CarderPlanet
During 2021, we have seen an increase in ransomware activity. This is facilitated both by the emergence of new ransomware-as-a-service offerings and by the expansion of the toolkit for such attacks. The criminals have focused on maximizing their profits, so their attacks have become even more targeted, and they choose the most vulnerable and solvent organizations as victims. In this post, we'll tell you who attacked whom and how in 2021.
Some statistics
In 2021, we recorded over 3.6 million ransomware attacks against businesses and organizations around the world. Banking, government and transportation sectors were most often targeted. Other industries have come close, especially those that have become increasingly critical to business continuity in recent months due to their involvement in serving the public during the pandemic.
The number of ransomware attacks by sectors of the economy in 2021
The largest number of ransomware attacks fell on countries in the Americas.
Distribution of ransomware attacks by country in 2021
We attribute this distribution to the fact that multinational companies are located on the American continent and the business interests of many participants in global economic processes are concentrated there.
The great and terrible WannaCry remains in first place in terms of the number of detections. This is because the number of unpatched devices around the world is still high, which gives the ransomware worm an ample supply of targets. We hope that this figure will decline as older systems are updated, but so far this process is slow.
Among modern malware families, the attacks we recorded most often were by REvil, Sodinokibi, and Ryuk.
Number of detections of malware families in 2021.
Banks, government agencies and transport have, by their nature, unique characteristics that create a nearly limitless attack perimeter:
- a geographically distributed network of offices in different parts of the country or even the world;
- a large number of partners and suppliers;
- scattered remote employees;
- restrictions preventing the implementation of strong cybersecurity measures;
- requirements for the level and quality of services that they are obliged to fulfill;
- the victim is more likely to pay the ransom to protect customer data and restore systems faster.
Banking sector
Banks have always been one of cybercriminals' favorite targets, and ransomware operators are no exception. The bait is not only money that can be stolen from accounts, but also the information about customer accounts and transactions, extensive supply chains, customer personal data and much more. The data becomes double leverage in the hands of ransomware operators: they block access to it by encrypting every system they can reach, and they also exfiltrate the data and threaten to publish it.
Trend Micro solutions have recorded over 130,000 ransomware attacks on banks. Most often, extortionists attacked banks in North, Central and South America.
Number of ransomware attacks on banks in 2021
The lucrative business of banks makes them an attractive target for professional attackers, who profile organizations and research their finances to determine their next potential targets.
The most active modern families that attacked banks this year are REvil and Crysis (aka Dharma).
The families of ransomware that attacked banks in 2021
According to statistics, a bank client has an average of five accounts, and an average bank branch has about 9000 clients. Thus, an attack on an employee or the infrastructure of just one branch can affect more than 45 thousand accounts.
Small and medium banks can be used to attack more organizations in the financial industry and beyond through a variety of service platforms. The shutdown or closure of local offices can significantly impact other critical sectors.
Ransom payments by banks are also tricky: transferring money to cybercriminals potentially violates various legal regulations such as Know Your Customer (KYC) procedures, anti-money laundering and terrorist financing laws.
Government agencies
The Multi-State Information Sharing and Analysis Center (MS-ISAC), a division of the Center for Internet Security (CIS), a US-based non-profit crowdsourcing organization operating internationally, reported that 11,000 of its members recorded 75 ransomware attacks on US government agencies from January to June this year. In turn, a global Sophos study conducted at the beginning of the year showed that governments and non-departmental government bodies are more likely to be subjected to double extortion attacks.
The attractiveness of government agencies for extortionists is explained by the following reasons:
- they store personal and financial data of citizens, which can be profitably sold to other criminal groups;
- the functioning of government is critical to society and national security.
Ransomware attacks on the government sector in 2021
The main players in the attacks on the government sector were the "veterans" Stop and Cerber, but newcomers such as REvil and Crysis also made their mark.
Ransomware that attacked government agencies in 2021
Transport
Ransomware attacks on the transport industry in 2019-2021 showed an increase of 186%. The most likely reason is the critical importance of the industry to the global economy and the close interconnection of different modes of transport.
Disruption to the normal functioning of the transport industry has a massive impact on business, human well-being, and even national security. Realizing this, the ransomware operators are asking for huge ransom amounts.
A further peculiarity of this sector is that, in addition to the on-board IT systems of ships, trains or airplanes, the backend systems and devices in data centers and offices from which transportation is controlled can also be infected.
Trend Micro solutions detected over 32,000 ransomware attacks against transportation companies. Most attacks were in Asia and the Middle East.
Ransomware attacks against transportation businesses in 2021
One major attack in the US rail freight sector was reported in January 2021: US rail freight company OmniTRAX confirmed that it had been attacked by Conti ransomware. The attackers published the stolen data. This is a common double-extortion tactic used by modern-day groups.
Another attack on the transport industry involved the Death Kitty program and nearly brought South African ports to a complete halt.
Ransomware operators attacking transport companies are counting on organizations being desperate to get back to work in the event of a disruption. Since a trucking company's priority is to minimize potential downtime during incidents, it is likely to pay the ransom to get back to work as soon as possible.
The modern ransomware families most common in this sector are REvil, Ryuk, Conti and DarkSide.
Ransomware that attacked the transport sector in 2021
REvil ransomware tactics
REvil is one of the modern ransomware families that are constantly found in banks, government agencies and transport companies. The decentralized nature of the group and its affiliates allows for simultaneous penetration and deployment using a variety of techniques and tools.
REvil operators usually gain initial access to an organization's IT environment through:
- phishing emails,
- Remote Desktop Protocol (RDP) or stolen accounts,
- compromised websites,
- unpatched vulnerabilities.
The real cost of the ransomware attack
The problem with ransomware attacks isn't just downtime and ransom payments. Recovering with "purchased" decryption keys does not guarantee a return to normal operation, so the damage from the incident is significantly greater than the ransom cost, since it also includes the cost of recovery, financial and reputational losses, fines from regulators, losses from contract termination and loss of customers.
Given that not all companies report attacks, the number of victims and the ransoms paid may be higher than official reports indicate. According to Coveware, in the second quarter of 2021, the average ransom payment by organizations reached $136,576.
And while large businesses can afford cyber insurance, a single attack could be enough to make small and medium-sized businesses shut down operations altogether. According to Palo Alto Networks, the average ransom demanded in modern ransomware attacks exceeds $5 million. Potential regulatory fines and litigation also increase disbursement and recovery costs.
The Coveware report also found that the average downtime for each attack increased to 23 days, up from 16 days in 2020 and 12 days in 2019, and restoring the system, files and, in some cases, infrastructure further increases the loss.
In Cybereason's “Ransomware: The True Cost To Business” study of the impact of ransomware attacks on business, 53% of companies surveyed said they not only lost revenue, but also experienced unplanned layoffs and brand damage.
Even loyal customers can go to competitors after cyber incidents. Accenture's consumer loyalty survey has shown that the share of such customers reaches 77%.
Countermeasures recommendations
The following measures can help protect against ransomware:
- continuous training and awareness raising for employees and partners of the organization;
- implementation of multi-layered solutions for detection and response to threats;
- establishing incident response teams and action programs to prevent and recover from cyberattacks;
- comprehensive update management;
- carrying out simulated attacks to train employees in safe behavior.