December 28, 2020
Ransomware Facts and Trends That Dominated 2020
Ransomware is a dangerous type of malware, and ransomware attacks are, unfortunately, on the rise. These attacks cause significant financial losses and reputational damage. Ransomware news is making headlines more frequently than ever before. Last week a large company in the USA was attacked with ransomware that caused a loss of USD 10 million, and just recently a cyberattack on a nuclear power plant was detected. The ransomware news we hear is scary, and the threat of a ransomware attack is always looming. This article covers top ransomware facts and trends, including the latest ransomware threats, to familiarize you with the newest tactics used by attackers. I hope that these facts and figures will help you keep new ransomware at bay.
The Number of New Ransomware Attacks Is Growing
The rate of increase in ransomware attacks in 2020 is the highest in history. As of October 2020, September was the month with the highest number of ransomware attacks in 2020. New ransomware attacks are also becoming more sophisticated, with attacks on servers rising in popularity. By taking control of servers, attackers can infect more computers connected to an enterprise network and cause more damage.
Microsoft reports that ransomware has been the most common reason for incident response since October 2019. According to the 2020 Microsoft Digital Defense Report, 13 billion malicious and suspicious emails were blocked by Microsoft between January and October 2019. Blocked emails contained more than one million malicious links that could have started an attack.
Ransom Fees Are Growing
The ransom amounts demanded by attackers are growing year by year. Compared with 2018, the average ransom payment demanded by attackers has doubled, according to the figures presented in the blog post Ransomware e-Statistics on safetydetectives.com.
The average requested ransom amount:
2018 – $4300
2019 – $5900
2020 – $8100
Analyzing recent ransomware attacks, Cybersecurity Ventures predicted that the damage caused by ransomware would be more than USD 20 billion in 2021.
When it comes to ransomware statistics, attackers have been targeting North America, Asia and Europe more or less equally. North America is in the first position with about 33% of attacks, Asia is in second with 30% and Europe is in third with 27%. As for the number of ransomware attacks in different countries, the ranking presented in the State of Ransomware 2020 (BlackFog) is as follows (from highest number of attacks to lowest):
Nevertheless, new ransomware attacks strike in almost all countries. If your country is not included in the top chart, that doesn’t mean that you and your company can feel safe. Attackers prefer to attack targets in developed countries rather than ones in developing countries. Some countries hire state-sponsored hackers to launch attacks against organizations (including organizations related to critical infrastructure) and competitors in other countries.
Operating Systems That Are Under Attack
The same Ransomware e-Statistics blog post gives these figures for the most attacked operating systems:
Windows – 85%
macOS – 7%
iOS – 7%
Android – 5%
Traditionally, Windows has been attacked more frequently. However, macOS users shouldn’t feel safe because macOS is now being targeted by ransomware creators too. Detection of malware on Mac devices has doubled since 2018 and continues to rise. Popular operating systems on mobile devices are attacked too.
Data Leaks and Encryption
Hackers always try to modify new ransomware versions to cause more damage and get more money. In many cases new ransomware is developed to steal data from a victim and then encrypt files on infected computers by using strong encryption algorithms. The fact that data is stolen by hackers is an additional point of pressure on a victim. Attackers publish a portion of stolen data on the dark web and demand that the victim pays or they will release what they’ve got.
Cybercriminals hope that the threat of publishing stolen data will force the victim to pay. This happens regardless of whether the victim has backups to recover their data and thus doesn’t need to decrypt encrypted files. If an attacked company operates with customer data, for example, and these customers are EU citizens, the company may incur hefty fines if this data is leaked and made public. The Maze ransomware was one of the first that sent stolen files to attackers before starting encryption. This approach used by cybercriminals is known as double extortion.
Methods of Ransomware Infection
The methods of ransomware infection remained almost the same in 2020. Here are some figures from Ransomware Detectives (some companies were targeted by several methods):
- Spam and phishing email remain in leading positions among attack vectors – 67%
- Human factor when users are not trained well enough – 36%
- Weak passwords and insufficient access management – 30%
- Gullibility of users and poor user practices – 25%
- Malicious websites and advertising – 16%
- Other – 16%
Social engineering is widely used for phishing campaigns and unpatched vulnerabilities are favored by attackers as well. Latest ransomware news and trends confirm that phishing has become even more sophisticated. Many of the latest ransomware attacks were started by targeting web browsers. Remote attacks on servers are also common. According to 2020 ransomware statistics, the popular ways to infect computers and infiltrate networks remain almost the same as in the past year:
- Remote Desktop Protocol
- Misconfigured public cloud instances
- USB flash drives and other removable media
Attacking Organizations that Are Intolerant to Downtime
Ransomware statistics demonstrate which types of organizations are most attacked. Organizations with a low tolerance for downtime are in the leading positions (according to the same BlackFog report):
- Manufacturing companies
- Professional services sector
- Government organizations
Hackers launch ransomware attacks against organizations that cannot afford significant downtime. In addition, organizations that may incur regulatory fines because they handle customer data are targeted too. Attackers hope that this factor increases the likelihood that a victim pays the ransom. Attacks on healthcare organizations and educational organizations were also popular in 2020. According to the facts and trends for 2021 by Cybersecurity Ventures, critical infrastructures will be targeted even more frequently in 2021.
Attacking Home Users
The COVID-19 pandemic has affected the whole globe since the beginning of 2020. The dangerous coronavirus (SARS-CoV-2) spreads easily and leads to devastating health outcomes for many people. To prevent the spread of this infection and a collapse of the healthcare system, many organizations switched to the remote work model. Sometimes users working from home are not well protected and become a target for ransomware attackers. Generally, attackers go for larger organizations to get more money. But cybercriminals have also been attacking home users since the beginning of the pandemic in the hope of accessing enterprise networks.
Masquerading Using the COVID-19 Theme
The COVID-19 pandemic was one of the top themes in 2020 because of the unpredictable health outcomes for many people and the negative impact on economies. Ransomware attackers take advantage of this fact and have started using the COVID-19 topic in their phishing emails. An example of such an email is a message that claims to contain important update information about coronavirus and asks the user to open an attachment with more information or to open a link. A harmful attachment can be a Word or Excel document with macros that run to install ransomware. A malicious link is an alternative way to download and run ransomware on a target computer. The latest ransomware and malware trends reveal that the number of coronavirus phishing emails has shot up.
Ransomware as a Service
While the popularity of cloud services like PaaS (platform as a service), IaaS (infrastructure as a service) and SaaS (software as a service) is growing, cybercriminals are also providing ransomware as a service (RaaS), and the demand for it is growing. With RaaS, ransomware developers provide a highly customizable kit that is ready to launch ransomware attacks. This kit is offered for a fee to other cybercriminals, known as partners or affiliates, who use it to launch ransomware attacks. RaaS schemes come with different types of partner programs and offers. Ransomware creators provide a web portal for affiliates and release updated versions of ransomware kits. The RaaS model has greatly contributed to the number of attackers and ransomware attacks. One of the latest examples of ransomware attacks using the RaaS model is Netwalker.
Here are some statistics that may be of interest from the Sophos white paper on the State of Ransomware 2020.
About 73% of ransomware attacks against organizations have encrypted data.
More than 56% of victims (organizations) have restored their data from a backup.
The average cost to remediate a ransomware attack is about $761,000.
Average cost to remediate a ransomware attack:
- By paying a ransom approx. $1,448,000
- By restoring from a backup without paying a ransom approx. $733,000
Organizations that pay a ransom need to do a lot of work to recover data manually if they get the decryptor tool. Organizations that restore data from backups by following a disaster recovery plan spend less time and need less effort to recover data.
How to Protect Your Data Against New Ransomware
Each home or enterprise user should follow online safety rules and their company’s security policy even when working remotely. Users who receive the appropriate training and are aware of the latest ransomware threats and infection methods are less likely to be infected with new ransomware. Teach users about phishing, social engineering and other methods used to infect computers with ransomware.
Some of the main online safety rules are:
- Don’t open links from unknown sources.
- Install anti-virus software on all computers and make sure that the anti-virus is updated regularly.
- Configure a firewall on routers and computers.
- Install security patches and software updates regularly to reduce the number of software vulnerabilities.
- Configure email filters on email servers or email gateways to keep suspicious email messages from reaching users.
- Back up your data regularly and follow the 3-2-1 backup rule. Restoring data from a backup is the most effective method to recover data and continue normal operation. Use NAKIVO Backup & Replication to back up your data. Download the product from the official website.
- Test backups periodically to make sure that you can recover data in case of a ransomware attack.
- Create a disaster recovery plan. Don’t forget to test your disaster recovery plan and different disaster recovery scenarios.
- Monitor your servers. Configure a monitoring system to track which services on which servers are online and which are offline. Configure notifications that are sent to administrators via email, Skype or SMS. Ransomware usually kills running processes such as Oracle, MS SQL and others to remove the write protection on files those processes hold open. A monitoring system with automatic notifications helps you detect a ransomware attack even if you are out of your office (for example on a weekend, on vacation, on holidays, etc.), so that computers can be powered off and the attack terminated before all files are encrypted. You may need somebody to power off equipment in your office or data center in this case.
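One way to implement the monitoring rule from the last item, as an added example that is not part of the original article: alert when several database services on the same host stop within a short window, while ignoring a single service that stops and comes back. The service names, hosts, window and threshold are assumptions, and the event feed is constructed sample data standing in for whatever your monitoring system exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Services whose unexpected stop is worth correlating (illustrative names; adjust per estate).
WATCHED = {"MSSQLSERVER", "SQLSERVERAGENT", "OracleServiceORCL", "MySQL80"}

# Constructed sample feed: (ISO timestamp, host, service, new state).
SAMPLE_EVENTS = [
    ("2020-12-26T02:10:05", "app02", "MySQL80", "stopped"),   # routine restart
    ("2020-12-26T02:10:40", "app02", "MySQL80", "running"),
    ("2020-12-26T03:14:02", "db01", "MSSQLSERVER", "stopped"),
    ("2020-12-26T03:14:09", "db01", "SQLSERVERAGENT", "stopped"),
    ("2020-12-26T03:14:31", "db01", "OracleServiceORCL", "stopped"),
    ("2020-12-26T09:00:00", "db01", "Spooler", "stopped"),    # not a watched service
]

def detect_mass_stop(events, watched=WATCHED,
                     window=timedelta(seconds=120), threshold=3):
    """Return one alert per host on which `threshold` distinct watched
    services stopped within `window` of each other."""
    recent = defaultdict(deque)   # host -> (time, service) of recent stops
    alerted, alerts = set(), []
    for ts, host, service, state in sorted(events):
        if service not in watched:
            continue
        when = datetime.fromisoformat(ts)
        if state == "running":
            # The service came back: forget its stop (planned restart).
            recent[host] = deque(s for s in recent[host] if s[1] != service)
            continue
        if state != "stopped":
            continue
        stops = recent[host]
        stops.append((when, service))
        while when - stops[0][0] > window:    # drop stops older than the window
            stops.popleft()
        names = sorted({name for _, name in stops})
        if len(names) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host,
                           "first_stop": stops[0][0].isoformat(),
                           "services": names})
    return alerts

if __name__ == "__main__":
    for alert in detect_mass_stop(SAMPLE_EVENTS):
        print("ALERT", alert)   # hand off to email/SMS notification here
```

A stop of one service is normal operations; the signal is the cluster of stops on one host, which is why the rule correlates by host and time instead of alerting per service.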
If your computers do get compromised by ransomware after all, it is recommended that you don’t pay the ransom. If you pay a ransom, you sponsor cybercriminals and encourage them to increase activity and stage more new ransomware attacks. In addition, there is no guarantee that you will be able to decrypt files after paying a ransom. Neither is there a guarantee that after paying the ransom your stolen data will not be sold to competitors or other criminals. Plan how to mitigate the negative impact of a data leak if your data is stolen or encrypted.
This article has covered the facts and trends in ransomware. Recent ransomware attacks are growing in virulence, and attackers have been taking advantage of remote work vulnerabilities. These facts and trends demonstrate that new ransomware can steal users’ data before encrypting files to extort a victim. Data loss is a concern for both companies and individual users. Ransomware news tells us that attacks on large organizations are a current trend, but attacks on individual users are also taking place as companies shifted to remote work during the pandemic. Be responsible and implement security measures in your organization and at home to prevent being attacked by new ransomware. However, unfortunately, there is no reason to think that ransomware will be completely defeated any time soon.