While 2020 presented many cybersecurity threats, the year's overriding theme was relentless and often highly destructive ransomware attacks. Ransomware is a form of malware that encrypts a victim's files. The attacker demands a ransom payment from the victim to restore access to their data via a decryption key. Ransoms range from a few hundred dollars to hundreds of thousands, and criminals often ask for payment in a cryptocurrency like Bitcoin.
This article discusses eight takeaways SilverSky’s cybersecurity experts believe encapsulate key ransomware attack defense lessons learned in 2020.
Increased Frequency of Ransomware Attacks
There is typically a decrease in cyberattacks after the first of the year, but this was not the case in 2020. Instead, we saw an increase in the volume of attacks across all vectors. Most notable was the dramatic rise in ransomware attacks. By the end of September 2020, the U.S. experienced a staggering 145.2 million ransomware attacks representing a 139% year over year increase.
Malware Attacks Leverage Current Events and Chaos
The pandemic, economic stabilization mechanisms like stimulus checks, social unrest, and a presidential election—there was no shortage of emotional, urgent, and volatile events offering perfect cover for malicious email campaigns. As just one point of reference, by mid-April, there were more than 1.2 million COVID-19/coronavirus-related registered domains.
Cybersecurity Vulnerabilities Created by a Disrupted Workforce
Due to COVID-19, millions of Americans began working from home and will continue to do so for many months ahead. Previously, a significant number of organizations did not allow employees to work from home, especially in highly regulated industries like banking and healthcare. Therefore, many of these organizations had few policies or remote capacity in place. They were forced to enable remote work virtually overnight, creating vulnerabilities that cybercriminals did not hesitate to exploit.
Protect Backups from Ransomware Infection
In January 2020, REvil hit Tillamook County, Oregon's network. Fortunately, the county’s security system rapidly detected and contained the ransomware attack. Rather than infecting their entire network, the attack was confined to 17 of 55 servers and 5 of the county's 285 workstations.
Also, the county had the foresight to maintain redundant backups to protect itself in the event of a disaster. Unfortunately, their backup configurations were designed for natural disaster types of emergencies but were not designed to withstand a cyberattack. Therefore, the county’s backup was also encrypted by the malware.
The county spent hundreds of hours trying to recover using its backups but ultimately concluded that the county’s operation could not be restored without the decryption fee. Officials determined it would have taken them one to two years to restore the systems, and doing so would cost up to one million dollars. Ultimately, officials decided to pay the $300,000 ransom.
Ransomware as a Service Offering Exploded
Although Ransomware as a Service offerings were not first introduced in 2020, there was a dramatic growth in these services' utilization. Until recently, if someone wanted to launch an attack, the level of required technical knowledge was significant, especially for launching advanced attacks like polymorphic malware, supply chain attacks, code compression packers, and fileless malware. Now criminals can go onto the dark web and purchase these kinds of attacks, sharply reducing the required technical skill.
Increase in Double Extortion Ransomware Attacks
Double extortion ransomware attacks first emerged in late 2019 and escalated in early 2020. These attacks demand a ransom to recuperate encrypted files and avoid the release of stolen sensitive data. To further pressure victims, ransomware criminals have created pages on the deep web where they post samples of stolen data letting victims know the types of data staged for release if payment is not received.
In June 2020, researchers detected as many as 13 ransomware crime syndicates known to leak stolen data if the demanded ransom is not paid. Developed by the Maze ransomware group, this attack style is increasingly the norm, particularly when targeting organizations with extremely sensitive data, like the healthcare industry.
Ryuk Ransomware Wreaked Havoc
By the end of the third quarter, 67.3 million Ryuk attacks had been detected, representing 33.7% of all 2020 ransomware attacks. Interestingly, Ryuk is relatively new—first discovered in 2018. However, its presence dramatically increased in 2020 and caused a massive amount of damage to the healthcare sector.
Ryuk is particularly concerning because it often follows a multi-stage attack preceded by Emotet and TrickBot malware. If a Ryuk succeeds within an organization, its systems are likely infected with several types of malware.
Rapid Detection and Response Is Essential in the Age of Ransomware
NRC Health is an organization that administers patient survey tools for 150 of the 200 largest hospital systems. A ransomware attack in February 2020 led to a shutdown of its entire network. However, proper processes and robust security monitoring allowed NCR Health to quickly identify the attack and shut down systems to lessen the damage. Additionally, NRC Health immediately reported the breach and took action, which ultimately reduced reputational damage.
NRC Heath's cybersecurity approach allowed them to rapidly detect the breach and quickly respond—only robust around-the-clock monitoring and strategic mitigation approaches can provide this level of protection.
The sophistication and relentlessness of ransomware attacks in 2020 added to an already challenging year. However, 2021 will nearly certainly be just as problematic. SilverSky’s new Managed Endpoint Detection and Response solutions are designed to provide comprehensive protection, detection, and remediation for all your endpoints. Contact us if we can help.