Report reveals which industries are most vulnerable to new ransomware attacks
Cloud security company Zscaler has announced its new Ransomware Report highlighting the most prolific ransomware actors, their attack tactics, and the industries being targeted.
Zscaler's ThreatLabz research team has analysed over 150 billion platform transactions and 36.5 billion blocked attacks between November 2019 and January 2021, in an attempt to identify emerging ransomware variants and how to stop them.
The report also outlines a growing risk from double-extortion attacks, which are being increasingly used to disrupt businesses and hold data hostage for ransom.
“In recent years' ransomware has become increasingly dangerous, with new methods like double extortion and DDoS attacks making it easy for cybercriminals to sabotage organisations and do long-term damage to their reputation,” says Zscaler's CISO and VP of security research, Deepen Desai.
“Our team expects ransomware attacks to become increasingly targeted in nature where the cybercriminals hit organisations with a higher likelihood of ransom payout. We analysed recent ransomware attacks where cybercriminals had the knowledge of things like the victim's cyber insurance coverage as well as critical supply-chain vendors, bringing them in the crosshairs of these attacks.
“As such, it is critical for businesses to better understand the risk ransomware represents and take proper precautions to avoid an attack. Always patch vulnerabilities, educate employees on spotting suspicious emails, back up data regularly, implement data loss prevention strategy, and use zero trust architecture to minimise the attack surface and prevent lateral movement,” he says.
According to the World Economic Forum 2020 Global Risk Report, ransomware was the third most common, and second most damaging type of malware attack recorded in 2020. With payouts averaging $1.45M USD per incident.
ThreatLabz found in late 2019 there was a growing preference for double-extortion attacks in some of the more active ransomware families. These attacks are defined by a combination of unwanted encryption of sensitive data by malicious actors and the extraction of sensitive files to hold for ransom.
Organisations affected by these attacks, even if they are able to recover the data from backups, are then threatened with public exposure of their stolen data by criminal groups demanding ransom. In late 2020, the ThreatLabz team noticed this tactic was further augmented with synchronised DDoS attacks, overloading victims websites and putting additional pressure on organisations to cooperate.
According to Zscaler, a diverse range of industries were targeted over the past two years by double-extortion ransomware attacks. With the most targeted industries being: manufacturing (12.7%), services (8.9%), transportation (8.8%), retail - wholesale (8.3%), and technology (8%).
During the previous year, ThreatLabz identified seven families of ransomware that were encountered the most. The report discusses the origins and tactics of the following top five groups:
- Maze/Egregor: From May 2019 Maze was the most commonly used ransomware for double-extortion attacks accounting for 273 attacks, until it seemingly ceased operations in November 2020. The top three industries targeted were high-tech (11.9%), manufacturing (10.7%), and services (9.6%). Mase notably pledged to not target healthcare companies during the COVID-19 pandemic.
- Conti: First noticed in February 2020 and the second most common attack family accounting for 190 attacks, Conti shares code with the Ryuk ransomware and appears to be its successor. The top three industries most impacted are manufacturing (12.4%), services (9.6%), and transportation services (9.0%).
- Doppelpaymer: Active from July 2019 with 153 documented attacks, Doppelpaymer targets a range of industries and often demands large payouts in the six and seven figures. It's top three most targeted organisations were manufacturing (15.1%), retail - wholesale (9.9%), and government (8.6%).
- Sodinokibi: Also known as REvil and Sodin, it was first spotted in April 2019, and has been encountered with increasing frequency with 125 attacks. Sodinokibi started using double-extortion tactics in January 2020 and had the greatest impact on transportation (11.4%), manufacturing (11.4%), and retail/wholesale (10.6%).
- DarkSide: Active from August 2020 after putting out a press release advertising its services. Using a Ransomware-as-a-Service model, DarkSide deploys double-extortion methods to steal and encrypt information. The group is public about its targeting manifesto, writing that it does not attack healthcare organisations, funeral services, education facilities, non-profit organisations, or government entities on its website. Instead, the primary targets are services (16.7%), manufacturing (13.9%), and transportation services (13.9%).