Later that same month, another RaaS operator, REvil, followed in DarkSide’s footsteps. This notorious gang was able to shut down several production sites for JBS, the world’s largest beef supplier. The company ultimately paid $11 million to resume their operators and recover the stolen data.
Attacks like those on Colonial and JBS prompted President Biden to declare a state of emergency and to meet President Putin to discuss mutual cooperation in tackling the ransomware threat. This initiated a new, important trend related to ransomware: government involvement and increased international cooperation. In September 2021, the U.S. Treasury issued sanctions against the virtual cryptocurrency exchange Suex for their role in helping ransomware attackers get paid, and the pipeline attack proved to be DarkSide’s undoing: the group had attracted too much attention. After facing pressure from law enforcement agencies, they lost control of their servers, including their blog and payment systems, as well as some funds.
Another highly prolific RaaS operator from 2019, Avaddon, was also shut down in 2021 thanks to a crackdown by law enforcement – both against the ransomware gang and the infamous botnet Emotet. Avaddon was using the malware to gain an initial foothold in users’ systems. However, it appears Emotet has since reemerged.
REvil is another interesting example of what appears to be the new normal for the lifecycle of ransomware: a group makes a lot of noise with a large-scale attack and is then forced to shut down or rebrand due to legal pressure. REvil first appeared in 2019 and is reported to have earned over $100 million from their operations in 2020 and demanded $50 million in ransom from Apple after stealing information about the company’s upcoming releases. Of course, all of this attention came at a cost. After exploiting a vulnerability in Kaseya VSA, a leading unified remote-monitoring and management tool, REvil was able to hack into about 50 MSP providers. However, shortly after this attack, REvil’s servers were taken offline, with rumors that law enforcement pressure had forced them to close. They did reappear in October, stating the previous shutdown was due to internal reasons, but a multi-country push to force REvil’s leak site and Tor payment site offline ultimately led the group to shut down their operations…for now.
Babuk, a highly prolific RaaS operator first appearing in 2021 and inventors of the infamous “Babuk locker”, stole 250 GB of data from Washington’s Metropolitan Police Department network and held it for ransom. Their operations have also ceased, although this appears to be by their own volition: Babuk announced its retirement at the end of April, while releasing their source code into the wild so that it could be used by other ransomware operators. They later rebranded as Payload Bin and started offering their platform to other ransomware groups that do not have a leak site of their own.
Who are the key players now?
For now, former notable “Big Game Hunters” from 2021 have been taken down or have retired. As the ransomware threat has evolved and gained more attention, ransomware groups are facing shorter lifespans for their attacks, but the groups are highly capable of rebranding. Both REvil and Babuk originally emerged from the now defunct ransomware groups GrandCab and Vasa Locker, and DarkSide quickly regrouped as BlackMatter. After a brief period of success targeting U.S. companies and even the major Japanese technology company Olympus, the group shut down, apparently due to pressure from law enforcement.
One other notable RaaS operator that is still active is Conti. This ransomware group first appeared in 2019 and was quite prolific in 2020. Some of their most notable attacks in 2021 include an attack against the Broward County Public Schools in Florida and the takedown of the servers for Ireland’s Health Service Executive. However, it is worth noting that even Conti is feeling the pressure: after details about their inner workings were made public, they were forced to rethink their infrastructure, taking down their clearnet and dark web payment portals. Unfortunately, the group was able to get its servers back up and running within twenty-four hours.
That said, it is important to note that the ransomware groups most frequently appearing in the headlines are not the groups most often encountered by users. That is because the groups mentioned above conduct highly targeted attacks against copmpanies capable of paying millions in ransom. Older and more common ransomware actors are more interested in collecting smaller payments from a larger number of people.
When comparing the percentage of requests with a specific ransomware family among all ransomware requests processed by Kaspersky malware analysts, this is the distribution of ransomware attacks by ransomware family for the year 2020.
Distribution of ransomware attack by ransomware family, 2020 (download)
Crysis/Dharma and Stop/Djvu are both long-standing ransomware attackers. Crysis is capable of using multiple attack vectors but more recently has been seen primarily exploiting unsecured RDP access. And Stop, the most prevalent ransomware family with an “old-school” distribution scheme (victims searching for counterfeit software and finding executable files that contain ransomware), rather than human-operated attacks most often used by more modern groups. The former target both B2B and B2C, while the latter target primarily the B2C sector. In 2020, both groups accounted for over 50 percent of all ransomware attacks, with REvil making up a small 1.7%.
The first three quarters of 2021 showed a similar picture.
Distribution of ransomware attack by ransomware family, Q1-Q3 2021 (download)
The most frequently encountered ransomware family was Stop/Djvu, while Crysis/Dharma dropped to third place. The second most common family was Phobos, also an older ransomware family that targets small and medium-sized businesses. REvil did grow in its share of attacks to 2.2%, but it represented the least frequently encountered family among the ten most common. Because families like Crysis and Stop are more widespread rather than concentrated in their attacks (and request smaller payments), these typically do not make the headlines, however, they are indeed more commonly encountered encryptors.
The switch from mass infections to pinpoint attacks: enter Big Game Hunting
Earlier ithis year, we released a report, Ransomware by the Numbers, which seemed to contradict all the headlines: the total number of users that had encountered ransomware was actually on the decline. In fact, the ratio of unique users of Kaspersky B2B products who encountered ransomware trojans to the total number of users facing any type of threats has been steadily declining since the beginning of 2020.
The percent of unique B2B Kaspersky users that encountered ransomware to the number of users encountering any threats, 2020-2021 (download)
Indeed, while older families like Stop and Crysis may still be those most frequently encountered by users, the numbers of users that actually encounter them are going down.
That is because newer, high-profile gangs have switched from mass infections to pinpoint attacks against those who can pay millions: corporations and industrial organizations. In fact, from 2019 to 2020, the number of unique users affected by targeted ransomware (i.e. groups like Babuk and REvil which are involved in Big Game Hunting) increased by 767%. And this trend has only continued in 2021.
Launching the ransomware in the system is the last stage in these attacks. By this time, the organization’s network is often fully controlled by the attackers. As a result, after the data is encrypted, research is required to establish the initial attack vector, prevent re-infiltration by the attackers and attempt to restore data. This process is called incident response (IR), and mid-sized organizations and large corporations typically resort to it with the help of their own employees or contractors (i.e. Kasperksy provides IR services to its clients through Kaspersky Global Emergency Response Team). When looking at the data from 2019, 2020 and the first three quarters of 2021, an interesting pattern emerges.
The percentage of ransomware-related IR requests, 2019-2021 (download)
The percentage of IR requests related to ransomware for January to November of 2021 is already nearly 10 percentage points higher than the share of ransomware IR requests in 2020, and it is 12.7% higher than the percentage of requests in 2019.
The raw total of ransomware attacks may be lower, but the attacks against big organizations are on the rise.
A closer look at the industries under ransomware siege
If ransomware gangs are focusing on large companies and organizations, which industries are feeling the greatest fallout from these massive attacks?
The percentage of ransomware-related IR requests belonging to certain industries, 2020 (download)
In 2020, the industry that received the greatest percentage of IR requests was the industrial sector (26.85%), followed by the government (21.3%). Together, those two sectors accounted for nearly fifty percent of all IR requests in 2020. Both the industrial and government sectors contain “mission critical” companies, i.e. those that cannot afford to stay offline and are thus more likely to pay up.
In 2021, the distribution of IR requests was as follows.
The percentage of ransomware related IR requests belonging to certain industries, 2021 (download)
Both the government and industrial sectors remained the most frequently targeted ones, with the former increasing slightly and the latter decreasing slightly. There was also a major jump in the number of attacks affecting the IT sector: from 2.78% in 2020 to 13.33% in 2021.
It is important to keep in mind that statistics like the above are at least partially influenced by the company’s client base. Some of the most high-profile attacks against these sectors include the attack against the Colonial gas pipeline and the Health Service Executive. In addition, Kaspersky uncovered a series of attacks against industrial organizations by the Cring ransomware.
A look ahead: developing ransomware trends
This new era of Big Game Hunting is still unfolding, and high-profile groups making the headlines, as well as newcomers, are revamping their tactics to extract even greater profits from their victims. Here are two of the most significant trends.
In 2020, both DarkSide and RansomExx groups launched attacks against VmWare ESXi servers using Linux-sepcific ransomware builds. Now, in 2021, we have seen this gain popularity among other Big Game Hunters. Both REvil, HelloKitty, Babuk, Conti, Hive, and potentially, even PYSA and RagnarLocker added Linux to their arsenal. Why? This allows them to maximize the attack surface by encrypting virtual machines hosted on ESXi servers.
In April, DarkSide published a post on their leak site stating a wish to influence the stock prices of companies, i.e. conduct financial blackmail. However, DarkSide was not the first to express an interest in devaluing corporate stock: back in 2020, a former representative of REvil known as “Unknown” made a post on the Exploit forum encouraging ransomware operators to use the stock exchange when extorting their victims. Since then, financial blackmail has become an increasingly popular trend. In November of this year, the United States FBI put out a warning stating that ransomware actors are “using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections”. According to the FBI, three companies were victims of ransomware during delicate merger and acquisition negotiations between March and July 2020. What is more, ransomware operators are updating their malware to scan networks for finance-related keywords, such as “NASDAQ” and “10-Q” (quarterly financial reports). Case in point: the trojan Pyxie used by Defray777/RansomEXX.
When companies are undergoing mergers or acquisitions, planning to go public, or are reassessing their financials, they are in a particularly vulnerable position. Any kind of leaked information could have devastating consequences for the company’s valuation. In fact, a study by Comparitech found that ransomware attacks cause, on average, a 22% decrease in the share value of companies in the short term.
Such consequences make the victims more inclined to pay the ransom. With law enforcement agencies and politicians shortening ransomware groups’ lifespan, efficiency has become paramount – and financial blackmail is a powerful tool. In 2022, we expect this type of extortion to become more popular and spread to average ransomware operators.
Will ransomware feature in the headlines in the coming year to the same extent it did, in 2021? Will more pipelines, schools, and hospitals fall? It is impossible to tell, but it is certainly not going away as a threat. There will undoubtedly be some new players that arise to take the place of groups like DarkSide, and 2021’s biggest players may either reappear or evolve and rebrand. And, as in 2021, they will be after “big game”; this will again lead to significant real-life consequences (food or gas shortages, human casualties, companies going bankrupt).
However, big attacks lead to big attention from the public, and, as we learned this year, that is not always a good thing. Groups like REvil and DarkSide received so much attention that governments and international law enforcement agencies worked together to push them offline. As these highly destructive attacks continue, expect continued cooperation to bring the groups behind them down. After all, it is only through international cooperation that ransomware can be effectively tackled.
At the same time, major attention from government organizations could put companies, too, in a difficult position. Last year, the US Office of Foreign Assets Control (OFAC) told victims that paying ransoms could constitute a breach of international sanctions, putting attacked organizations at risk of legal repercussions. However, companies have repeatedly shown that they would rather pay than suffer the consequences of a ransomware attack, particularly now that operators are threatening to dox corporate data. Unfortunately, this means ransomware continues to be profitable for cybercriminals. In the coming year, governments may enact more laws surrounding the payment of ransoms in an attempt to force victims not to pay.
With all of that said, there is one undisputed upside of ransomware being in the headlines: the more people know about the problem, the better they will know how to protect themselves.
Here are Kaspersky’s recommendations on staying secure from ransomware attacks:
- Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
- Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
- Always keep software updated on all devices you use to prevent ransomware from exploiting vulnerabilities.
- Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, that is powered by exploit prevention, behavior detection and a remediation engine capable of rolling back malicious actions. KESB also has self-defense mechanisms that can prevent its removal by cybercriminals.
This content was originally published here.