Global and Local Ransomware Trends 2020 Q1-Q3

Published on 17 Nov 2020 | Updated on 17 Nov 2020

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.

OVERVIEW

Ransomware is a perennial and constantly evolving global threat in the cyber security landscape. In the first half of 2020, researchers observed a marked seven-fold jump in the number of ransomware attacks reported globally[1], while ransomware accounted for almost half of all cyber-insurance claims filed in North America[2]. Ransomware operators were also seen leveraging the COVID-19 pandemic to target remote workforces and formed extortion cartels to exchange tactics and intelligence.

Likewise, in Singapore, the number of ransomware cases reported to CSA also increased. CyberSense had previously looked at the emerging trend of more sophisticated and targeted ransomware attacks, especially against large organisations. With the rise in ransomware attacks observed globally and locally in 2020, this edition of CyberSense delves into the key trends possibly fuelling this increase and the implications for Singapore.

GLOBAL RANSOMWARE TRENDS

Trend 1: Big Game Hunting (BGH)

Since 2019, cybercriminals have shifted from indiscriminate, opportunistic attacks to more targeted Big Game Hunting (BGH), i.e. targeting large businesses with high-value data or assets in the hope of a higher ransom pay-out. Based on research by BlackFog[3], a data privacy and cyber security company that tracks publicised ransomware attacks globally, ransomware attacks saw spikes in May, June, August and September 2020, including a number of high-profile attacks on large organisations such as Fresenius (Europe’s largest private hospital operator), Conduent (IT services giant), CMA CGM (French shipping giant) and, most notably, Duesseldorf University Hospital, which resulted in the death of a patient after the ambulance transporting her was rerouted to another hospital.

Trend 2: “Leak-and-Shame” tactics

Besides encrypting victims’ data, ransomware operators have evolved their tactics to also exfiltrate data from affected systems and networks. The “Leak-and-Shame” moniker comes from these ransomware operators applying pressure on victims by threatening to publicise the stolen data if the ransom demands are not met. In June 2020, researchers detected up to 13 active ransomware gangs known to leak stolen data if not paid. Pioneered by the Maze ransomware gang (described as one of the most prolific threat actors of 2020) since late 2019, the tactic is fast becoming the norm in targeted ransomware attacks against organisations across a range of industries around the world.

Trend 3: Ransomware-as-a-Service (RaaS)

In April 2020, researchers concluded with high confidence, based on the frequency of incidents and the analysis of their Tactics, Techniques and Procedures (TTPs), that the Maze ransomware gang was also operating an affiliate scheme. The Ransomware-as-a-Service (RaaS) model (i.e. where ransomware developers maintain the malware code and affiliates utilise it for attacks) has also proven highly profitable for Netwalker’s ransomware operators, who have reportedly earned more than US$25 million from ransom payments since March 2020.

SINGAPORE RANSOMWARE TRENDS

In line with the global rise in ransomware incidents, CSA received 61 reports of ransomware from January to October 2020, a near 75% increase in cases over the whole of 2019 (figure 1). This number represents a sharp uptick in cases reported to CSA. Affected entities were mostly Small and Medium Enterprises (SMEs) and hailed from a number of sectors, including manufacturing, retail and healthcare. The ransomware detected included older families such as Dharma/CrySIS, CryptoLocker and GlobeImposter, as well as newer ones such as Netwalker and REvil/Sodinokibi, both of which have been observed to be particularly active globally in 2020.

Figure 1: Ransomware cases reported to CSA (2016 – Oct 2020)

Local cases were seen increasing, beginning in April 2020 (figure 2), with ransomware operators simultaneously targeting bigger enterprises (i.e. Big Game Hunting) from May to August. While most of the cases reported were from SMEs, ransomware operators were observed to be gunning for bigger fish in the manufacturing, retail and healthcare sectors.

Figure 2: Ransomware cases reported to CSA (Jan – Oct 2020)

Three of the ransomware families detected in the reported local cases are also known to operate “Leak Sites” (Table 1), an observation that corresponds with the global trend of “Leak-and-Shame”.

Several of the ransomware families identified also operate under the Ransomware-as-a-Service (RaaS) model (Table 1). Their prevalence could be due to the lower barriers to entry and lower costs of the RaaS business model, which make it easier for less skilled cybercriminals to utilise ransomware.

Table 1: Ransomware observed in local cases under the RaaS model and/or have leak sites

Columns: Ransomware | RaaS | Leak Site

Ransomware families listed: Avaddon, Netwalker, REvil/Sodinokibi, Dharma/CrySIS, LockBit, Makop, Phobos

Based on observations, local ransomware attacks are likely a consequence of, or at least strongly influenced by, major global trends. The ‘Big Game Hunting’ trend means that all organisations of a certain scale, including Singapore entities, have become potential targets. The presence of recent and advanced ransomware in Singapore cyberspace, some of which operate under RaaS and run leak sites, suggests that as these trends gain further traction, Singapore organisations need to be increasingly vigilant against cyber threats.

While the rise in local cases reported coincided with the start of Singapore’s Circuit Breaker (CB) period in April, the number of incidents was still seen increasing even after ‘safe re-opening’ in June. That said, it is still plausible that the increase in telecommuters and the adoption of insecure practices to get work done during the CB and post-CB periods contributed to the spike in ransomware cases, as threat actors take advantage of the expanded attack surface created by poorly implemented IT infrastructure and the poor cyber hygiene of telecommuting employees.

KEY TAKEAWAYS

Given the way ransomware tactics have become more sophisticated, and with the swift entry of new malware, smaller businesses and individuals need to guard against opportunistic cybercriminals utilising lower-cost ransomware affiliate models. Similarly, larger enterprises need to put in place strong preventive measures beyond just having regular offline backups to defend against the Big Game Hunting trend, as ransomware no longer entails the mere denial of access to one’s data and systems but is more akin to a data breach. For more information on guarding against ransomware attacks, organisations may wish to refer to CSA’s advisory on Protecting Your Organisation From Evolving Ransomware Attacks.

CSA adopts a whole-of-government approach, together with the cooperation of private sector partners, to deal with ransomware attacks. CSA also works actively with international partners and CERT* networks to share information and coordinate cross-boundary responses and is a supporting partner of the “No More Ransom” international project. For victims of ransomware, the “No More Ransom” international initiative offers free decryption tools on its online portal to help in the decryption of encrypted data and provides ransomware prevention advice.

*Computer Emergency Response Team (CERT) refers to a group of information security experts responsible for the protection against, detection of and response to cybersecurity incidents.
