In this article, we’re going to touch on the most visible ransomware-related trends that have impacted the threat landscape recently. Among them are attacks involving RDP (remote desktop), RAT (remote-access Trojan), threats faced by the health-care system, attacks on remote workers and other things.
There’s no question that the most serious cyber threat in 2021 is ransomware. There are two main reasons for this:
- The results of ransomware attacks are visible to everyone, and
- this area of malicious activity brings cybercriminals really significant income.
For example, a single criminal group that launched only a handful of attacks managed to collect about 190 bitcoins, which at the current exchange rate is about $11 million. With such sums at stake, it is highly likely that the number of ransomware attacks will grow.
The damage caused by ransomware already exceeds the results of the actions of APT (advanced persistent threat) groups. In both cases, attackers access the organizations’ online resources using administrator rights and software vulnerabilities. They use various mechanisms to hide their activity and often steal valuable information. However, a ransomware attack also knocks out the entire infrastructure and causes disruption or even stoppage of business processes.
Ransomware attacks in numbers
- 51% of companies faced ransomware attacks.
- 26% of companies paid the ransom to cybercriminals.
- The average ransom amount in 2020 was $180,000 for big companies.
- The average ransom amount in 2020 for small businesses was $6,000.
- A set of software tools needed to launch a ransomware attack costs about $50 on the darknet.
- A new ransomware attack is detected every 11 seconds.
The income of APT groups that target financial institutions has declined because money mules cannot fully operate during the pandemic. As a result, these hacker teams began partnering with ransomware owners, selling them access to the networks of compromised companies.
Another trend in 2021 is disclosing or selling sensitive data stolen from victims who refused to pay the ransom. Maze ransomware operators were the first to use this method. Later, it was picked up by other cybercriminal teams.
One more trend that I continue to observe in 2021 is a decrease in the number of attacks aimed at home users. This happens because the effectiveness of ransomware in this segment is falling. For communication, home users now use mostly instant messengers. They steadily move away from emails, which is the main channel of ransomware infections. In addition, their important data is backed up in the cloud automatically. Overall, the number of desktop PCs is decreasing while the number of mobile devices is increasing.
Small and big businesses look much more attractive to ransomware authors, since the income from attacking them is much higher. It is important to note that for many companies, the ransom payment is just one more expense, and one that can also be covered by insurance. Hackers know the budgets of their victims very well. The decision to pay the ransom is dictated by pure business needs and carries no emotional connotation. Together, these factors cause the number of ransomware attacks against organizations to grow.
One of the most active ransomware families now is the Maze ransomware, which has become a trend-setter in its field. These malicious program owners devoted much time to their reputation and actively interacted with the media, commenting on rumors and refuting false information, thus achieving increased publicity. The group formed a pseudo-positive image, calling victims “clients” and offering them technical support. These cybercriminals also pledged not to attack medical institutions and organizations affected by the economic crisis.
At the same time, Maze operators have created a kind of cartel with operators of other ransomware viruses, exchanging attack tactics and data stolen from victims. They spread their viruses through exploit kits, phishing emails, and exploitation of vulnerabilities in Adobe Flash, VPNs, and web browsers.
Other notable ransomware families: Phobos, Sodinokibi, Dharma, Ryuk, DoppelPaymer.
Remote access Trojans
Although phishing emails remain the main distribution channel, experts note an increase in the number of attacks using the RDP protocol and remote-access Trojans (RATs).
RAT programs are not talked about as much as ransomware, since their activity is usually not so visible. The key task of the Trojan is to secretly infiltrate the victim’s computer. Modern RAT programs have a modular architecture, a kind of “Swiss army knife” for a hacker. They are able to secretly transfer gigabytes of data to C&C servers, collect passwords, intercept keystrokes, record audio and video, as well as download and install other malicious programs on the infected devices.
There are known cases when the RAT program consisted of more than 70 modules intended to solve different problems. However, this is rather an exception; usually, such Trojans contain about 10-15 functional modules.
Remote Desktop Protocol
COVID-19 has forced organizations to rely on remote access more and more. One of the tools here is Microsoft’s RDP (remote desktop). This is not a new tool, but COVID-19 made it tremendously popular. RDP is part of the Windows operating system. Due to its accessibility and simplicity, many companies have begun to use it to connect home employees to work computers.
Consequently, RDP started to attract cybercriminals too. Many vulnerabilities have been found in it. One of the key flaws in this protocol was the BlueKeep vulnerability. It has been actively exploited recently. According to the specialized search engine Shodan, there are about 4 million systems on the internet with an open RDP port. Attempts to scan ports used by this service are ranked seventh, ahead of other protocols such as SMB or POP3. Cisco Systems reported that about a third of organizations have RDP-related security alerts every month.
Working from home
The cybercrooks quickly responded to the transfer of a large number of employees to remote work. More than half of companies have moved from 50% to 100% of their employees to home offices, and the security perimeter has become blurred. Experts recorded an explosive growth in the number of malicious sites with words like “covid” or “coronavirus” in their domain names. Attackers reorient their existing infrastructure to host websites that exploit relevant, newsworthy topics. Many of these rogue websites host ransomware and other malware.
Looking for passwords
A significant part of malicious operations is devoted to obtaining passwords. This is the second-most popular activity used by ransomware gangs after phishing. Legitimate accounts allow cybercriminals to remain undetected in a compromised system and leave no traces, unlike attacks involving Trojans or exploitation of vulnerabilities. Often, a hacked user account can only be identified using behavioral analysis tools.
Logins and passwords are processed in browsers, as well as other places in the system where cached information is stored. Attackers use special tools to steal this data. One of the most popular tools used in such attacks is the Mimikatz utility. This program, originally created for pentests (penetration testing), has been adopted and is actively used by cybercriminals.
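The two observations above, exposed RDP services being scanned and brute-forced, and stolen legitimate accounts that only behavioral analysis can catch, translate into a simple detection rule. The following is an added example, not code from the original article: it runs over constructed records modelled on Windows Security log fields (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) and flags a success preceded by a burst of failures, as well as any RDP logon from an address outside the account's assumed baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, event_id, user, source_ip, logon_type).
# Illustrative values only, not events from any real system.
EVENTS = [
    ("2021-03-02 02:10:05", 4625, "jsmith", "203.0.113.45", 10),
    ("2021-03-02 02:10:09", 4625, "jsmith", "203.0.113.45", 10),
    ("2021-03-02 02:10:14", 4625, "jsmith", "203.0.113.45", 10),
    ("2021-03-02 02:10:27", 4625, "jsmith", "203.0.113.45", 10),
    ("2021-03-02 02:11:01", 4624, "jsmith", "203.0.113.45", 10),
    ("2021-03-02 09:02:11", 4624, "jsmith", "10.0.0.12", 10),
    ("2021-03-02 09:15:40", 4624, "akim", "10.0.0.25", 10),
    ("2021-03-02 23:45:03", 4624, "akim", "198.51.100.7", 10),
]

# Assumed baseline: source addresses each account normally connects from.
BASELINE = {"jsmith": {"10.0.0.12"}, "akim": {"10.0.0.25"}}

FAIL_THRESHOLD = 4            # failures before a success that count as brute force
WINDOW = timedelta(minutes=5)  # how far back failures are considered

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_rdp_anomalies(events, baseline):
    """Return (rule, user, ip) alerts for RDP logons that look like credential abuse."""
    alerts = []
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of 4625 events
    for ts, event_id, user, ip, logon_type in events:
        if logon_type != 10:  # only RemoteInteractive (RDP) logons
            continue
        t = parse(ts)
        key = (user, ip)
        if event_id == 4625:
            recent_failures[key].append(t)
            continue
        if event_id != 4624:
            continue
        # Brute force: enough failures shortly before this successful logon
        fails = [f for f in recent_failures[key] if t - f <= WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("bruteforce_then_success", user, ip))
        # Behavioral: valid credentials used from an address not in the baseline
        if ip not in baseline.get(user, set()):
            alerts.append(("new_source_ip", user, ip))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_anomalies(EVENTS, BASELINE):
        print(alert)
```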
Attacks on health-care institutions
Although some ransomware groups loudly proclaim that they do not target the health-care sector, researchers observe an increase in attacks against such organizations. Cybercriminals are interested in both research institutions and ordinary clinics. In the first case, the goal of the cybercriminals is classified information that could be sold on the dark market; in the second, the ransom. Medical institutions pay money faster than other organizations, since equipment failure can entail a threat to the life and health of patients.
In 2021, I expect a massive surge in the number of ransomware threats, driven both by the acceleration of digital transformation in all industries and by the widespread transition to remote work. Over the course of the year, the number of cyberattacks will grow, their complexity will increase, and it will become increasingly difficult to protect against them.