Ransomware surged by 150% in 2020 with the average extortion amount doubling, according to a new report from Group-IB.
The Singapore-based security firm analyzed over 500 attacks last year to compile its Ransomware Uncovered 2020-2021 report, which maps for the first time the most common tactics, techniques and procedures (TTPs) to the MITRE ATT&CK framework.
The average ransom demand stood at $170,000 last year, but groups like Maze, DoppelPaymer, and RagnarLocker averaged between $1 million and $2 million, it claimed.
This is because of their focus on “big-game hunting” — going after large and usually privately held organizations that are judged rich enough to pay large sums to avoid downtime. In fact, the average ransomware victim suffered 18 days of outages last year, which could have a chilling effect on revenue and reputation.
This is also why most of the attacks Group-IB studied were targeted at North America and Europe, where most Fortune 500 firms are located.
Even nation state groups like North Korea’s Lazarus and China’s APT27 have been getting involved, the report claimed.
However it was the Maze (20%), Egregor (15%) and Conti (15%) groups that accounted for most of the attacks analyzed by Group-IB.
The Ransomware-as-a-Service (RaaS) model accounted for the majority (64%) of attacks studied for this paper, and 15 new affiliate programs appeared in 2020.
Although the Maze group appeared to bow out in late 2020 while police managed to disrupt variants such as Egregor and Netwalker, new entrants to the market like Conti and DarkSide were also quick to appear during the year.
In a reflection of the shift to mass remote working during the pandemic, over half (52%) of attacks studied in the report used publicly accessible RDP servers to gain initial access, followed by phishing (29%) and exploitation of public-facing applications (17%).
Oleg Skulkin, senior digital forensics analyst at Group-IB, argued that going forward RaaS programs would continue to grow, with more cyber-criminals focusing their efforts on specific niches such as initial network access for resale and data exfiltration.
“The pandemic has catapulted ransomware into the threat landscape of every organization and has made it the face of cybercrime in 2020,” said Oleg Skulkin, senior digital forensics analyst at Group-IB. “From what used to be a rare practice and an end-user concern, ransomware has evolved last year into an organized multi-billion industry with competition within, market leaders, strategic alliances and various business models. This successful venture is only going to get bigger from here.”