It is reported by Bleeping Computer that security researcher DarkTracer has tracked data leaks since 2019, concluding that 34 ransomware groups have leaked data stolen from 2,103 organizations to date. The data are usually leaked on the dark web following a cyber-attack in which the attackers have been able to infiltrate a company system, exfiltrate sensitive data, encrypt the data to prevent access, demand a ransom payment to decrypt the data and— when the victim refuses to pay the ransom— demand a second ransom for the destruction of the exfiltrated data. This is called a double extortion ransomware attack.
According to DarkTracer, the top five groups leaking stolen data include: Conti, Sodinokibi/REvil, DoppelPaymer, Avaddon, and Pysa. In addition, since ransomware groups have been successful in extorting ransoms with the threat of leaking data, data leak marketplaces have been created to sell the stolen data following exfiltration. According to Bleeping Computer, “[W]hile it may seem better to pay a ransom to prevent a data leak, there is no guarantee that the data won’t be released or sold to other threat actors. Therefore, if your data is stolen, you are better off treating it as a data breach and being transparent about it to those who are affected.”
We spend a lot of time reporting on ransomware because we are seeing more incidents than ever before, and our readers comment that keeping them up to date on ransomware tactics is helpful. The ransomware gangs, strains and vectors are constantly changing, so it is very challenging for companies to keep up with their latest tactics.
The Coveware Quarterly Report is one resource that is very helpful in understanding the newest methods and successes of ransomware attackers, and Coveware’s Third Quarter Report was recently released.
The Report confirms what we are seeing in the field, and confirms how the landscape is changing. The big news is that the Maze group has allegedly dispersed, with some members joining others. Maze wreaked havoc last year, when it started exfiltrating data from victims before it dropped the ransomware and then threatened to publish the data if the company didn’t pay.
The Report is a must read, but here are some highlights (depressing as they are):
- There is no guarantee that if you pay the ransom to delete data that they will actually delete it or that they will not come after you again. (They are criminals, after all). In Q3, exfiltration of data before the introduction of ransomware doubled, and half of all ransomware attacks included exfiltration of data. These are not promising statistics.
- Although Maze is allegedly out of business, others have copied its tactics forexfiltrating data, including AKO, Ranzy, Netwalker, Mespinoza, Conti, Sekhmet, and Egregor. Egregor is believed to have inherited Maze. Sodinokibi has re-extorted victims after they have paid the ransom.
- Some gangs provide fake proof that they have your data to get you to pay.
- There is no guarantee that the exfiltrated data will not be sold to other groups.
- Ransom demands are increasing.
- The biggest ransomware threats in Q3 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer.
- Wasted, Nephilim and Avvadon made it into the top 10 list of market share of ransomware variants.
- More than 50 percent of all attacks are successful through attacks on Remote Desktop Protocols (RDP). Coveware sees this method of attack as the most cost-effective way to compromise organizations and stresses the importance of properly securing RDP connections.
- Almost 30 percent of attacks see the ransomware distributed via phishing emails, which have steadily increased since late 2019.
- The average ransom payment in Q3 was $233,817, up 31 percent from Q2 2020.
- The median ransom payment in Q3 was $110,532 up 2 percent from Q2 2020.
- Ransomware is a disproportionate problem for small and medium-sized businesses—those with a median of 168 employees—which is up 68 percent from Q2 2020.
- Most victims of ransomware have less than $50 million dollars in annual revenue.
- Professional service firms, especially small ones such as law firms and accounting firms, are especially vulnerable.
- The average number of downtime days of victimized businesses is 19 days.
These statistics are ones to pay close attention to and use when determining risk management priorities. It is clear from the Report that addressing RDP and employee education as top priorities makes sense. According to the Report, one possible reason for the increase in the use of RDP is “that the influx of remote and work-from-home setups using RDP and other remote technologies allowed threat actors to leverage attack vectors that previously didn’t exist.”
As coronavirus cases increase again throughout the U.S., remote working appears to be the norm, so ransomware attackers are using, and will continue to use, the shift from the office to the home to attack victims.