The State of Ransomware in 2021
The cost of ransomware attacks is expected to hit $20 billion by the end of 2021, 57 times more than it was in 2015. So significant is the problem that experts expect businesses to be attacked by cybercriminals every 11 seconds in 2021, up from 40 seconds in 2015. Furthermore, studies reveal ransomware will attack a business, consumer, or device every two seconds by 2031, resulting in losses exceeding $265 billion. This effectively makes ransomware one of the fastest growing and most profitable types of cybercrime.
Whether you are a small business or a big corporation in New Jersey, you are increasingly at risk of these attacks that can negatively affect your productivity, financial performance and reputation. To stay up to date on the cyber crimes that can impact your operations, Baroan Technologies has compiled key ransomware attack trends in 2021.
Read on for more insights:
What Is a Ransomware Attack?
Ransomware is malware that infects computers and mobile devices and restricts access to files while threatening destruction or unwarranted publication if you don’t pay the ransom. Ransomware can enter a company’s systems via a successful phishing email or contact with an infected website, among many other things.
In most cases, cyber criminals infiltrate a target business's systems long before deploying the ransomware. They first take time to do reconnaissance on the company's IT infrastructure to maximize the impact of their attack.
Primarily, criminals target commercially sensitive information, personal information, or privileged documents. Once they breach the systems, the malicious actors encrypt or exfiltrate critical files before demanding a ransom payment. The new trend in ransomware is a demand for payment in cryptocurrency, mainly Bitcoin, in exchange for returning the stolen files or providing the decryption key.
The Common Types of Ransomware in 2021
The following are some of the most active ransomware operations in the first two fiscal quarters of 2021:
Conti is arguably the most prominent ransomware of 2021. According to a recent Conti DFIR ransomware report, this ransomware targets companies and businesses in the technology, public sector, finance and consumables industries. Conti operators leverage phishing attacks to install the TrickBot and BazarLoader Trojans, which give them remote access to your systems, steal credentials, and harvest unencrypted data stored on your workstations and servers.
A notable past attack directed by the Conti group is that on the Scottish Environment Protection Agency (SEPA), which led to the publishing of 1.2 GB of stolen data on Conti's dark web leak site. Notably, the Conti News site has published data stolen from more than 180 victims to date.
REvil, also known as Sodinokibi, has been around since 2019. The malware is distributed chiefly via exploit kits and backdoored software installers. REvil has been linked to the GOLD SOUTHFIELD group and is designed to operate as ransomware-as-a-service (RaaS).
The malware is highly configurable and can gather a host's information, including username, computer name, and workgroup. It also has other capabilities that enable it to exploit vulnerabilities to elevate privileges and to encrypt non-whitelisted files and folders on local storage devices and network shares.
Recent studies on the geolocation of targets reveal organizations within South America, South-East Asia, Europe and North America are at a higher risk of a REvil attack. As of May 2021, the malware has been noted to frequently target companies in the food production niche, including dairy farms and Bakker Logistiek.
Companies in the technology sector are also at a higher risk of a REvil ransomware attack, as demonstrated by the recent attacks on the MSP Stanley Systems, Acer Computers, and Quanta Computers. The malware also targets court systems, lawyers, insurance agencies and healthcare.
The operators of Avaddon ransomware officially began their operations in June 2020 with massive attacks on the consumer-goods manufacturing and technology industries. The group uses a double extortion technique, threatening to publish stolen sets of highly sensitive data unless victims pay the ransom.
The malware is initially delivered by email as a malicious attachment, with a message body that features a smiley emoji and a set of statements designed to nudge would-be victims into taking action. Some of the commonly used statements include "look at this photo!", "photo just for you" or "you look good here." Once you open the attachment, the malware is executed via PowerShell commands to encrypt your files on Microsoft Exchange Server and Microsoft SQL Server.
Avaddon will then proceed to delete all your backup copies and system restore files. Surprisingly, the malware is designed to terminate itself if it detects that the keyboard layout language is a Slavic language such as Russian, Ukrainian, or Tatar.
CLOP is a new variant of the CryptoMix family, first discovered in February 2019. CLOP's first victim was Software AG, a German tech firm hit in October 2020.
CLOP is tied to the threat actor group TA505, which has been active since 2014. In 2020, the group used CLOP to target ExecuPharm, Inc., a U.S.-based pharmaceutical research company; Carestream Dental LLC, a U.S.-based provider of dental equipment; and Nova Biomedical, a U.S.-based medical device manufacturer.
Other notable targets and victims include Shell, Stanford University, the University of California, Bombardier, and Jones Day, among many others. The malware is often delivered through phishing campaigns via zip files and Docx files containing malicious macros. The countries targeted mainly by these threat actors are Canada, Germany, the Netherlands, Great Britain, the United States, Belgium, and others.
Darkside ransomware has been active since 2020. It is a human-operated “double-extortion” ransomware operation that first targeted the North American land developer Brookfield Residential in 2020.
Darkside was also responsible for the May 10, 2021, attack on Colonial Pipeline, resulting in a three-day shutdown of the most extensive refined oil pipeline system in North America. Colonial Pipeline had to pay Darkside a ransom of USD 4.4M in exchange for the decryption key for their network.
In the last six months of 2021, Darkside ransomware has also leaked crucial data belonging to at least 13 legal firms in North America and Europe. Elsewhere, the ransomware has also leaked data belonging to GUESS clothing, Exim Bank Indonesia, and The Leavitt Group.
Victims who choose not to pay the ransom may have their exfiltrated files freely available on Darkside's data leak site for at least six months before they are removed. The Darkside group claims it only targets organizations that can afford to pay the requested ransom, based on an analysis of the company's net income and insurance coverage.
Other significant ransomware to watch out for in 2021 include:
- DoppelPaymer ransomware
- Babuk ransomware
- NetWalker ransomware
In Figures: The Victims of Ransomware Attacks in 2021
The victims of data-leak ransomware operations in the first half of 2021 include:
- Manufactured Goods at 39 percent
- Technology & Technology Service Providers at 18 percent
- Public sector and legal services at 16 percent
- Finance at 11 percent
- Health care at 6 percent
- Entertainment and energy at 3 percent each
Baroan Technologies Can Help Reduce Your Exposure
A big mistake that most entities make is to assume malicious actors use ransomware to target only larger corporations and businesses. However, as the above analysis shows, cybercriminals target organizations of all sizes across many niches and industries. Even the slightest disruption in your operations through a denial of access to a critical IT system can result in massive losses running into the millions.
If you are a law firm, healthcare entity, insurance provider, state municipality, technology company, or similar organization in New Jersey, leveraging the solutions provided by Baroan Technologies is the surest way to reduce or eliminate the risk of a ransomware attack. Our highly experienced team of cyber-crime experts implements top-notch proactive resources to ward off attacks and ensure you are one step ahead of cybercriminals. We will also step in and respond effectively and efficiently during an active infection to minimize exposure and losses. Contact us today to learn more.