Skip to content ↓ | Skip to navigation ↓

As if dealing with COVID-19 were not enough, 2020 turned out to be a banner year for another troublesome strain of virus— ransomware. Malicious actors grew more sophisticated, daring and brutal. They also hit a number of high-profile targets.

For those of you who didn’t keep up with all of the developments in the ransomware space, we’ve broken down some of the most important events and trends of the year here.

Growing in Scale and Scope, More Leakware

Unfortunately, ransomware has proven to be a very effective way for criminals to make money, so it’s not surprising that it’s gaining popularity. For example, the United States saw a 139% year-over-year jump in ransomware attacks by the end of Q3.

Leakware in particular is growing especially quickly. Unlike traditional ransomware, which only encrypts data, “leakware” also steals sensitive data in plaintext before it encrypts it. The ransomware actors then threaten to release the sensitive data to the public if the victims don’t pay up.

Some of the big names who fell victim to extortion this year include a New York law firm that represents celebrities like Lady Gaga, Madonna, and Elton John. After the firm refused to pay up, the attackers auctioned off sensitive data belonging to Madonna for $1 million USD.

Auctions are just one example of how ransomware gangs deployed new methods for blackmailing their victims. There was also increasing use of social media, blogs and the dark web to spread sensitive data. One gang even published Facebook ads advertising a leak to try to intimidate a victim into giving in to their demands.

Additionally, there’s a security dimension to the rising tide of data leaks. Defense contractor Westech International’s systems were compromised this year. This is alarming news since they produce intercontinental ballistic missiles designed for delivering nuclear weapons— not exactly the kind of data you want getting into the hands of criminals.

Furthermore, 2020 stood out for a rather grim milestone — the first ransomware-related murder investigation. A woman in need of critical care died when a hospital in Germany was paralyzed by a ransomware attack and her ambulance had to be routed to another hospital 30 km away.

Overall, attacks in 2020 not only became more numerous but also more damaging; the average ransom amount demanded increased from ~$110,000 in Q1 of 2020 to ~$170,000 in Q3.

Specialization and Franchises

One of the reasons ransomware attacks became so much more dangerous this year is due to different groups of nefarious individuals specializing in certain aspects of ransomware attacks. For example, 2020 saw an increase in so-called ransomware-as-a-service (RaaS) software.

This is a business model where a dedicated team of programmers works with teams of malicious actors who specialize in finding exploits or breaking into systems by phishing attacks.

The ransomware developers make their money by taking a percentage of the profit, and the affiliate that breaks into the system makes more money since the software has special features and updates that make it harder to detect. It’s a win-win — except for the victim, of course.

Sodinokibi was the most prolific RaaS gang in 2020, followed by the Phobos and Dharma groups.

Honor Among (Some) Thieves

A number of ransomware gangs, including DoppelPaymer and Maze, made promises not to shut down emergency services or healthcare facilities during the COVID pandemic. Others, however, made no such promises. Notably, the Ryuk gang continued to target healthcare facilities.

It’s unclear if those gangs that decided to spare healthcare services are doing so out of concern for people’s health or because they are aware that they might become a higher priority for law enforcement if they do.

In any case, healthcare facilities will continue to be attractive targets for those malicious actors who are willing to attack them, as the urgency of medical services means hospital administrations may be more willing to pay ransoms.

Increasing Use of Anonymous Cryptocurrencies

Bitcoin has long been the favorite currency for ransomware gangs, but it comes with some drawbacks. Bitcoin transactions are fully transparent, so it is possible to trace transactions and identify funds that were gained through digital crime.

The Sodinokibi ransomware gang made headlines early this year when they started to demand ransom payments in Monero, an alternative cryptocurrency with added privacy and anonymity features.

The use of Monero makes it considerably more difficult for law enforcement to investigate ransomware attacks, although there are efforts underway to crack Monero’s privacy features.

The U.S. firm Chainalysis has received a number of lucrative contracts with the U.S. government to assist in tracking cryptocurrency-related crime. The IRS also issued a $625,000 bounty to any researchers who can figure out a way to trace Monero transactions.

Sanctions Compliance: More for Ransomware Victims to Worry About

The United States’ Office for Foreign Asset Control (OFAC) announced a regulatory crackdown in October designed to prevent ransoms from being paid to groups on the “sanctioned entities” list.

This further increases the already complex and stressful process of dealing with a ransomware attack, which has led to the rise of a growing number of ransomware response specialists.

These specialists increasingly have to combine cybersecurity skills with legal and regulatory knowledge as well as negotiation skills in order to minimize damage for ransomware victims.

Ransomware Starts Targeting Linux Servers

Until this year, the vast majority of Ransomware attacks targeted systems running Windows. In June, however, a new strain of Ransomware emerged targeting Linux servers.

The vast majority of servers run on Linux, so this considerably increases the amount of damage a single ransomware attack can do both in terms of shutting down an organization’s operations and accessing sensitive data.

Phishing Attacks Becoming the Preferred Ransomware Delivery Method

Ransomware attacks are becoming increasingly targeted. In past years, many ransomware gangs searched the entire web for vulnerabilities and then preyed on anyone with weak cybersecurity practices.

As companies and organizations around the world have increased security in response to the threat, malicious actors have adapted by employing more phishing attacks.

To conduct an attack of this nature, these nefarious individuals identify potential targets and conduct extensive surveillance. They may then try to trick employees into clicking a malicious link or downloading a file containing the virus by impersonating a trusted organization or individual.

This means that it is no longer enough to just have solid cybersecurity practices— it’s also necessary to train staff in best practices for avoiding phishing attacks.

For example, employees may need to verify that the individual or organization that asks them to click a link or download a file is authentic before doing so.

This presents serious challenges; in high profile cases, the attackers may hack the email of a trusted person or organization in order to impersonate them and gain the victim’s trust.

The worsening ransomware situation has a lot of organizations nostalgic for the days when you could get away with lax cybersecurity. It doesn’t look like those days are going to return any time soon.

Most ransomware gangs operate in countries that are unwilling to prosecute or extradite them, so even if police track down the attackers, there is little they can do to stop them. This means a political solution is required.

This means that, for now, organizations of all shapes and sizes are settling into a “new normal” of higher vigilance against phishing and generally improved cybersecurity practices.


About the Author: Jeff Stout is Chief of Business Development and Marketing at BeforeCrypt. His focus is on educating companies and individuals on the increasing threat of ransomware attacks. Jeff helps companies in reviewing and developing their cybersecurity policy to minimize their chances of being compromised.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.