Ransomware now accounts for 69% of all attacks that use malware

The most common targets of ransomware in the second quarter of 2021 were governmental, medical and industrial companies along with scientific and educational institutions, says Positive Technologies.

Young Asian male frustrated by ransomware cyber attack

Image: Getty Images/iStockphoto

Ransomware attacks have hit "stratospheric" levels, according to a report released Wednesday by cybersecurity firm Positive Technologies. In the second quarter of 2021, ransomware accounted for 69% of all attacks involving malware, a 30% jump from the same quarter in 2020. The most popular targets for ransomware were governmental, medical and industrial companies along with scientific and educational institutions.

SEE: Security Awareness and Training policy (TechRepublic)  

The overall percentage of attacks against government agencies climbed to 20% in the second quarter from 12% in the first quarter. Ransomware distributors were involved in 73% of all of these malware-related attacks. Tomiris, a new malware loader discovered by Positive Technologies, was able to send encrypted information about a victimized computer to a server controlled by the attacker.

For the quarter, the industrial sector was involved in 80% of overall malware attacks. Citing one specific incident, Positive Technologies said it found a new type of remote administration tool (RAT) called B-JDUN, which was used to target an energy company.

ransomware-attacks-by-industry-positive-technologies.jpg

Ransomware attacks by industry.

Image: Positive Technologies

But ransomware purveyors also targeted individuals, with NitroRansomware as one example. In this type of attack, the criminals deploy malware masquerading as a tool for generating free gift codes for Nitro, an add-on for Discord, a community-based chat app. After launching, the malware gathers data via the browser and then encrypts files on the user's computer. To receive a tool to decrypt the files, the victim must buy a gift code for activating Nitro and give it to the criminals.

The volume of ransomware attacks had already been surging in April 2021, but in early May, attacks targeted Colonial Pipeline and the police department of the District of Columbia. Such attacks revealed the boldness and audacity of today's ransomware gangs. But they also triggered unwanted publicity, catching the attention of law enforcement agencies and eventually the U.S. government, leading to efforts to crack down on ransomware attacks.

Cybercriminals have started to change their methods, relying less on partners to carry out attacks and more closely supervising their distributors. Some have also vowed to leave alone certain industries, such as those involved in critical operations or infrastructure.

As a result of the bad publicity and law enforcement efforts, disputes have flared up on Dark Web forums questioning the nature of ransomware. Several forums have since banned posts related to ransomware partner programs. Some forum users have even said that ransomware gangs should stop what they're doing and find a different way to make money.

Does this mean that ransomware operators will turn a new leaf and see the error of their ways? Hardly, according to Positive Technologies.

"We think that ransomware operators responsible for high-profile attacks will find it hard to quit such a profitable business, and will instead wait for things to blow over before developing a new concept," the firm said in its report.

With ransomware likely to remain a threat, Positive Technologies offers several tips on how organizations can protect themselves.

  • Install security updates. Be sure to install security updates in a timely manner.
  • Fully investigate any major attack. Conduct thorough investigations of all major incidents to discover the points of compromise and uncover any vulnerabilities exploited by the attackers. Further, make sure the hackers didn't leave behind any backdoors for themselves to return.
  • Beef up perimeter security. You can strengthen security at the corporate perimeter by using modern security tools, such as web application firewalls for protecting web resources. To prevent malware infections, use sandboxes that analyze file behavior in a virtual environment as a way to find malicious activity.

Ekaterina Kilyusheva, head of the Information Security Analytics Research Group at Positive Technologies, shared additional recommendations to protect your organization against ransomware.

"To protect against ransomware, scan all received attachments in a special isolated environment (sandbox), since phishing remains the main method of distribution," Kilyusheva said. "The second most popular infection method is the exploitation of vulnerabilities on the network perimeter, which means that an effective vulnerability management process should be built, and the security of the perimeter should be regularly assessed. And ensure correct network segmentation to hinder the propagation of the ransomware in the infrastructure."

SEE: Network security policy (TechRepublic Premium)

What should an organization do if it is hit by a ransomware attack?

"First of all, it is important to stop the spread of ransomware on the network, so isolate the infected computers," Kilyusheva said. "Be sure to ask the experts for help and report the incident to the authorities. Identify the ransomware family and, if possible, the grouping that you are facing–there is a possibility that data recovery tools or ways of removal are already known for this malware.

"However, in the case of a ransomware attack, a complete reinstallation of all systems is most reliable. To make decisions on further actions and ways to return to normal operation, determine the degree of damage caused, check the availability of backup systems, and estimate the time required for recovery.

"And remember that by agreeing to pay the ransom, you motivate the attackers to continue their attacks, while no one guarantees you either non-disclosure of stolen data or full system recovery. If a company is the victim of a ransomware attack, it is important to conduct a thorough investigation to understand what the source of the infection was and make sure that attackers did not leave loopholes in the infrastructure that would help them come back."

Also see