October 30, 2020 Update

The FBI, CISA and HHS recently released an advisory regarding an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Watch the webinar, “Protecting Healthcare Organizations from Recent Malware Attacks,” on demand to learn more about how to respond.
Watch on demand

Ransomware is one of the most intractable — and common — threats facing organizations across all industries and geographies. And, incidents of ransomware attacks continue to rise. Meanwhile, ransomware threat actors are adjusting their attack model to adapt to improvements that organizations are making to recover from these attacks.

As of September 2020, one in four attacks IBM Security X-Force Incident Response has remediated this year have been caused by ransomware. Ransomware incidents appeared to explode in June 2020. That month saw one-third of all the ransomware attacks IBM Security X-Force has remediated so far this year.

Figure 1: Relative monthly volume of ransomware attacks analyzed by X-Force in 2020 (Source: IBM Security X-Force)

For IBM Security X-Force, the importance of ransomware in 2020 is underscored by the heavy toll this attack type is taking on corporations worldwide. This toll is made heavier by increasing ransom demands and attacks that blend ransomware with data theft and extortion techniques.

Top Takeaways

  • Ransom demands are increasing exponentially. In some cases, IBM Security X-Force is seeing ransom demands of more than $40 million.
  • Sodinokibi ransomware attacks account for one in three ransomware incidents IBM Security X-Force has responded to in 2020 so far.
  • Attackers are finding schools and universities to be an even more attractive target for ransomware attacks, especially as they begin classes virtually or are experimenting with hybrid environments due to COVID-19.
  • 41% of all ransomware attacks IBM Security X-Force analyzed in 2020 targeted organizations with operational technology (OT) networks.

This post will highlight the ransomware types IBM Security X-Force has observed most frequently. It will also touch on some of the more concerning trends in ransomware attack techniques — such as blended extortion-ransomware attacks — and what companies can do to combat this new onslaught from what could be a devastating threat to their operations.

Watch the webinar

Ransomware Attack Trends

Looking at data from Q2 2020, the number of ransomware attacks IBM Security X-Force Incident Response remediated more than tripled compared to the previous quarter. They represent 32% of the incidents our team responded to between April and June 2020.

Targets

In terms of targets, IBM Security X-Force has observed a general shift in ransomware attacks. Ransomware hits manufacturing companies hardest. These account for nearly a quarter of all the incidents responded to so far this year. The professional services sector is the second most targeted industry and has experienced 17% of ransomware attacks. Government organizations follow in third place at 13% of attacks.

Attacks on these three industries suggest that ransomware threat actors are seeking out victims with a low tolerance for downtime, such as manufacturing networks. Organizations that require high uptime can lose millions of dollars each day due to a halt in operations. Therefore, they may be more likely to pay a ransom to regain access to data and resume operations.

In addition to these sectors, IBM Security X-Force has also noted an uptick in ransomware attacks on academic institutions throughout 2020. Particularly as schools and universities begin classes virtually or are experimenting with hybrid environments due to COVID-19, attackers are finding them to be an attractive target for ransomware attacks.

A cluster of universities attacked in May and June 2020 has expanded to additional academic institutions in August and September, with universities paying ransoms ranging from $400,000 to over $1 million in the hope that sensitive information on faculty, students and research is not publicly released.

Geo Reach

While ransomware attacks continue to reach all corners of the world, Asia and North America are the hardest hit so far this year. They account for 33% and 30%, respectively of ransomware engagements that IBM Security X-Force has responded to in 2020.

Europe, too, has experienced significant ransomware activity over recent months, representing 27% of attacks IBM Security X-Force’s incident response team remediated. These numbers suggest that ransomware attacks, while generally geography-agnostic, tend to focus on regions more densely populated by businesses they can target.

Evolving Ransomware Tactics in 2020

In the engagements IBM Security X-Force has remediated, several concerning trends have arisen in ransomware attack techniques and methodology. Of these, most concerning is a new emphasis on blended extortion-ransomware attacks — where threat actors steal sensitive company information before encrypting it. If victims chose not to pay for a decryption key, attackers will then threaten to release stolen information publicly.

This tactic places many victims in a catch-22 situation. Even if they are able to restore encrypted files from backup, they may suffer a data breach, loss of data and customer records and have to pay regulatory fines, not to mention repair a damaged reputation. In some cases, attackers were suspected to name their ransom according to the regulatory fines organizations would have to pay, using that as another pressure tactic to make them consider paying.

With attackers actually stealing company data, ransomware attacks are also becoming data breaches, with the relevant risk and implications that these types of incidents entail. This trend forces security management to re-assess risk and adjust incident response, disaster recovery and business continuity plans accordingly.

Sodinokibi: Linked to Organized Crime Group ITG14

The ransomware strain IBM Security X-Force has seen most frequently in 2020 is Sodinokibi (also known as REvil) — a ransomware-as-a-service (RaaS) attack model that has been capitalizing on blended ransomware and extortion attacks this year.

This malware has been involved in ransomware and data theft attacks and in some cases, its operators stole and auctioned off sensitive data on the internet when they were not able to coerce victims to pay up.

Sodinokibi also makes up 29% of all IBM Security X-Force ransomware engagements in 2020, suggesting that Sodinokibi actors are more skilled at gaining access to victim networks when compared to other ransomware strains.

Figure 2: Top attacking ransomware families per IBM Security X-Force engagements in 2020 (Source: IBM Security X-Force)

From our analysis, Sodinokibi has claimed at least 140 victim organizations since its emergence in April 2019, with the top industries targeted, including the wholesale sector (19%), manufacturing (18%) and professional services (16%). U.S. organizations have been hardest hit by Sodinokibi, making up approximately 60% of those to suffer its attacks, followed distantly by the U.K., Australia, and Canada.

By IBM Security X-Force’s estimation, more than 36% of Sodinokibi victims have paid the ransom, and 12% of victims have had their sensitive data sold in an auction on the dark web. Prices for data range from $5,000 to over $20 million in these auctions. In addition, we assess at least 32% of Sodinokibi ransomware victims have had their data leaked by those operating this ransomware.

Our research also indicates Sodinokibi attackers consider a victim organization’s annual revenue when determining a ransom request, with known requests ranging from 0.08% to 9.1% of the victim company’s yearly revenue. The group appears to tailor its requested ransom amount to a victim organization, with the highest Sodinokibi requested known ransom amount being $42 million and the lowest around $1,500. Our conservative estimate for Sodinokibi ransomware profits in 2020 is at least $81 million.

During our research of Sodinokibi ransomware, we identified evidence suggesting that ITG14 — which shares campaign overlap with FIN7 — is at least one affiliate group connected to these attacks. After investigating a Carbanak backdoor associated with a Sodinokibi ransomware attack, we discovered this Carbanak sample was similar to new Carbanak 64-bit variants, which have been connected to ITG14 tools and techniques. We also assess this sample is used exclusively by the group. This leads us to conclude that ITG14 is at least one affiliate group that contracts with Sodinokibi RaaS providers to deliver these attacks.

Maze: Using the Buer Loader

IBM Security X-Force has also observed continued Maze ransomware attacks in 2020, which made up 12% of the ransomware attacks observed so far this year. Maze is also using the RaaS and blended extortion-ransomware models and advertises its victims on a publicly available blog — techniques similar to those of Sodinokibi. Maze has heavily targeted victims in the professional services sector, mostly hitting organizations in North America and Europe.

Under the RaaS model, multiple threat groups are delivering Maze ransomware to organizations, creating a wide variety of tactics, techniques and procedures (TTPs) that can be associated with Maze ransomware, as highlighted by several security vendors. Of these TTPs, IBM Security X-Force has observed one potentially newly discovered tactic: the use of a code-signed Buer Loader to maintain a foothold. Buer Loaders first appeared for sale on the dark web in late 2019 and has received several updates. It is capable of downloading and executing additional payloads, establishing persistence and communicating over the HTTPS protocol. The attacker also probably used the Buer Loader to download and install Cobalt Strike — a very common tool used in Maze attacks in 2020.

Figure 3: Buer Loader version released in May 2020

SNAKE/EKANS: A New Threat to Industrial Controls

One of the more concerning ransomware strains in 2020 is EKANS — or SNAKE (EKANS spelled backwards) — which was first identified in mid-December 2019 and makes up 6% of the ransomware attacks IBM Security X-Force has observed so far in 2020.

EKANS ransomware is able to kill several critical processes on a victim device, including some processes directly related to industrial control system (ICS) operations. This feature has significant implications for ICS and operational technology (OT)-connected systems, given that this ransomware has the potential to have a greater effect on physical processes when compared to other ransomware strains. Since 41% of all ransomware attacks observed by IBM Security X-Force in 2020 targeted OT-connected industries, the implications of potential EKANS attacks are significant.

IBM Security X-Force analysis of EKANS ransomware samples indicates it was written in the Go programming language, an open-source project. As a first step, the ransomware attempts to resolve a victim’s internal domain name. If the ransomware is unable to resolve the domain name, it uses this step as a kill switch and terminates. In addition, the malware searches for several hardcoded ICS-related processes to terminate before the encryption process takes place. This aspect of the malware is similar to MegaCortex, for which IBM Security X-Force has analyzed several modifications. In fact, the twelve hard-coded processes EKANS is designed to kill can be found in the MegaCortex ransomware in addition to dozens more.

Combating the Ransomware Onslaught

Ransomware attack methods in 2020 have in many ways put victims in a more difficult position than we have observed previously. Those using ransomware to extort victims have, over time, increased demands, rising to over $40 million in some cases. Blending attacks with extortion techniques, some ransomware targets companies’ most critical systems and processes.

If attackers are able to gain entry into a network, encrypt files and threaten to leak stolen data, some organizations may be tempted to pay the ransom. Many factors play into a decision to pay, and no single calculus will be applicable to all organizations.

“The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

If your organization has been a victim of ransomware, we recommend seeking a solution where data can be restored and reputational loss mitigated, rather than paying the attackers. In some instances of ransomware attacks, IBM Security X-Force malware reverse engineers have been able to create a custom decryptor to restore encrypted files. While this solution tends to be the exception rather than the rule, it underscores the importance of exploring a variety of options before resorting to paying a ransom.

Ransom payments encourage attackers to continue their activity, validate their business model and incentivize additional cybercriminals to participate in this type of attack activity. Yet, even in these difficult situations, there are actions companies can take that can help mitigate risks and minimize damage.

  • Establish and maintain offline backups. Ensure you have files safely stored from attacker accessibility with read-only access. Availability of backup files is a significant differentiator for organizations that can help recover from a ransomware attack.
  • Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.
  • Employ user behavior analytics to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.
  • Employ multifactor authentication on all remote access points into an enterprise network — with particular care given to secure or disable remote desktop protocol (RDP) access. Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.
  • Use penetration testing to identify weak points in enterprise networks and vulnerabilities that should be prioritized for patching. In particular, we recommend implementing mitigations for CVE-2019-19781, which multiple threat actors have used to gain initial entry into enterprises in 2020 — including for ransomware attacks. In addition, consider prioritizing the immediate remediation, as applicable, of the following frequently exploited software vulnerabilities:
    • CVE-2019-2725
    • CVE-2020-2021
    • CVE-2020-5902
    • CVE-2018-8453
  • VPN-related CVEs
    • CVE-2019-11510
    • CVE-2019-11539
    • CVE-2018-13379
    • CVE-2019-18935

To learn more about X-Force threat intelligence on ransomware attacks, watch our webinar, Combatting Ransomware: How Threat Intelligence Enhances Defense for the City of L.A., on demand.

If you have experienced a ransomware attack and would like immediate assistance from IBM Security X-Force incident response, please call our hotline at 1-888-241-9812 (US) or +001-312-212-8034 (Global). Learn more about X-Force’s threat intelligence and incident response services.

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-ranking banking trojan Ramnit out to steal payment card data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today