In 2019, ransomware was still a major type of threats that haunted people around the world. The most prominent families were GlobeImposter, GandCrab, and WannaCry, which were extremely active and had far more variants than others. According to NSFOCUS Security Labs’ observation, the number of ransomware families and variants increased sharply in four months from May to August 2019, which was somewhat attributable to the soaring prices of major cryptocurrency types. These families used diverse compromise methods to attack a wide variety of sectors, posing a severe threat to organizations’ and individuals’ data. Through ongoing monitoring, NSFOCUS Security Labs finds that the following trends of ransomware took shape in 2019:
1. Victimizing targets across a wide range of sectors
In 2019, ransomware victims were distributed in various industries, including finance (23.8%), telecom (16.6%), governments (14.3%), real estate, chemicals, tobacco, healthcare, and IT. Obviously, ransomware attackers were most interested in finance, telecom, and real estate, all of which are lucrative sectors and capable of paying high amounts of ransom.
2. Enabling hackers to rake in high returns
Ransomware enables hackers to make a killing. Take the GandCrab family as an example. First spotted in 2018, the ransomware stopped operation in June 2019 upon the operator’s declaration. According to the organization, in only 18 months, they raked in up to USD 2 billion of ransom and, abominably, legalized this income.
3. Moving faster towards industrialization
Ransomware as a Service (RaaS) is maturing, enabling cyber criminals to do evil at an increasingly low cost.
Moreover, inspired by their predecessors who have been successful in getting rich quick, more people are attracted to this lucrative business, giving birth to more diversified ransomware. The brazen behavior of the organization behind GandCrab is not only a blatant provocation to cybersecurity law enforcement and professionals but also an effective move to invite more copycats to this line of trade.
Sodinokibi, another ransomware family, bears resemblance to GandCrab in many an aspect and is so regarded as the inheritor of the latter. After a successful ransomware attack, a ransom note will be displayed, instructing users to access specified websites. These websites provide multiple channels for purchasing Bitcoins as well as a 24/7 customer support platform for both parties to negotiate the ransom amount, exhibiting a high level of industrialization.
4. Boasting a variety of compromise and spreading methods
In 2019, ransomware families were found to use a variety of methods to spread themselves, including weak password cracking, remote exploit, phishing, URL redirection, and bank trojans. Specifically, EternalBlue stood out from other remote exploits. Vulnerabilities in such cross-platform components as Adobe Flash, WebLogic, and Confluence were also targeted, but related exploits were not so popular as EternalBlue because of the limited usage of these components. Moreover, some ransomware families
were spread via notorious bank trojans like Emotet and TrickBot for targeted ransom demands.
In view of the diverse compromise methods of ransomware, IT managers should back up data more frequently in a regular manner besides properly maintaining and upgrading systems.
To be continued.