Ransomware attacks go through the roof

The daily volume of ransomware attacks worldwide has jumped by 50% in the past three months compared to the first half of 2020, and as the Covid-19 pandemic rages on, attacks against healthcare targets have doubled, according to Check Point cyber security researchers.

The geographies most affected by ransomware attacks are the US, which has seen a 98% jump in attack volume, India, Sri Lanka, Russia and Turkey. The most targeted sectors were communications, education and research, government and military, software suppliers, and utilities.

Check Point’s observers, led by threat intelligence head Lotem Finkelsteen, said the most widely seen ransomwares in the wild at present are Maze and Ryuk.

“Ransomware is breaking records in 2020. The increase in ransomware attacks began with the advent of the coronavirus pandemic, as organisations scrambled to enact remote workforces, leaving significant gaps in their IT systems,” said Finkelsteen.

“However, the past three months alone have shown alarming surges in ransomware attacks, and I suspect the ransomware threat to get far worse as we approach the new year. I strongly urge organisations everywhere to be extra vigilant.”

Finkelsteen posited three main drivers behind the current surge in ransomware attacks. First, the increased sophistication of double extortion attacks, which pile additional pressure on victims by stealing and threatening to leak data as well as encrypting it, may be making successful ransomware attacks more profitable and increasing the incentive to carry them out.

Second, in many cases ransomware operators appear to be now deliberately setting their ransoms at a level that their victims are more willing to pay. By making the cost of paying up less of a headache than dealing with the time and effort needed to recover their systems, targets are incentivised to pay up and this, in turn, incentivises further attacks. Finkelsteen suggested this may be linked, in part, to the global economic slump caused by Covid-19.

Third, the recent resurgence of Emotet after a five-month absence may be having an impact. Initially designed as a simply banking trojan, Emotet is more frequently used today to distribute malware and other malicious campaigns, and its operators seem to be selling their victims’ details to ransomware operators. Because the target is clearly already vulnerable, this further incentivises ransomware attacks.

As ever, the best options for protecting an organisation against ransomware are to conduct effective education and training of end users – this needs to be more than simply making them sit through a PowerPoint presentation, and includes continuously backing up data and patching systems as soon as vulnerabilities are disclosed.

Earlier this week, a report produced by Europol revealed that ransomware is now ranked as a top priority threat by a clear majority of law enforcement bodies across Europe.

In its newly published Internet organised crime threat assessment, Europol said ransomware operators now posed a significant and growing threat to organisations by targeting supply chains and third-party service providers to access their victims’ systems, and noted the rise in double extortion attacks as a clear problem.

Europol also said it was seeing an issue with victims appearing reluctant to come forward to police or the public when they have fallen victim to ransomware attacks, which it said made it harder to identify and investigate such attacks.

The report said that many victims fear excessive focus on their cases, particularly in media reporting, which they worry may lead to re-victimisation, or blame being cast on them, which can damage investigations, and reputation.

It urged law enforcement in particular to adopt a more collaborative approach to disclosure, leaning on “the receptive nature” of media outlets to raise awareness of all forms of cyber crime with a clearer and more accurate narrative.