Ransom payouts leaped by 178% between Q4 2019 to Q3 2020. We decided to investigate the possible reasons for the increase and found a major change in the ransomware threat landscape, which is likely fueling this shift.
2020 will be marked as the year ransomware groups adopted a new “double extortion” tactic, where alongside encrypting victims’ files, they also exfiltrate their data and threaten to leak it online.
In a new report, Cognyte’s CTI Research Group analyzes 1,112 ransomware attacks carried out by 21 ransomware groups, that involved data exfiltration and leakage of victims’ data to increase ransomware payouts. The report is based on our analysis of:
The main topics covered by Cognyte’s analyst teams for the report include new ransomware trends, most targeted countries and industries, origin and motives of ransomware groups, regional analysis, state-sponsored ransomware attacks and the top exploited vulnerabilities.
Targeted and state-sponsored ransomware attacks
Until 2020, data exfiltration was perceived as a tactic associated with nation-state attackers conducting cyber-espionage campaigns and banking Trojans operators who steal financial data. Its adoption by ransomware groups is the most significant trend in ransomware activities during 2020.
Another trend that has emerged in recent years, is that ransomware attacks are becoming less indiscriminate and more focused and targeted on high-value and high-profile enterprises and entities. This reminded us of nation-state actors, whose attacks are very focused and targeted in nature, so we used this analysis to check if ransomware gangs are becoming more similar to state-sponsored actors in other aspects.
The research for this report was based on Cognyte’s Luminar threat intelligence analytics, used for monitoring and analysis of global security threats. We based the research on our Dark Web monitoring capabilities and selected the groups based on the frequency of cyber threat intelligence published, as well as on updated links to websites of current and new active groups.
Following the collection of all the victims’ details from the ransomware groups’ websites, we analyzed the data by checking each victim and verifying the accuracy of the information published by the cybercriminals. We took the analysis a step further by classifying each victim by country and industry (we used 18 key industries). In addition, as some groups published their activity online, we were able to build a timeline of publication dates that helped us shed some light on the timings of the attacks.
Here are the key findings of our research:
- 21 ransomware groups were prominent in data exfiltration attacks during 2020.
- The top six groups – Maze, Conti, Egregor, DoppelPaymer, NetWalker and REvil – are responsible for attacks against 80% of the total victims.
- Top 10 targeted countries constitute 87% of the total victims.
- The US was the most targeted country, with 56% of the victims. More than half of the victims were American. The second most targeted country was Canada, with 8% of the victims. This huge gap emphasizes even further the focus on the US.
- Almost all of the top 10 targeted countries are Western countries, while there are no former Soviet Union republics (FSU), including Russia, in the list of targeted countries.
- The top six industries, manufacturing, financial services, transportation, technology, retail and government & defense constitute 70% of the total targeted victims.
- Manufacturing is the leading industry with over 30% of the total targeted victims.
- While ransomware gangs are becoming more sophisticated, it is important to note that nation-sponsored actors have also been observed to increasingly use ransomware in their attacks.
The operators behind prominent ransomware attacks in 2020 commonly exploited two notable vulnerabilities: CVE-2019-19781 and CVE-2019-11510, both were also popular among state-sponsored groups.
Download the full report to get detailed insights on ransomware groups and their activities in 2020