An increase in ransomware attacks is not news to us anymore. However, that number has risen dramatically in 2020, a trend that businesses and individuals alike must NOT ignore.
Back in 2019, a McAfee report confirmed that across all sectors, ransomware incidents increased by 118% during the first quarter of 2019. That number spiked significantly in 2020, where a Mid-Year Threat Landscape Report 2020 from Bitdefender shows a 715% year over year increase in detected and blocked ransomware attacks in 2020.
We believe ransomware attacks will only increase as schools go to distance learning and working-from-home becomes the norm. The results in Quorum’s 2020 disaster recovery survey, conducted in Q1 2020, show that external computer threats such as ransomware were the #4 most common circumstance where an IT Disaster Recovery Plan was executed. In 2021, we believe that it will take the #3 spot, overtaking user/employee errors.
Circumstances Where IT Disaster Recovery Plan was Executed. Source: How Businesses Approach IT Recovery in 2020 by Quorum
In 2021, we will not just be dealing with a growth in ransomware attacks, but also increased ransomware variants, extortion methods, and sophistication. Here, we listed the top 6 trends in ransomware to watch out for in 2021.
#1: Increased Attacks from Commodity Ransomware
According to Sophos, 2021 will be the year of commodity ransomware. Ransomware groups are now offering small-time cybercriminals ransomware-as-a-service (RaaS), where these small-timers pay for a ransomware tool like Dharma or Emotet to carry out ransomware attacks themselves.
In other words, offering ransomware has become a business model similar to a software company. ANYONE can easily start using these tools to carry out ransomware attacks – as long as he has a laptop computer. What’s more, they’re even broadening their reach by offering affiliate selling models. It’s also been reported that access to compromised system by these small-time attacks can be sold to the big-time ransomware groups that uses Ryuk or other variants.
#2: Increased Ransom Amount
The average ransom demand increased 100% from 2019 through Q1 of 2020. Due to the success of overall ransomware attacks this year, more companies have negotiated and paid ransoms to get their data back. This is especially true for industries who are in desperate need of their data, such as healthcare, where operational disruptions can lead to life and death situations.
Some notable attacks have resulted in ransom amounts greater than $10 million, such as the $14 million ransom demand from Brazilian utility Light SA and the $15 million demand that Telecom Argentina had to contend with.
#3: Not Just Encrypting Data, but Stealing Data to Extort
The common ransomware attack used to be focused on encrypting the victim’s data, then demanding a ransom to decrypt. Now, there is a good chance that the victim’s data is being exfiltrated and stolen as well, just like what happened in the Solarwinds hack.
Stealing data is another method used to extort victims into paying the ransom. They would use the stolen data as leverage by threatening to leak those data if the victim doesn’t pay. Organizations in the legal, healthcare, and financial sectors are among the most targeted by these campaigns, assuming they hold the most sensitive data. This release of sensitive data can be especially detrimental to a company’s image and brand. This may be another reason why we’re seeing an increased success rate and higher ransom demand from these attacks. This is likely to become a long-term extortion mechanism.
#4: Mobile Ransomware will Grow and Continue to Get More Advanced
As our reliance on our mobile device grows, so will ransomware attacks on these devices evolve and grow. In 2020, a screen overlay attack on Android devices emerged as a new type of threat. According to Microsoft, this malware doesn’t actually block access to files by encrypting them, but instead blocks access to devices by displaying a screen that appears over every other window, rending the device useless. On the screen is the ransom note.
There’s also another strain of Android ransomware called Filercoder.C, where it lured users to install an app to gain access to pornographic content. When the victim downloads and installs the app, the ransomware encrypts system files and sends an SMS text to the victim’s contact list, encouraging them to use download and install that app.
#5: A Well-Funded Ransomware Industry?
As mentioned in #1, Ransomware-as-a-Service are mirroring their business model after software companies. It seems they are also following software companies when it comes to raising capital to grow their business.
“Cybercriminals have discussed, in open forums, proposals to create a venture capital organization or stock market of sorts, where interested parties can finance the development of malware, tools, and frameworks without ever writing a line of code,” reads a report Booz Allen Hamilton.
If these criminals do get their funding, we can expect to see a substantial growth in ransomware attacks.
The Data Backup and Recovery System that Protects Against Ransomware
Ransomware protection can get extremely costly, especially if you invest in perimeter defenses via detection and prevention tools. For companies without those types of resources, a solid data backup and recovery solution can do the job.
But the problem is, most data backup and recovery solutions are at risk of being infected with ransomware. The attack wouldn’t just encrypt all files in the corporate network, but also all the files in the backup repository. Other solutions have a different type of problem – when they restore their files from the backup, the ransomware is still there because it has already infected the backup files.
Quorum’s data backup and recovery system (onQ) is free from all those problems. Other than sharing a “wire”, Quorum onQ is completely separate from your infrastructure. It does not use your production storage, DNS, or Active Directory. This architecture is just one of the reasons why so many Quorum customers have all successfully recovered from ransomware attacks with a click.