In Q1 2020, ransomware attacks focused on large companies through unsecured RDP. Pandemic or no, the healthcare sector was still a major target.
In April 2020, the operators of the Shade ransomware shut down their operations, released over 750,000 decryption keys, and went so far as to apologize to their victims. Whatever the real story is behind the move, most other ransomware operators have clearly failed to develop consciences. In many ways, just as you thought things couldn’t get worse, they did.
The latest Coveware ransomware marketplace report is filled with disturbing numbers. It is based on ransomware events in enterprises handled by the Coveware Incident Response team in the first quarter of 2020. Therefore, it includes the beginning period of the coronavirus lockdown, but even that didn’t seem to slow down the criminals.
The Microsoft Threat Protection Intelligence Team also reported recently on healthcare organizations targeted by ransomware. There isn’t anything particular to the healthcare industry in Microsoft’s analysis or advice. But much of its analysis parallels Coveware’s, and the report, along with a follow-up report, is filled with good advice on how to thwart the current generations of ransomware.
Who are the victims?
The average ransom payment in the first quarter of 2020 was $111,605, a 33 per cent increase over the previous quarter. Coveware reports that attackers focused more on larger companies compared with the final quarter of 2019, but that the majority of targeted companies are small. This can be seen from the fact that the average size of targets was 625 employees, but the median was only 62. This indicates the distribution-skewing presence of very large companies among Coveware’s clients, but it’s reasonable to assume the effect is more general to the market.
How did the healthcare sector fare? Healthcare providers have been a favorite target of ransomware gangs, as the patient data they hold is especially sensitive. Whole medical practices have gone out of business for failure to recover from ransomware incidents. Coveware says some ransomware groups continued to target healthcare organizations, while others refused to do so. In early March, several ransomware gangs said they would not attack healthcare organizations.
When broken down by industry sector, the largest grouping, at 18.1 per cent of targets, were professional services, including law firms, accounting firms, and IT management businesses. Healthcare organizations comprised 13.8 per cent, and public sector came in at 12 per cent. The remaining groups were all below 10 per cent of the total. While these numbers are interesting and informative, it’s important to remember that they are a percentage of total incidents and do not reflect the size of the target.
Apparently, there is some element of seasonality to these attacks. According to Coveware, school systems are typically targeted in the summer, to put pressure on them to pay up before school starts. But the rapid switch to remote learning put schools in an unfamiliar and vulnerable position. Sensing an opportunity, ransomware gangs increased attacks on schools in the first quarter.
Which attacks predominate?
A fairly small number of “families” of ransomware dominate these days and are generally associated with specific gangs. The biggest, in Coveware’s data, is Sodinokibi (also known as REvil), at 26.7 per cent of all incidents. No. 2 is Ryuk, a variant of the Hermes ransomware, at 19.6 per cent. Then there is a drop to Phobos and Dharma, at 7.8 per cent apiece.
Below that, the percentages are all below 5, but there has been a great deal of shifting among the players. The Mamba and GlobeImposter ransomware shot up four and five spots, respectively, in the rankings. Mamba is a variant of Petya, which, in 2017, was used in a global cyberattack that caused $10 billion in damage.
The average ransom for each ransomware family is partly a function of the types of targets they pursue. The average Phobos-targeted company had 81 employees and a $15,761 ransom. The average Sodinokibi target had 374 employees and a $327,931 ransom. The average Ryuk target had 1,035 employees and a $1,339,878 ransom.
There are three methods by which almost all ransomware attacks gain access to the victim’s networks: No. 1, through which over 50 per cent of all attacks are perpetrated, is unsecured RDP (Remote Desktop Protocol) connections. Email phishing was used in just over 25 per cent of cases, and exploits of software vulnerabilities in about 12 per cent.
All of Phobos’s attacks and the majority of Sodinokibi’s were committed through RDP, indicating that it is not a major avenue of entry in large companies. Almost all of Ryuk’s attacks used email phishing, indicating that targeted spear-phishing is the method of choice in attacks against large companies, which may have better technical protections against an external RDP attack. Sodinokibi attackers used all methods, but mostly RDP, with a large minority of vulnerability exploits.
What happened to the data?
Suffering a ransomware attack is bad. Having to pay the ransom is embarrassing, but paying and not getting your data back is devastating. Coveware’s data is especially interesting in this regard. In 99 per cent of cases (up from 98 per cent in the fourth quarter) in which the victim paid the ransom, they received a decryption tool from the attacker.
Coveware argues that these numbers may not reflect the average among all ransomware victims. Some ransomware gangs are more reliable about following through than others, and so the specific attacker involved in a specific case will affect whether Coveware would recommend paying the ransom.
Receiving the tool isn’t the end of the story, though. The data recovery rate this past quarter was 96 per cent, meaning that the tool failed 4 per cent of the time. They attribute these problems to ransomware variants, which have a tendency to corrupt data upon encryption, apparently a bug in the encryption software.
Some ransomware variants also exfiltrate data, meaning they copy it off the victim’s network in addition to encrypting it in place. Attackers threaten to release the data, which could be embarrassing to the company and its customers and expose the company to legal problems. Coveware observed exfiltration in 8.7 percent of all attacks and 99 percent of Maze attacks.
The new ransomware normal?
As noted above, the average ransom paid in the first quarter was $111,605. Of those ransoms, 99 per cent were paid in Bitcoin, but the money trail is more complicated. Attackers are often converting their payments into cryptocurrencies, and then back to Bitcoin, and then to conventional money to make it harder to trace. Some are asking for other currencies, such as Monero, at the outset.
But that amount may be dwarfed by the cost of downtime caused by the incident. Victims suffered an average of 15 days of downtime in the same quarter, which is why so many pays the ransom.
It’s hard to say, at this point, what will happen to ransomware attackers when the victims have had their business already devasted by quarantine restrictions. It’s often possible to negotiate with the attackers, and it’s better for the attacker to get some money rather than none.
The first quarter had a good deal of time before the lockdown, and so it’s hard to see the effect it had on attacks. If ransomware attackers really are shifting their targets, at least with respect to healthcare, we will see that in the second-quarter numbers. In the meantime, Coveware and other ransomware incident response firms are offering free help to healthcare providers under attack.
2020 ransomware attacks: Lessons for leaders
- Consider hiring a penetration testing firm to look for vulnerabilities to the main avenues of a ransomware attack: RDP, phishing, and vulnerability exploit.
- Create good backups of all your data and protect them from attack.
- Have an incident response plan in place for a ransomware attack and check that it would still work under quarantine restrictions.
By Larry Seltzer