The latest Coveware Quarterly Ransomware Report states that the growth in ransomware attacks in 2020 has persisted in 2021 as most threat actors target the healthcare industry. 11.6% of all attacks in quarter 1 of 2021 were healthcare ransomware attacks, the same with the public sector attacks. Attacks on professional services companies accounted for 24.9% of all attacks.
Although ransom demands dropped in Q4 of 2020, that pattern quickly changed in Q1 of 2021 as the average ransom payment went up to $220,298,
an increase of 43%. The median ransom payment of $78,398 increased by 59%. The higher ransom payments was because of the Clop ransomware gang’s data exfiltration extortion attacks.
Because of two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, the Clop ransomware gang was able to exfiltrate customers’ information, then threatened the victims to post the stolen information if no ransom was paid. If victims declined to pay, the Clop ransomware gang posts the stolen data on its data leak site.
These attacks demonstrate that file encryption isn’t always required, as the danger of publishing stolen information is usually enough to make sure that the victim pays. Coveware says that although exploitation of the vulnerabilities made data exfiltration possible, it wasn’t possible to install ransomware throughout victims’ systems, otherwise, ransomware would probably have been utilized in the attacks as well.
The Clop ransomware gang was specifically active in Q1 of 2020. The group frequently attacks big companies and makes big ransom demands and just like a lot of other ransomware gangs, steals information before file encryption and gives threats to publish that information when payment isn’t made. These double extortion techniques have become typical. Many ransomware attacks currently entail data exfiltration. In Q1, 77% of ransomware attacks had data exfiltration increasing to 70% from Q4 of 2020.
Ransomware victims might have no option apart from having to pay the ransom in case they cannot retrieve encrypted files from backups, however there are problems connected with ransom payment, particularly to avoid a data exposure. There’s no assurance that the ransomware gang will destroy the data and not trade or sell it to other threat groups after ransom payment. Exfiltrated information could also be saved in several places. Even though the threat actor deletes the information, third parties could still get a copy. Coveware remarks that although data exfiltration has grown, a lot more ransomware victims are choosing not to give the threat actor’s demands and don’t pay the ransom to avoid a data leak for some reasons.
A lot of RaaS operations have elevated the volume of attacks by getting more affiliates, however, a number of RaaS operations found it difficult to level up their campaigns. The Conti gang hired chat operators which made transactions and recoveries more complicated. The Lockbit and BlackKingdom gangs encountered technical problems resulting in permanent loss of data for a number of their victims, and even the most recognized ransomware operation – Sodinokibi – encountered issues matching encryption keys with victims causing permanent loss of data.
These technical issues indicate that even ransomware gangs that plan to give the decryption keys cannot always do so. Coveware additionally noticed an upsetting trend where ransomware gangs intentionally disrupt recovery after receiving ransom payment. The Lockbit and Conti gangs were seen trying to steal more information during the recovery stage and even trying to re-introduce their ransomware after the payment of victims. Coveware remarks that this type of disruption was uncommon in 2020, however, it is now more prevalent. Technical problems and disruption to the restoration process have led to 10% more downtime (23 days in Q1) because of an attack.
In Q4, email phishing has become the most frequent way of ransomware delivery, however connections with Remote Desktop Protocol are once more the most frequent way of getting access to victim systems. Phishing continues to be popular and is the tactic preferred by the Conti ransomware gang.
There were also more exploitation of software vulnerabilities, the most common of which were the unpatched vulnerabilities identified in Fortinet and Pulse Secure VPN appliances. Coveware thinks most ransomware-as-a-service operators and affiliates never exploit vulnerabilities in software, instead they hire professional threat actors to get access to compromised systems.
