
IBM: Ransomware attacks surged in Q2, ransom demands rising

IBM Security examined several concerning ransomware trends this year, including a steep rise in ransom demands and a massive spike in attacks during the spring.

This spring was an especially gloomy season for ransomware, according to new research from IBM.

In a blog post Monday, IBM Security X-Force said the number of ransomware attacks it remediated in the second quarter more than tripled compared with the previous quarter. The report, titled "Ransomware 2020: Attack Trends Affecting Organizations Worldwide," noted a particularly dramatic increase in late spring.

"Ransomware incidents appeared to explode in June 2020. That month saw one-third of all the ransomware attacks IBM Security X-Force has remediated so far this year," wrote Camille Singleton, threat analyst at IBM Security and author of the report.

Finalized in September, the report determined that Asia and North America together accounted for more than 60% of the incidents IBM Security observed this year.

Other takeaways included a sharp increase in ransom demands, the adoption of new attack techniques and a shift in the types of organizations threat actors are targeting this year.

According to the report, ransom demands have climbed steeply, from an average of $1,200 per attack just a few years ago to demands exceeding $40 million that IBM has observed this year.

One reason for the increase is the shift to "big game hunting," Singleton said. Over the past year, IBM Security has observed multiple groups shift their targeting to large corporations rather than small or medium-sized businesses in order to collect a larger ransom.

"Groups such as Sodinokibi and Maze appear to be calculating that large corporations are more able and willing to pay a large ransom to restore data or ensure sensitive data is not leaked," she said. "In fact, we have been able to identify that Sodinokibi's ransom asking amount is closely related to a company's annual revenue. This trend is pushing ransom asking demands higher, as cybercriminals test the limits of how much revenue they can bring in."

Sodinokibi success

The report revealed that Sodinokibi ransomware attacks account for one in three ransomware incidents IBM has responded to in 2020 so far. In addition, it estimates that Sodinokibi profits this year are more than $81 million. The estimate is derived from multiple factors, including X-Force Threat Intelligence and OSINT.

One reason behind the group's success, said Christopher Kiefer, IBM Security threat analyst, is that it takes a very careful approach when choosing the threat actors who deliver its malware to victims.

"The Sodinokibi group looks for experienced, highly skilled hackers that know how best to quickly infiltrate corporations and keep a low profile until a ransomware attack is executed," he said. "This approach has allowed the group to target victims that are likely to yield a high, fast payout relative to the hackers' investment. The group also has a public-facing blog on which it advertises victims, ransom asking amounts, stolen information, and data available for sale at auction."

Sodinokibi is not the only group using a public data leak site to extort victims. One of the most concerning trends in ransomware attack techniques, according to the report, is the new emphasis on blended extortion-ransomware attacks, in which threat actors steal sensitive company information before encrypting the victim's systems. Among the top ransomware families by attack volume, Sodinokibi accounted for 29% of attacks, with Maze, which pioneered the name-and-shame technique, coming in second at 12%.

IBM has seen instances where the ransomware infection itself is unsuccessful, but the victim still pays the threat actors to prevent stolen corporate data from being made public, Singleton said.

"This is a very common and concerning trend: ransomware attackers are finding ways to make a profit even when an organization is able to independently recover from a ransomware attack," she said.

Manufacturing mayhem

A shift in targets is yet another way ransomware gangs look to capitalize on attacks. In a 2019 report, financial services was the most targeted sector.

In 2020, however, manufacturing companies were hit hardest by ransomware, accounting for nearly a quarter of all incidents IBM has responded to so far this year. The professional services sector was the second most targeted industry, experiencing 17% of ransomware attacks, with government organizations in third place at 13%. The report also cites an uptick in ransomware attacks on academic institutions throughout 2020.

IBM isn't the only vendor to observe these trends.

"I think you're going to see manufacturing, a lot of schools and municipalities -- those are probably the biggest targets you'll see throughout the year," said Jared Phipps, vice president of worldwide sales engineering at SentinelOne. "While it is reasonable to expect companies and schools to provide a security posture, the level of attacks is increasing at a dramatic level."

According to the report, 41% of all ransomware attacks analyzed in 2020 targeted organizations with operational technology (OT) networks. That figure is based on the share of victim organizations IBM identified in the manufacturing, oil and gas, transportation, utilities, construction or mining industries.

"We assess that many ransomware attacks against these industries have the potential to affect OT infrastructure -- even through indirect effects such as manual shutdowns of OT systems to prevent the malware's spread. Given that nearly one-quarter of the ransomware attacks we observed targeted manufacturing, more than half of this 41% comes from attacks on the manufacturing sector," Singleton said.

The report said EKANS, also known as Snake ransomware, was "one of the more concerning strains of ransomware" observed this year because of its ability to kill critical processes within OT and industrial control systems. However, OT-related ransomware attacks are not necessarily more successful than attacks on traditional IT environments, Singleton said. "Ransomware attackers are probably targeting companies with OT-connected networks because they judge that these organizations will have low tolerance for downtime and therefore will be more likely to pay ransom. For a manufacturing company, it is true that one hour of downtime can lead to millions of dollars in losses. Yet multiple manufacturing companies have refused to pay a ransom and have been able to recover from the attack."

In response to ransomware attacks, Phipps recommended that organizations examine their security posture now. "Cybercrime is operating with a high degree of impunity and victimizing organizations who have not modernized their security posture."

Trends from the new research suggest that the criminal business model of stealing sensitive information is paying off for attackers, which means it will not only continue but get worse, Kiefer said.

"Ransomware attacks aren't going anywhere as they're proving to be highly profitable to the attackers behind them. In terms of the techniques employed by ransomware attackers, we generally observe attackers' techniques shift over time in response to enhanced security measures, law enforcement crackdowns and changing technologies. As these evolve, so will attackers [who will] adjust their tactics," he said.
