With attacks increasing by 140 percent between 2018 and 2019, the threat from ransomware was growing long before the COVID-19 pandemic began. Last year, however, thanks to a perfect storm of unfortunate circumstances, the trend line for ransomware growth has gone vertical.
Lockdowns and a sudden shift to remote work rocked the threat landscape, creating new opportunities for threat actors to target vulnerable employees and opening a brand-new, dramatically larger attack surface. These operating conditions challenged organizations and stretched defenses to the breaking point, and ransomware attacks increased by 715 percent in 2020.
With the pandemic widening the scope of potential targets, threat actors took full advantage of everyone else's misery. Already a growing trend, ransomware attacks became the go-to tool for extracting financial gain from vulnerable companies, with almost half of all cyber incidents involving ransomware in 2020. In fact, some sectors saw ransomware account for 80 percent of all financially motivated cyberattacks. To say that ransomware saw explosive growth in 2020 is not an overstatement.
While the frequency of ransomware attacks increased dramatically over the last twelve months, the recent past has also seen threat actors diversify their targets for ransomware attacks. The COVID-19 pandemic that forced the world to go digital created a golden opportunity for cybercriminals to widen their net beyond traditional corporate targets. For example, as the operational strains of the pandemic pushed both their networks and IT teams to the limit, vulnerable public sector organizations became some of the most lucrative victims.
Educational institutions face a similar burden. Due to their valuable student and staff data, low tolerance for downtime, and greatly overstretched IT departments, educational institutions at every level are now under severe threat from ransomware. Since teaching went remote, the education sector rose to become the most targeted sector for cybercriminals globally. This changing threat landscape meant that while universities dealt with a wave of ransomware infections, thousands of K-12 students lost educational opportunities as ransomware attacks shut school districts.
Once considered off-limits by some threat groups early in the pandemic, medical institutions quickly found themselves barraged with waves of devastating ransomware attacks. In one example, six U.S. hospitals experienced significant service interruptions that left them scrambling to pay ransoms to their attackers. The threat to medical institutions from ransomware continues to grow. Recently, the CIA, FBI, and HHS released a joint advisory statement warning healthcare providers about the risk of ransomware attacks.
As they leverage new and exacerbated organizational weaknesses, threat actors have also geared up their ransomware demands. Increasing by more than 150 percent, the average ransomware payment jumped from $84,116 at the end of 2019 to $233,817 by Q3 of 2020.
However, where cybercriminals judge an organization's willingness to pay exceptionally high, ransoms can be far greater than the average. Travel services firm CWT paid cybercriminals $4.5 million following a ransomware attack, a sum judged to be less painful than the alternatives. After falling victim to one of the year's most reported cyberattacks, Garmin reportedly paid a $10 million ransom to their attackers.
With 58 percent of ransomware victims paying a ransom in 2020 compared to 39 percent in 2018, the dramatic inflation in ransom demands has happened for a clear reason — victims often have no option but to pay. This is especially true for organizations mentioned in the previous section that have low or no tolerance for downtime: K-12 schools, state and local governments, and healthcare providers.
Another legacy of 2020 is the proliferation of more potent types of ransomware. Strains such as DoppelPaymer and Maze now allow cybercriminals to extract a "double ransom" by paralyzing victims' operations and exfiltrating data for use in later blackmail. With ransomware attacks now likely to lead to data breaches, the stakes for organizations have naturally become higher.
While just six ransomware types—Maze, Egregor, Conti, Sodinokibi, DoppelPaymer, and NetWalker—made up 84 percent of attacks last year, new strains are continually being reported. A parallel trend, the advent of ransomware as a service, has also made high-end ransomware available to less technically competent threat actors. Now, rather than developing their own ransomware, cybercriminals can purchase a preconfigured strain in return for a cut of any ransom paid out.
The end result is that low-skilled threat groups have access to advanced attacks that are more successful and more profitable. The RaaS groups also increase their earnings by running "affiliate" networks of groups that license their ransomware strain.
Since spring 2020, the world has been rocked by a devastating pandemic, global political instability, and challenging economic circumstances. However, while there has been no shortage of negative headlines, the transformation of ransomware into an unavoidable global threat is noteworthy.
This year cybercrime is estimated to cost the world over $1 trillion—a large part of which will be caused by the cost of remediating devastating ransomware attacks. As organizations continue to adapt to the new normal, cybercriminals are only increasing the scope and sophistication of their attacks. This means that alongside everything else that made last year remarkable, in the future, 2020 may also be remembered as the year that ransomware "took off."