Cognyte CTI Research Group
March 23, 2021

2020 was the year ransomware evolved – key findings from Cognyte’s Cyber Threat Intelligence report

Ransom payouts leaped by 178% between Q4 2019 and Q3 2020. We decided to investigate the possible reasons for the increase and found a major change in the ransomware threat landscape, which is likely fueling this shift.

2020 will be marked as the year ransomware groups adopted a new “double extortion” tactic, where alongside encrypting victims’ files, they also exfiltrate their data and threaten to leak it online.

In a new report, Cognyte’s CTI Research Group analyzes 1,112 ransomware attacks carried out by 21 ransomware groups that involved data exfiltration and leakage of victims’ data to increase ransomware payouts. The report is based on our analysis of:

The main topics covered by Cognyte’s analyst teams for the report include new ransomware trends, most targeted countries and industries, origin and motives of ransomware groups, regional analysis, state-sponsored ransomware attacks and the top exploited vulnerabilities.

Targeted and state-sponsored ransomware attacks

Until 2020, data exfiltration was perceived as a tactic associated with nation-state attackers conducting cyber-espionage campaigns and with banking Trojan operators who steal financial data. Its adoption by ransomware groups is the most significant trend in ransomware activity during 2020.

Another trend that has emerged in recent years is that ransomware attacks are becoming less indiscriminate and more focused, targeting high-value and high-profile enterprises and entities. This reminded us of nation-state actors, whose attacks are very focused and targeted in nature, so we used this analysis to check whether ransomware gangs are becoming more similar to state-sponsored actors in other aspects as well.

Our methodology

The research for this report was based on Cognyte’s Luminar threat intelligence analytics, used for monitoring and analysis of global security threats. We based the research on our Dark Web monitoring capabilities and selected the groups based on the frequency of cyber threat intelligence published, as well as on updated links to websites of current and new active groups.

Following the collection of all the victims’ details from the ransomware groups’ websites, we analyzed the data by checking each victim and verifying the accuracy of the information published by the cybercriminals. We took the analysis a step further by classifying each victim by country and industry (we used 18 key industries). In addition, as some groups published their activity online, we were able to build a timeline of publication dates that helped us shed some light on the timings of the attacks.

Here are the key findings of our research:

  • 21 ransomware groups were prominent in data exfiltration attacks during 2020.
  • The top six groups – Maze, Conti, Egregor, DoppelPaymer, NetWalker and REvil – are responsible for attacks against 80% of the total victims.
  • Top 10 targeted countries constitute 87% of the total victims.
  • The US was the most targeted country, with 56% of the victims, meaning more than half of the victims were American. The second most targeted country was Canada, with 8% of the victims. This huge gap further emphasizes the focus on the US.
  • Almost all of the top 10 targeted countries are Western countries, while no former Soviet Union (FSU) republics, including Russia, appear in the list of targeted countries.
  • The top six industries – manufacturing, financial services, transportation, technology, retail and government & defense – constitute 70% of the total targeted victims.
  • Manufacturing is the leading industry with over 30% of the total targeted victims.
  • While ransomware gangs are becoming more sophisticated, it is important to note that nation-sponsored actors have also been observed to increasingly use ransomware in their attacks.

The operators behind prominent ransomware attacks in 2020 commonly exploited two notable vulnerabilities, CVE-2019-19781 and CVE-2019-11510, both of which were also popular among state-sponsored groups.

Download the full report to get detailed insights on ransomware groups and their activities in 2020.

Cognyte CTI Research Group

Cognyte's Cyber Threat Intelligence (CTI) research team (formerly SenseCy) is comprised of handpicked expert analysts, many of whom are ex-military intelligence, with years of experience in cyber threat intelligence and analysis. Our research team monitors, analyzes and validates threat actors’ malicious activities on platforms such as social networks, mobile applications, Deep Web sites, Dark Web marketplaces, hacker forums, IRC channels, global CVEs and external threat intelligence generated by leading security providers. The research group regularly produces threat alerts and intelligence reports based on region-, industry- and organization-specific threats, including in-depth analysis, actionable recommendations, IoCs and more, to proactively identify and mitigate threats before they materialize, enhance resilience and prevent future attacks.