Half of Ransomware Attacks Now Involve the Theft of Data Prior to Encryption

Coveware has released its Quarterly Ransomware report for Q3, 2020 highlighting the latest ransomware attack trends. The report confirms that data exfiltration prior to the use of ransomware continues to be a popular tactic, with around half of all ransomware attacks involving data theft. Attacks involving the theft of data doubled in Q3, 2020.

In cases where data are stolen prior to file encryption, victims are told that their data will be leaked online or sold if the ransom is not paid, in order to pressure them into paying. Ransomware victims should nonetheless carefully consider whether or not to pay: there are no guarantees that paying the ransom will prevent publication of stolen data.

Ransomware Gangs Renege on Promises to Delete Data

The Maze ransomware gang started the double-extortion trend in 2019 and many ransomware operators soon followed suit. In some cases, two ransom demands are issued: one for the return or deletion of stolen data and the other for the keys to unlock the encrypted files. The operators of the AKO and Ranzy ransomware variants have adopted this dual ransom demand tactic.

The Coveware report reveals that, in some cases, the attackers do not make good on their promise even when the victim pays the ransom in full. There have been several cases where stolen data were leaked or stolen after the ransom was paid, and one gang is known to re-extort victims.

The report lists four ransomware operations known not to delete data after the ransom has been paid. The operators of Sodinokibi ransomware have re-extorted some victims, the Netwalker and Mespinoza operators have subsequently leaked stolen data after the ransom was paid in full, while the operators of Conti ransomware have provided victims with proof that files have been deleted, but the proof was for the deletion of fake files. Maze, Sekhmet, and Egregor have similarly leaked data on occasion, although it is unclear whether the leaks after payment were intentional.

Coveware explains that some ransomware operations see data held by multiple parties, which means that even if the threat actor deletes data, there is no guarantee that all copies will be deleted. There have been cases where stolen data are posted in error on leak sites before the victim is even given the chance to make payment.

Coveware warns its customers that payment of the ransom does not guarantee stolen data will not be shared with other threat groups or be used in further extortion attempts. Coveware tells its customers to assume theft of data is a data breach and ensure all individuals impacted by the breach are notified to give them the opportunity to monitor their accounts and take steps to protect their identities, regardless of whether the ransom demand is paid.

Ransom Demands Continue to Increase

The report shows the average ransom demand has been steadily increasing over the past 8 quarters, with the quarterly increases becoming more substantial each quarter since Q3, 2019. Ransom demands increased once again in Q3, 2020: the average demand was up 31% from Q2, 2020 to $233,817, and the median payment rose by $1,935 to $110,532. The increase in the average payment indicates ransomware gangs are conducting more attacks on large organizations, where the potential returns are much higher for a similar level of effort.

Biggest Ransomware Threats in Q3, 2020

The biggest ransomware threats in Q3, 2020 were Sodinokibi, Maze, Netwalker, Phobos, and DoppelPaymer, with the top two ransomware variants accounting for 16.2% and 13.6% of attacks respectively. Attacks with Maze ransomware peaked in Q3; however, the operators have now shut down their operation, with affiliates involved in the distribution of the ransomware mostly switching to the Sekhmet and Egregor ransomware-as-a-service operations. Attacks involving those ransomware variants increased in Q3 and are expected to continue to increase in Q4.

RDP and Phishing are the Main Attack Vectors

The most common attack vectors used to distribute ransomware have changed little over the past few quarters. Attacks on RDP are still the most common, accounting for more than 50% of infections. This is the attack vector favored by the most prolific ransomware groups such as Sodinokibi and Maze (Sekhmet/Egregor). Almost 30% of attacks see the ransomware distributed via phishing emails, with the number of phishing-related attacks having steadily increased since Q4, 2019. Software vulnerabilities and other forms of compromise are used in less than 10% of attacks.

There are worrying signs that the supply of stolen RDP credentials now outstrips demand, which is driving down the price of those credentials. As the cost falls, this attack vector opens up to other, less technically sophisticated groups, who may choose this method to attack organizations. Coveware warns that this method of attack is the most cost-effective way to compromise organizations, and the importance of properly securing RDP connections cannot be overstated.
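Because stolen or guessed RDP credentials are the entry point in more than half of the cases Coveware tracked, the most useful defensive check is to watch Windows Security logs for bursts of failed remote logons from one source, especially when a success follows the failures. The script below is an added example written for this page, not Coveware's tooling. The event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows values; the tab-separated sample records, the 5-failures-in-5-minutes threshold, and the field layout are constructed for illustration and would be replaced by whatever your log pipeline exports.

```python
"""Flag RDP credential-guessing patterns in Windows Security events.

Added example. Event IDs 4625/4624 and LogonType 10 are real Windows values;
the sample records and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line:
# timestamp <TAB> event_id <TAB> logon_type <TAB> account <TAB> source_ip
SAMPLE_EVENTS = """\
2020-09-14T02:00:01Z\t4625\t10\tadministrator\t203.0.113.7
2020-09-14T02:00:03Z\t4625\t10\tadmin\t203.0.113.7
2020-09-14T02:00:05Z\t4625\t10\tjsmith\t203.0.113.7
2020-09-14T02:00:07Z\t4625\t10\tbackup\t203.0.113.7
2020-09-14T02:00:09Z\t4625\t10\tsvc_sql\t203.0.113.7
2020-09-14T02:00:11Z\t4624\t10\tsvc_sql\t203.0.113.7
2020-09-14T09:15:00Z\t4625\t10\tjsmith\t192.0.2.44
2020-09-14T09:15:20Z\t4624\t10\tjsmith\t192.0.2.44
2020-09-14T09:30:00Z\t4625\t2\tadministrator\t127.0.0.1
"""

FAIL_THRESHOLD = 5            # illustrative: failed RDP logons from one source
WINDOW = timedelta(minutes=5)  # illustrative: within this sliding window


def parse_events(text):
    """Parse the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, acct, src = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(eid),
            "logon_type": int(ltype),
            "account": acct,
            "source": src,
        })
    return events


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for sources whose failed RDP logons
    reach `threshold` inside `window`, noting any success that follows."""
    # Only RemoteInteractive (RDP) logons matter here; local/console ones are ignored.
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in rdp:
        by_src[e["source"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        # Sliding window over the (sorted) failure timestamps: largest count
        # of failures that fall within `window` of each other.
        best, start = 0, 0
        for i in range(len(fails)):
            while fails[i]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, i - start + 1)
        if best < threshold:
            continue
        accounts = sorted({e["account"] for e in fails})
        last_fail = fails[-1]["ts"]
        # A successful RDP logon from the same source after the failure burst
        # is the sign that a guessed/stolen credential actually worked.
        success = next(
            (e["account"] for e in evs
             if e["event_id"] == 4624 and e["ts"] >= last_fail),
            None,
        )
        alerts[src] = {
            "failures": len(fails),
            "distinct_accounts": len(accounts),
            "success_after_failures": success,
        }
    return alerts


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

On the constructed input only 203.0.113.7 is flagged: five failed RDP logons against five different accounts inside ten seconds, followed by a successful logon as `svc_sql`. The single failure from 192.0.2.44 (a user mistyping a password) and the console logon from localhost (LogonType 2) do not trigger. In production the same logic runs over events pulled from the Security log or a SIEM, and the follow-up is to disable the account that succeeded and check whether the source is reachable from the internet at all, since exposed RDP is exactly the cheap entry point the report describes.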

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.