2020 saw a dramatic rise in ransomware activity. While it is difficult to predict specifically what ransomware authors will do next, it can be expected that they will continue to do what has worked well for them in the past as long as it remains profitable. Ransomware ‘payment’ amounts saw a 217% rise in 2020, from an average of $84,000 to $234,000. This has been largely due to attackers focusing on large organizations with deep pockets that can afford higher ransom amounts. The use of cyber extortion insurance policies also gives victim organizations the ability to pay higher ransoms. However, this does not mean small organizations are not being targeted. We expect ransoms to continue to rise as long as victims continue to pay.
Ransomware operators will continue to evolve their tools and techniques to remain stealthy and blend in with the victim’s IT infrastructure. Increasingly, ransomware is being deployed manually after an initial intrusion, both to increase its effectiveness and to remain undetected until the last minute. Operators are also increasing the speed of their tools so that the encryption of victim data completes before defenders have a chance to respond. As their capabilities evolve, they will eventually approach the level of nation state actors.
In addition to simply encrypting data and demanding a ransom for the decryption tool, attackers exfiltrated data and threatened to sell it on the black market. In fact, several ransomware variants have dedicated data marketplaces for this. This tactic is very effective and we expect it to continue into 2021.
Ransomware as a business. Cyber criminals are becoming very sophisticated, using business analysis techniques to target victim companies. They research a victim's publicly available (open-source) business statistics and calculate the proper amount of ransom. It used to be: target a company, infect the network with ransomware, and then throw out various amounts for a ransom demand. Now they are using business data to pick a ransom amount that may just cause the decision makers to pay the ransom and get back to operations.
2020 also saw an increase in remote work due to the pandemic. As a result, attacks against Remote Desktop Protocol (RDP) increased. Over the past several years, RDP has been exploited by attackers both to gain an initial foothold and to move laterally through an organization’s IT infrastructure. Internet-facing Windows machines running the RDP service will be relentlessly subjected to brute-force attacks in an attempt to guess login credentials.
Once compromised, an attacker could use the machine for many different types of attacks, including data theft, lateral movement, crypto-mining, botnet malware, sending spam email, and of course ransomware.
Internet facing RDP servers are very easy to find using tools such as Shodan, ZoomEye, and Censys. Additionally, login credentials for compromised RDP servers are plentiful and cheaply available for sale on dark web marketplaces. We expect RDP to continue to be an important attack vector to protect.
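The brute-force activity described above leaves a clear trail on the target: a burst of Windows failed-logon events (Event ID 4625) from one source address, cycling through account names. The following detection logic is an added example, not code from Red Sky Alliance or from this report. The log lines are constructed for the example and use a simplified one-line key=value rendering of the 4625 fields; the threshold of five failures per minute is an assumed tuning value, not a figure from the report.

```python
"""Spot RDP password guessing in Windows failed-logon events (Event ID 4625).

Added example, not Red Sky Alliance code. The log lines are constructed and
use a simplified one-line key=value rendering of the 4625 fields; a real
deployment would read the Security event log (or a SIEM export) instead."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. LogonType 10 = RemoteInteractive (RDP);
# LogonType 3 = network logon (also produced by some RDP/NLA attempts).
# 203.0.113.45 cycles through common account names in seconds, while
# 198.51.100.7 is a user who mistyped a password once and then logged in.
SAMPLE_EVENTS = """\
2020-11-02T03:14:01 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.45
2020-11-02T03:14:02 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.45
2020-11-02T03:14:04 EventID=4625 LogonType=10 User=Administrator SrcIP=203.0.113.45
2020-11-02T03:14:05 EventID=4625 LogonType=3 User=jsmith SrcIP=198.51.100.7
2020-11-02T03:14:06 EventID=4625 LogonType=10 User=user SrcIP=203.0.113.45
2020-11-02T03:14:07 EventID=4625 LogonType=10 User=test SrcIP=203.0.113.45
2020-11-02T03:14:09 EventID=4624 LogonType=10 User=jsmith SrcIP=198.51.100.7
this line is malformed and is skipped by the parser
2020-11-02T03:14:10 EventID=4625 LogonType=10 User=guest SrcIP=203.0.113.45
2020-11-02T03:20:00 EventID=4625 LogonType=10 User=jsmith SrcIP=198.51.100.7
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<ltype>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed key=value lines; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "ltype": int(m["ltype"]),
            # Windows account names are case-insensitive, so fold case
            # before counting distinct accounts.
            "user": m["user"].lower(),
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: {"failures": n, "distinct_users": m}} for every source
    that produced at least `threshold` failed remote logons inside any
    `window`-long span. Only 4625 events with remote logon types count."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) in window
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != 4625 or ev["ltype"] not in (3, 10):
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()          # slide the window forward
        if len(q) >= threshold and len(q) > hits.get(ev["ip"], {}).get("failures", 0):
            hits[ev["ip"]] = {
                "failures": len(q),
                "distinct_users": len({u for _, u in q}),
            }
    return hits


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info['failures']} failed RDP logons against "
              f"{info['distinct_users']} accounts within one minute")
```

The distinct-account count is what separates a password-spraying host from a single user who forgot a password: the constructed sample flags only 203.0.113.45 (six failures against five accounts in nine seconds) and leaves the legitimate user alone. In production the same counter would feed an account-lockout or firewall-block action, and the real mitigation the report implies is not exposing RDP to the internet at all.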
VPN usage also saw an increase as employees moved to remote work in 2020. The US DHS CISA released several Alerts throughout 2020 warning that attackers were actively exploiting VPN devices. The most distressing thing in these cases was the age of the vulnerabilities being exploited. Some had been public knowledge since mid-2019, showing a lack of patch deployment. In November 2020, an individual publicly posted a list of nearly 50,000 vulnerable VPNs for one single vulnerability: CVE-2018-13379. Once compromised, an attacker would be able to perform the same types of attacks as with a compromised RDP server.
Cyber to Physical Ransomware
In September 2020, threat actors attacked the University Hospital system in Dusseldorf, Germany with ransomware. After the attack affected more than 30 servers at the facility, the hospital was forced to turn away emergency patients. According to German authorities, this directly resulted in the death of a woman whose care was delayed because she had to be transferred to another facility 20 miles away. The death places the cyber crime in a different and higher criminal statute category.
Ransomware actors have shown their capabilities of targeting critical infrastructure such as 911 systems, which has had severe consequences both socially and financially. Red Sky Alliance believes this will not slow down in 2021, but will actually increase as attackers understand the willingness of government agencies to pay ransoms.
As Ransomware-as-a-Service (RaaS) platforms expand, even low-skill attackers are able to earn a profit by targeting emergency services and vulnerable cities. Municipalities around the US in states such as Florida, Maryland and California have been taken offline because they are often ill-prepared and have lower budgets for security operations. The consequences of these attacks have gone from financial loss to the loss of emergency services, which could potentially result in the loss of human life.
The fact that so many companies have paid ransomware actors so much money during previous attacks means that these attackers now have better resources to attack their targets.
Until these attackers are arrested, prosecuted, and severely punished, they will become more emboldened to take down bigger targets, likely resulting in the injury, if not death, of multiple victims. Because many of the actors are protected by hostile foreign governments, prosecution is very unlikely.
Dark Clouds are Forming
In May 2020, threat actors broke into Blackbaud, a provider of software and cloud hosting solutions, and attempted to encrypt files on the company’s network in a ransomware attack. While the company was able to expel the attackers from its systems, the attackers stole some confidential data before being removed. Blackbaud stated that although the files were not encrypted, it paid the ransom to avoid the disclosure of some of the stolen data. With the increase in data extortion, or threatening the release of sensitive data if a ransom is not paid, analysts suspect that the Cloud will become a much bigger target for ransomware attacks.
The increase in companies using cloud technology does not automatically mean an increase in cloud system administrators. This means that many IT teams are learning how to use the Cloud, but not necessarily learning how to keep that data secure. Red Sky Alliance has recently begun monitoring for misconfigured cloud servers, as well as malware that could specifically affect Cloud technology. However, analysts believe that 2021 will see a large spike in attackers targeting Cloud technologies such as Amazon Web Services and Microsoft Azure. Traditional attacks on the Cloud such as crypto-mining and leveraging the Cloud for DDoS attacks are unlikely to decrease in 2021.
If attackers do target the Cloud more successfully in 2021, companies should expect to see the shift from ransoming encrypted files, to ransoming the release of stolen data. As many companies discovered over 2020, the Cloud can help companies significantly but can also provide a major attack surface for attackers looking to steal private data and make a profit. According to Aqua Security's 2020 Cloud Native Threat Report, attacks against cloud systems exploded at the start of 2020 when the company recorded a 250% jump in attacks from the previous year. Red Sky analysts expect to see another increase over 2021.
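The misconfigured cloud servers mentioned above are, in the data-theft scenario the report describes, most often storage that is readable by anyone on the internet. The following check is an added example, not code from Red Sky Alliance or from this report; it uses an S3 bucket policy as a representative AWS misconfiguration, which is an assumption of the example rather than something the report specifies. The three policies are constructed, and the check deliberately treats a wildcard principal narrowed by a Condition (for example to a VPC endpoint) as needing review rather than as public.

```python
"""Flag S3 bucket policies that grant access to an anonymous principal.

Added example, not Red Sky Alliance code. The policies are constructed;
a real check would fetch each bucket's policy (GetBucketPolicy) and
also read the account and bucket Block Public Access settings, which
override a permissive policy and are not modelled here."""
import json

# Constructed policy 1: the classic leak, anyone on the internet may read.
PUBLIC_READ = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Constructed policy 2: wildcard principal, but limited to one VPC endpoint.
VPC_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowFromVpce",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Constructed policy 3: one IAM role in the account, plus a Deny of plain HTTP.
PRIVATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowBackupRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy_json):
    """Return one finding per Allow statement whose principal is anonymous.
    'conditional' is True when a Condition block narrows the grant; such
    statements need a human look rather than an automatic 'public' verdict."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action")),
            "conditional": "Condition" in st,
        })
    return findings


def is_public(policy_json):
    """A bucket is flagged public only by an unconditional anonymous Allow."""
    return any(not f["conditional"] for f in public_grants(policy_json))


if __name__ == "__main__":
    for name, pol in (("PUBLIC_READ", PUBLIC_READ), ("VPC_ONLY", VPC_ONLY), ("PRIVATE", PRIVATE)):
        print(name, "public" if is_public(pol) else "not public", public_grants(pol))
```

Running the check over the three constructed policies flags only PUBLIC_READ as public; VPC_ONLY is reported as a conditional wildcard grant for review, and PRIVATE produces no finding because its only wildcard principal sits in a Deny statement. The same pattern (parse the policy, enumerate Allow statements, test the principal) carries over to Azure storage account access policies, although the document format differs.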
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts are currently collecting and analyzing underground data stolen from many of the critical infrastructure sectors across the globe.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941