Even today, 2020 is remembered chiefly as the pandemic year, but for many businesses and organisations it was a year of ransomware. Ransomware in 2020 reached new heights not only in the size of ransom demands but also in its cost and consequences.
In 2020, ransomware attacks are estimated to have caused economic damage worth hundreds of billions of dollars, according to New Zealand-based anti-malware company Emsisoft.
Ransomware in 2020
Last year, while the world was struggling with the unprecedented COVID-19 crisis and nations were undergoing prolonged lockdowns, organisations and businesses took the lesser-known but risky route of remote working. They extended their corporate networks’ reach and provided data access to remotely working employees over unsecured internet connections, vulnerable devices and home networks.
But this shift to remote working also handed threat actors an expanded and easily reached attack surface. They had ample opportunities to strike and exploit, from corporate networks and data to employees’ devices and home networks.
“With attack surfaces expanded, sensitive company data being accessed from vulnerable devices and remote staff inevitably cutting corners on normal security protocols, COVID created the perfect environment in which ransomware could thrive,” Emsisoft Malware Lab wrote in a blog post.
This shift to remote working created new security challenges and IT complexities for organisations. But for threat actors and specialised ransomware groups it was the perfect moment to exploit, experiment and cash in on their victims’ data.
For ransomware groups, this remote working environment offered far less resistance than what they had faced in the past when attacking organisations. Knowing that close to 90% of desktops and laptops run Microsoft Windows, threat actors aimed at the Remote Desktop Protocol (RDP).
RDP almost became the first choice for breaching remote-working devices and systems, opening the way for ransomware to penetrate deep into corporate networks and servers and ultimately take control of the data.
Maze, REvil and other ransomware groups are known for deploying sophisticated techniques to hit their targets. “The REvil (also known as Sodin or Sodinokibi) ransomware has been known since 2019 and it can both encrypt data and steal it. It is distributed on specialized forums by subscription,” said Denis Legezo, Senior Security Researcher, Kaspersky’s Global Research and Analysis Team.
In 2020, attackers continued to rely on targeted ransomware aimed at large organisations and businesses. Besides RDP, attackers used malicious spam, phishing emails, injected exploits and even unpatched software vulnerabilities.
That was the new modus operandi of 2020 that most organisations and their remote staff were learning to deal with. In most cases, victims were asked to pay a ransom to get their stolen data back. If they refused to pay, threat actors would leverage the stolen data in other ways: it would end up on the dark web, also known as the darknet, where it was sold, auctioned or traded.
According to Malwarebytes’ 2021 State of Malware report, “the REvil ransomware group not only holds data hostage but the victims are threatened with the public release of swiped data, if a ransom is unpaid.”
To make matters worse for victims, attackers would even leak part of the stolen data along with a threat or an embarrassing message for others to see. That is how ransomware groups made big money in 2020, extorting organisations into paying large ransoms.
In fact, Malwarebytes’ new report mentions that the REvil ransomware group, with its successful affiliate model, is believed to have earned $100 million in a year. In many cases, organisations have paid ransom money to cybercriminals to protect their business reputation.
But paying the ransom offers no guarantee to organisations or victims, according to security experts. Attackers may not release all of the stolen data, may keep a copy to sell on the darknet, or may hold on to it for future ransom demands.
“Victim organisations of targeted ransomware fear that even after paying the ransom, there’s no guarantee that they will get their data back. Or the nefarious cybercriminals would misuse the data by leaking it publicly or even selling it on the dark web,” said Kaspersky (APAC) MD Chris Connell.
A breach in which sensitive data is lost to cybercriminals can also damage an organisation’s reputation among its stakeholders and consumers. “It is cardinal for businesses and institutions to be prepared to fight against these attacks and be transparent with their stakeholders in case of an incident,” added Connell.
Kaspersky’s latest ransomware landscape report revealed that between 2019 and 2020, the number of its users encountering targeted ransomware increased by 767%. Targeted ransomware groups breached at least 61 entities in APAC in 2020. Australia and India were the two countries that logged the highest number of incidents across APAC.
Stats of Ransomware in 2020
Compared with 2019, 2020 saw a 12.39% increase in total ransomware submissions: Emsisoft and ID Ransomware received 506,185 ransomware submissions between January 1 and December 31, 2020.
Emsisoft security researcher Michael Gillespie created the ID Ransomware service. It enables organisations and individuals to identify which ransomware strain has encrypted their files and provides a free decryptor should one be available.
Only about 25% of victims make a submission to Emsisoft or ID Ransomware, so the actual number of ransomware incidents in 2020 is likely far higher than the statistics show.
STOP/Djvu was the most frequently submitted ransomware strain in 2020, accounting for 71.20% of all submissions. In total, 587 ransomware variants were submitted last year, and STOP/Djvu was by far the most common.
Surprisingly, Emsisoft data indicates that India topped the list of the 10 nations accounting for the most ransomware submissions when STOP submissions are included.
Among the submitting nations, India accounted for 27.40%, followed by Indonesia and the USA with 15.10% and 10.90% respectively. India also had the most ransomware submissions in each quarter of the year and was responsible for 14.40% of all submissions in 2020.
More than half of all submissions (52.60%) in 2020 came from just 10 countries. Although ransomware is a truly global threat, Emsisoft data indicates that Asia was the most commonly targeted region in 2020. With six nations in the top 10 (including transcontinental Turkey), Asia accounted for more than a third (35.70%) of all ransomware submissions in 2020.
The Cost and Consequence of Ransomware
The cost and consequences of ransomware attacks are far-reaching, and when all the damages are added up they run into billions of dollars, as Emsisoft estimated for 2020.
Emsisoft notes that ransomware gangs thrived during last year’s COVID-19 pandemic, with the increased adoption of data exfiltration helping to create a lucrative year for the criminals and a costly and extremely disruptive year for victims.
According to Emsisoft data, the average ransom demand grew by more than 80%, with a minimum of $18 billion paid in ransoms globally in 2020. With the cost of downtime in the private and public sectors added, the overall financial cost of ransomware would be billions more.
Among the 10 countries with the highest number of ransomware submissions and ransom demand costs last year, the USA topped the chart, followed by France and Spain.
For instance, the USA made a total of 15,672 ransomware submissions in 2020; the minimum ransom demand cost was $4,893,699,209, and the overall estimated cost, which combines ransom demand costs and downtime costs, stood at a whopping $19,574,796,838.
France made 4,476 submissions and the minimum ransom demand cost was $1,387,058,087, while the overall estimated costs stood at $5,548,232,346.
Spain, in third place, had 4,088 submissions; the minimum ransom demand cost was $1,272,238,829 and the overall estimated cost was $5,088,955,314. The numbers are staggering in terms of the economic damage caused by ransomware in 2020.
Beyond the huge financial losses, the consequences of ransomware attacks on businesses and organisations show the severity of such incidents: they range from shutting down business operations and downsizing staff to changing business strategy and offerings.
The French multinational insurance firm AXA, with operations in 52 countries, is probably the first insurer to take a business decision in response to rising ransomware attacks and ransom demands.
Last week, AXA reportedly decided to stop writing cyber insurance policies that cover ransomware attacks in France. AXA said it will not reimburse customers for extortion payments made to ransomware criminals.
The global insurer said, however, that it will continue to offer ransomware cover in countries other than France. France is second only to the USA among the top 10 nations in terms of the overall estimated cost of ransomware in 2020, as per Emsisoft data.
This could be one of many reasons why AXA decided to halt the underwriting of ransomware policies in France.
Insurance industry experts believe that more corporate customers are willing to pay ransom demands because it is the insurer, not the corporate, that pays. Going forward, this could cost insurance companies more than it costs their corporate customers.
But AXA is not the only company affected by the challenges posed by ransomware attacks and ransom demands. US-based Colonial Pipeline, a major pipeline system operator on the East Coast, reportedly halted some of its operations after a ransomware attack last week.
Although the company has not revealed whether the hackers made any ransom demand, Colonial Pipeline did admit that ransomware hit some of its information systems, forcing some operations to shut down.
Security experts opined that the cyberattack on Colonial Pipeline was a planned act by hackers following the new US sanctions on Russia.
In March this year, the Australian Channel Nine TV network went off-air after a cyberattack. According to reports, the severe cyberattack knocked out Channel Nine’s IT systems and the network was unable to broadcast its shows for several days.
Damage caused by ransomware attacks on the critical infrastructure of private organisations, or on key installations and facilities of any country, can severely disrupt the economy.
Recall the WannaCry ransomware attack of mid-May 2017, which severely affected supply chains and disrupted the production and operations of many global companies.
The ransomware incidents of 2020 seem to have already started to repeat this year, and more such incidents cannot be ruled out.
Globally, organisations and businesses, along with governments, will have to stay alert and guard against cyberattacks. Doing so will help avert attacks and minimise the damage and impact when they do occur.
(Image credit – Kaspersky)