Ransomware has taken the spotlight in the cyber threat landscape, driven by a steady stream of breaking news articles and headlines. ZeroFox Threat Research predicted that 2021 would see a rise in ransomware activity, but the scale of what arrived clearly went beyond what most organizations expected or had adequately prepared for. We have seen organizations and entire industries racing to learn more, assess which of their vulnerabilities are exposed and adjust their security posture.
There has been a sharp increase in attacks, a rise in ransom demands, a shift toward larger-scale targets, severe security vulnerabilities and legislation hastily assembled in the hope of addressing ransomware. However, takedowns and law enforcement interventions are also on the rise, and there are positive signs that ransomware operators are feeling the pressure. Evidence points to significant disruption within some of the most prominent threat actor groups, but defenders must stay vigilant as the actors pivot to new tactics and tools.
In this post, ZeroFox Threat Research provides a brief overview of the ransomware trends that shaped the global threat landscape in the first half of 2021, along with recommendations for preparing for what is coming.
Major Ransomware Trends and Takedowns
In the first half of 2021, several major ransomware attacks were executed at an unprecedented scale. In May, the ransomware group Darkside encrypted systems on Colonial Pipeline's corporate network, and the company shut down the pipeline that carries gasoline and jet fuel to much of the US East Coast while it responded. Even though Colonial quickly paid the USD 4.4M ransom, fuel shortages affected large parts of the country, exposing dangerous weaknesses in critical US infrastructure. The impact appeared to exceed what the attackers intended: the severity of the attack sent shockwaves through the nation and led many in the criminal community to voice frustration that it drew unwanted attention to their activities.
Likewise, in what was possibly the largest single ransomware attack ever, REvil compromised Kaseya, whose VSA remote-management product is used by managed service providers, and reportedly leveraged that access to push ransomware down to Kaseya's customers and, through them, to the businesses those customers manage. The attack began on July 2, just after the close of the period covered here. It is estimated that the attack compromised between 800 and 1,500 companies and, according to the attackers, affected one million systems. Unlike Darkside, which immediately tried to defuse the international scrutiny its attack had drawn, REvil publicly basked in its achievement, reportedly demanding a USD 70M ransom payment initially, although reports also state that the demand was later revised to USD 50M.
These attacks illustrate the scale and impact ransomware can have beyond the targeted companies and their immediate customers. It may be some time before attacks of this magnitude become common, but it is essential to recognize that they have already occurred and proven successful. Security professionals must assume attackers will continue to push the boundaries unless action is taken to stop them.
To that end, takedowns and law enforcement intervention are an ongoing trend as well. Authorities have seized servers, arrested members or otherwise disrupted operations for TrickBot, Emotet, Egregor and NetWalker, some of the most prominent players in malware and ransomware. In May 2021, an affiliate of Darkside (although not Darkside itself) was arrested and its infrastructure taken offline. In June, the prolific ransomware actor Avaddon shut down its operation and sent thousands of decryption keys for its current victims to BleepingComputer. Authorities in Ukraine also arrested six members of the Cl0p ransomware group and seized several servers.
Disrupting Ransomware At Scale
There is clear evidence of significant disruption among some of the biggest threat actors. After the Colonial Pipeline attack, Darkside and several other actors took very public steps to pull back their operations, promising to exclude entire industries from targeting and to vet their affiliates' work more carefully; Darkside then shut down completely. Avaddon was an active and prolific attacker before shutting down its operation. As mentioned earlier, several members of the Cl0p team in Ukraine were arrested and their local systems seized. All three of these actors were among those with the greatest number of ransomware victims in the first half of 2021.
ZeroFox Threat Research also observed additional disruptions, such as:
- In June, law enforcement seized DoubleVPN, one of the most popular "bulletproof" VPN services and a favorite among threat actors.
- A similar seizure was performed in December 2020 against the bulletproof VPN providers insorg[.]org, safe-inet[.]com and safe-inet[.]net.
- A free file decryptor for victims of Lorenz ransomware was released by researchers in June.
- The source code for Paradise ransomware was leaked in May.
- Mihai Ionut Paunescu, a Romanian national who provided bulletproof hosting used to distribute the Gozi banking trojan, was arrested in Colombia on US charges.
Despite all these actions and more, both the sheer number of ransomware attacks and the rate at which ransoms are paid continue to grow. Based on victims posted to data leak sites, ZeroFox Threat Research observed an average of more than 235 ransomware attacks per month in the first half of 2021.
Two ransom demands, against PC manufacturer Acer and against Quanta, a contract manufacturer that supplies Apple, reached USD 50M each. The average ransom payment has climbed to over USD 220,000, according to ransom researchers. The partial takedown of Cl0p was a short-lived victory: the actor advertised a successful attack against a new victim the following week. Even with these disruptions, 75 percent of the attacks ZeroFox Threat Research monitored were performed by just ten actors, shown below.
Additionally, the ransomware tools themselves are becoming pivot points. A builder for Babuk ransomware was leaked in June. An unknown actor appears to have modified REvil's binaries in a hex editor and used them for their own attacks. Trickbot, whose tooling is leveraged by a large number of attackers and which has been the target of multiple large takedown efforts, changed direction slightly in July 2021, releasing a new banking module, possibly signaling a need to redirect its business back into more familiar territory.
Attention from law enforcement and security researchers on underground marketplaces may push threat actors to adopt new methods of communication and collaboration to avoid monitoring of their activities. The bottom line is that the battle against ransomware has only just begun.
Ransomware Trends and Mitigating Risks
The evolving nature of cyber threats and ransomware trends continues to illustrate how quickly the global threat landscape shifts. Security researchers will continue to disclose new vulnerabilities that directly affect enterprise organizations and their partners. It is therefore essential that security teams routinely patch and update vulnerable systems and plan additional defenses beyond patching alone. The first half of 2021 proved that taking the minimum recommended security precautions is insufficient in today's threat landscape; the second half will require defenders to be even better equipped to handle it.
The ZeroFox Threat Research team has released a detailed report on ransomware trends and ways you can start preparing for what’s to come. If you need a refresher on just a few of the costs and impacts of these attacks, download the related infographic. Leverage these free resources today and reach out to our team to learn more.