Cyberattacks have skyrocketed in the last year as a result of the shift to remote work. We’ve seen a spike in all kinds of attacks, but ransom attacks are the most notable. They increased by 150% in 2020, while the amount paid by victims has tripled.
In 2021, we’re seeing headlines about high-profile ransom attacks targeting municipalities, big companies, and critical infrastructure with demands of tens of millions of dollars. The attacks are also becoming more sophisticated.
Late last year, we learned that hackers had compromised SolarWinds, a company that develops monitoring and management software used by both Fortune 500 companies and government agencies. The attack affected Cisco, Belkin, Intel, and Nvidia, as well as the US Treasury, Commerce, State, Energy, and Homeland Security departments.
The US government has updated its estimates of how many businesses and federal agencies were affected: 9 federal agencies and roughly 100 private sector companies. Authorities believe that the cyberattack is most probably of Russian origin, but it was launched from within the United States.
In March this year, hackers exploited Microsoft Exchange Server vulnerabilities to gain access to email accounts and install web shell malware, which granted them administrative access to victims’ servers. This attack affected more than 30,000 organizations in the US.
And this month, Colonial Pipeline – the largest fuel pipeline in the United States – confirmed that it paid $4.4 million in ransom after cybercriminals infiltrated its network and forced it to shut down.
Apple was also targeted by hackers through Quanta – a Taiwan-based manufacturer that makes MacBooks for Apple as well as other products. The attackers wanted $50 million, and when Quanta refused to pay, they demanded the ransom from Apple.
Ransomware has become a big expense for corporations. According to IBM Security X-Force, the hacking group Sodinokibi managed to make more than $123 million in 2020, and keep in mind that this is just one group. Cybercriminals are becoming more daring in the tactics they use. For example, another hacking group called DarkSide has gained a reputation for being particularly aggressive, harassing executives on their mobile phones, and threatening to notify the media and customers.
And executives are certainly feeling the pressure – 64% of CEOs surveyed by security company Proofpoint believe they’re at risk for a material cyberattack.
Most Dangerous Ransomware Attacks
Ransomware is a type of malware that encrypts a victim’s files so attackers can then demand a ransom in exchange for restoring the victim’s access to those files. The victim receives instructions on how to pay, and once they comply, they get a decryption key. The ransom can start at a few hundred dollars, but attacks targeting companies averaged $850,000 in 2020. Even if the company has backups, the hacking groups may also have copied the sensitive information to their own servers and increased the pressure with a DDoS attack.
At the moment, Maze is the most notorious ransomware threat to companies throughout the world. It was discovered by malware intelligence analyst Jerome Segura and was originally known as “ChaCha ransomware.” In the beginning, this ransomware group used exploit kits like Fallout and Spelevo to launch attacks.
The group is best known for its approach to extortion. The creators of the Maze malware came up with a new way to exert pressure on ransomware victims: they encrypt files and ask for a ransom, but if the victim refuses to pay because they have backed up their data, the group threatens to publish the stolen information on the internet.
The threat is not idle, and they do actually publish their victims’ files. Even if their victims sue, it’s too late because the damage is done.
Since Maze introduced this tactic, other ransomware groups have begun to use it.
Allied Universal, a security services company based in California, was the first victim. The company refused to pay the ransom, so 700 MB of its data was released on the internet. Most ransomware groups that use this strategy run dedicated websites to publish the data of victims who refuse to meet their demands.
Cognizant and Xerox are two of the big companies that have been targeted.
REvil stands for Ransomware Evil, and it’s the name of an ambitious criminal ransomware-as-a-service (RaaS) enterprise that’s also known as Sodinokibi. The REvil group took its name from the Resident Evil movie series and has extorted large amounts of money from organizations all over the world.
Similar to Maze, REvil encrypts the victims’ files and sends a message explaining that they have to pay a ransom in bitcoin to regain access. If the victims don’t pay before the deadline, the ransom is doubled.
The developers behind RaaS operations such as REvil enlist the help of other hackers, known as affiliates, to distribute the ransomware on their behalf. The developers keep around 20% to 30% of the proceeds, and the rest goes to the affiliates who break into corporate networks and deploy the malware.
If a RaaS operation builds a reputation for being successful, it will attract affiliates more easily. When one operation closes, the affiliates simply move on to another, which is what happened with Maze as well.
The REvil group seems to tailor its ransom demands to the annual revenue of its victims, so the demand can range from $1,500 to $42 million.
This ransomware has made the headlines many times for targeting A-list celebrities including Madonna, Elton John, Mariah Carey, Drake, Rod Stewart, Bruce Springsteen, Robert De Niro, Bette Midler, and Barbra Streisand and then leaking their data on the internet.
Ryuk is another crypto-ransomware that encrypts files to prevent access to a file, system, or device until the ransom is paid, and it’s one of the most active right now.
It gets access through TrickBot – a banking Trojan that has extended its capabilities and is now considered a complete modular malware ecosystem – or through other means such as Remote Desktop Services. It encrypts files using strong standard algorithms like RSA and AES and assigns a unique key to each executable.
Ryuk ransomware mostly targets large corporations and government entities that can afford to pay a large ransom.
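The families described above all share one observable behaviour on the victim's machine: a large number of files are rewritten in a short time, their contents become indistinguishable from random bytes, and they often receive a new extension. The following detector is an added example written for this article (not code from Maze, REvil, Ryuk, or any vendor) and shows how a defender can score file-write telemetry for that pattern. The event format, the file paths, the `.locked` extension, the byte samples and the thresholds are all constructed assumptions for illustration; a real deployment would feed it events from an EDR or file-system audit source.

```python
"""Heuristic detector for ransomware-like bulk encryption activity.

Added example, not from the original article. Signals used:
  * written content with high Shannon entropy (ciphertext looks random),
  * excluding extensions that are legitimately high-entropy (archives, media),
  * many such writes landing within a short time window.
Event format, thresholds and sample data are assumptions for illustration.
"""
import math
import os
import random
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class FileEvent:
    ts: float      # event time in seconds (constructed)
    path: str      # path of the file after the write or rename
    data: bytes    # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


ENTROPY_THRESHOLD = 7.5  # assumed cut-off; tune against your own baseline
BENIGN_HIGH_ENTROPY_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4"}


def is_suspicious_write(ev: FileEvent) -> bool:
    """High-entropy content written to a file that should not normally be compressed/encrypted."""
    ext = os.path.splitext(ev.path)[1].lower()
    return (shannon_entropy(ev.data) >= ENTROPY_THRESHOLD
            and ext not in BENIGN_HIGH_ENTROPY_EXT)


def detect_bulk_encryption(events: Iterable[FileEvent], window_s: float = 60.0,
                           min_files: int = 5) -> Optional[dict]:
    """Return an alert dict when >= min_files suspicious writes fall within window_s seconds.

    The alert covers the whole burst that starts at the first qualifying window.
    Returns None when no burst is found.
    """
    hits = sorted((e for e in events if is_suspicious_write(e)), key=lambda e: e.ts)
    start = 0
    for end, ev in enumerate(hits):
        while ev.ts - hits[start].ts > window_s:   # slide the window forward
            start += 1
        if end - start + 1 >= min_files:
            # Threshold met: extend to include the rest of the burst inside the window.
            burst_end = end
            while (burst_end + 1 < len(hits)
                   and hits[burst_end + 1].ts - hits[start].ts <= window_s):
                burst_end += 1
            window = hits[start:burst_end + 1]
            return {
                "first_ts": window[0].ts,
                "last_ts": window[-1].ts,
                "files": len(window),
                "extensions": sorted({os.path.splitext(h.path)[1] for h in window}),
            }
    return None


def make_sample_events() -> List[FileEvent]:
    """Constructed telemetry: two benign writes followed by a burst of six encrypted files."""
    rng = random.Random(42)  # seeded so the sample is reproducible

    def ciphertext_like(n: int = 2048) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Quarterly figures are attached; see the summary table.\n" * 40
    events = [
        FileEvent(0.0, "/srv/share/notes.txt", text),                   # plain text, low entropy
        FileEvent(5.0, "/srv/share/photo.jpg", ciphertext_like()),     # benign high-entropy media
    ]
    for i in range(6):                                                # the burst
        events.append(FileEvent(10.0 + i, f"/srv/share/doc{i}.docx.locked", ciphertext_like()))
    return events


if __name__ == "__main__":
    print(detect_bulk_encryption(make_sample_events()))
```

Entropy alone is a weak signal (archives, images and already-encrypted files are legitimately random-looking), which is why the example whitelists known high-entropy extensions and only alerts on a burst; in practice you would also correlate with the process performing the writes and with rename patterns, and raise the priority if a text file with payment instructions appears alongside the encrypted ones.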