Changes

Line 4: Line 4:  
[[as-a-Service Model#Ransomware-as-a-Service|RaaS]] is a subscription for ransomware tools. RaaS allows cybercrime groups to extend their reach and decentralizes attacks, complicating efforts to disrupt them. The RaaS creators take a percentage of each successful ransom payment.<ref>[https://www.varonis.com/blog/ransomware-statistics-2021/ Ransomware Stats 2021, Varonis blog]</ref>
 
==Recent Statistics==
+
==Recent Statistics and History-Making Events==
In 2020...<br/>
   
:Average downtime due to ransomware: 21 days<ref>[https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020C Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands, Feb 1, 2021]</ref><br/>
 
:Average recovery time for organizations: 287 days<ref>[https://blog.emsisoft.com/en/37314/the-state-of-ransomware-in-the-us-report-and-statistics-2020/ The State of Ransomware in the US: Report and Statistics 2020, Emisoft Blog, Jan 18, 2021]</ref><br/>
 
:Total victims paid to decrypt their data: US$350 million<ref>[https://blog.chainalysis.com/reports/ransomwareecosystem-crypto-crime-2021Chainalysis 2021 Crypto Crime Report]</ref><br/>
 
:Change in payout from 2019 to 2020: 311% increase</ref><br/>
+
:Change in payout from 2019 to 2020: 311% increase<ref>[https://blog.chainalysis.com/reports/ransomwareecosystem-crypto-crime-2021Chainalysis 2021 Crypto Crime Report]</ref><br/>
 
:Average individual payment:US$312,493<ref>[https://unit42.paloaltonetworks.com/ransomware-threat-assessments Ransomware Threat Assessments, Unit 42, Palo Alto Networks March 17, 2021]</ref><br/>
+
:Average individual payment: US$312,493<ref>[https://unit42.paloaltonetworks.com/ransomware-threat-assessments Ransomware Threat Assessments, Unit 42, Palo Alto Networks March 17, 2021]</ref><br/>
 
:Year-over-year difference from 2019: 171% increase <ref>[https://unit42.paloaltonetworks.com/ransomware-threat-assessments Ransomware Threat Assessments, Unit 42, Palo Alto Networks March 17, 2021]</ref><br/>
 
:Number of U.S.-based governments, healthcare facilities, and schools attacked: 2,400<ref>[https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf RTF Report 2021, pg. 7]</ref><br/>
 
 +
:The [[CISA|critical infrastructure sector]] that experienced more ransomware attacks than any other industry: Healthcare<ref>[https://purplesec.us/resources/cyber-security-statistics/#Healthcare%20Providers 2021 Cyber Security Stats, PurpleSec]</ref><br/>
 +
:On September 10, 2020, ransomware contributed to the first reported death related to a cyber attack, after an emergent patient had to be re-directed from a ransomware victim hospital in Germany.<ref>[https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/ First Death from Ransomware, ZDNet]</ref>
 +
:On April 29, 2021, [[CISA|DHS Secretary Alejandro Mayorkas]] declared ransomware a national security threat.<ref>[https://breakingdefense.com/2021/04/ransomware-a-national-security-issue-new-report-argues-yes/ Breaking Defense]</ref>
    
==Mitigation==
 
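Review bot: the Chainalysis reference added on the "311% increase" line (and reused from the "US$350 million" line above it) is missing the space between the URL and the link label, so `[https://blog.chainalysis.com/reports/ransomwareecosystem-crypto-crime-2021Chainalysis 2021 Crypto Crime Report]` will render with `...2021Chainalysis` as the target URL; insert a space before `Chainalysis`. Two smaller points in the same hunk: the piped links `[[CISA|critical infrastructure sector]]` and `[[CISA|DHS Secretary Alejandro Mayorkas]]` send readers to the CISA page for link text that is not about CISA, and "emergent patient" in the German hospital sentence should read "emergency patient".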
Line 27: Line 29:  
# Configure firewalls to block access to known malicious [[IP Address]]es.<ref>[https://www.cisa.gov/stopransomware/ransomware-faqs Ransomware FAQs, CISA]</ref>
 
   −
* On April 29, 2021, the Institute for Security and Technology launched the [[Ransomware Task Force]] (RTF).<ref>[https://securityandtechnology.org/ransomwaretaskforce/ RTF, IST]</ref>
+
* On April 29, 2021, the Institute for Security and Technology launched the [[Ransomware Task Force]] (RTF), which released a comprehensive framework outlining 48 actions and their timelines for governments and industry leaders to undertake to disrupt the ransomware business model and mitigate attacks' impacts.<ref>[https://securityandtechnology.org/ransomwaretaskforce/ RTF, IST]</ref>
    
* Alternatives to payment include:
 
:* working with the [[No More Ransom Project]], which helps victims decrypt data without paying attackers;
 
:* working with law enforcement immediately after noticing the attack
+
:* working with law enforcement, such as the [[FBI]], immediately after noticing the attack
   −
* To manage the fallout, an industry has grown up around cyberattack recovery. Cyber insurance (aka [[cybersecurity]] insurance, cyber risk insurance, data breach insurance, or cyber liability insurance) protects against some of the financial and legal consequences of cyber risks and attacks. This industry is focused on mitigating the side effects of cyber attacks and data breaches.<ref>[https://www.zeguro.com/cyberinsurance Cyber insurance, Zeguro]</ref>
+
* To manage the fallout, an industry has grown up around cyberattack recovery. Cyber insurance (aka [[cybersecurity]] insurance, cyber risk insurance, data breach insurance, or cyber liability insurance) protects against some of the financial and legal consequences of cyber risks and attacks. This industry is focused on mitigating the side effects of cyber attacks and data breaches.<ref>[https://www.zeguro.com/cyberinsurance Cyber insurance, Zeguro]</ref> The backstop support of insurance may encourage ransomware attackers, as insured victims may be more likely to pay.<ref>[https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks Extortion Economy, ProPublica]</ref> However, insurance providers generally require that clients adhere to baseline security practices, connect victims to recovery experts and law enforcement, and leverage market tools to incentivize security standards and discourage organizations from paying ransom.<ref>[https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf RTF Report, IST, pg 13]</ref>
 +
 
 +
* [[Zero Trust]] architecture limits lateral movement and contains the blast radius or ransomware attacks.<ref>[https://venturebeat.com/2021/05/14/adopting-zero-trust-architecture-can-limit-ransomwares-damage/ Adopting zero trust architecture can limit ransomware’s damage, VentureBeat]</ref>
    
==Debates==
 
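Review bot: the new Zero Trust bullet has a typo, "contains the blast radius or ransomware attacks" should be "contains the blast radius of ransomware attacks". Also, the hunk inserts two empty lines between the cyber insurance bullet and the Zero Trust bullet; in MediaWiki an empty line ends a `*` list, so the Zero Trust item will render as a separate list rather than as the next item of the same list. Dropping the empty lines keeps the mitigation list together.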
Line 47: Line 51:  
: [[Ed Cabrera]], CCO at [[Trend Micro]], said that criminalizing ransom payments will lead hackers to make more lethal attacks and increase the pain.<ref>[https://www.forbes.com/sites/edwardsegal/2021/06/08/banning-ransomware-payments-could-create-new-crisis-situations/?sh=30ff48829828 Banning Ransomware payments could lead to new crises, Forbes]</ref><br/>
 
: In the ''Harvard Business Review'', [[Rahul Telang]] opined that in attacking companies rather than consumers, ransomware is forcing organizations to pay a steep, direct price for lax security and ultimately focusing organizations' attention on improving their cybersecurity and protecting their networks.<ref>[https://hbr.org/2021/08/could-ransomware-attacks-ultimately-benefit-consumers Could Ransomware Attacks Ultimately Benefit Consumers? HBR, August 02, 2021 ]</ref>
 
 +
: [[Coveware]]'s core business model is negotiating ransomware sums.<ref>[https://www.coveware.com/blog/2021/7/23/q2-ransom-payment-amounts-decline-as-ransomware-becomes-a-national-security-priority Q2 Ransom Payments Decline, Coveware]</ref>
    
==Notorious Cases==
 
 +
===Cobalt Strike===
 +
Cobalt Strike is the legitimate, commercially available tool used by network penetration testers that has been co-opted by threat actors.<ref>[https://threatpost.com/cobalt-strike-cybercrooks/167368/ Cobalt Strike Usage Explodes Among Cybercrooks]</ref> It is also known as Agentemis, BEACON, and CobaltStrike, and the threat actors that have used it include APT 29, APT32, APT41, Anunak, Cobalt, Codoso, CopyKittens, DarkHydrus, FIN6, Leviathan, Mustang Panda, Shell Crew, Stone Panda, UNC1878, UNC2452, and Winnti Umbrella.<ref>[https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike Cobalt Strike, Malpedia]</ref>
 +
 +
===Maze Cartel===
 +
[[File:Maze Cartel.png|500px|thumbnail|right|[https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel Analyst1 Cartel Breadown]]]
 +
In June 2020, the Maze Cartel publically announced that TWISTED SPIDER, VIKING SPIDER, and LockBite were running a collaborative business arrangement.<ref>[https://www.crowdstrike.com/cybersecurity-101/ransomware/history-of-ransomware/ History of Ransomware, CrowdStrike]</ref> In November 2020, Twisted Spider announced they were shutting down the cartel operations.<ref>https://chaslescorp.com/the-rise-and-fall-of-maze-cartel/ The rise and fall of Maze Cartel, ChaslesCorp]</ref>
 +
 +
The people who comprise the cartel originate from eastern Europe, primarily speak Russian, and ensure that their payloads do not execute on Russian victims. Twisted Spider used Maze ransomware from May 2019 to November 2020 and Egregor beginning in September 2020, each using its own malware, infrastructure, and online personas. The operators are very communicative with media, cybersecurity firms, and other cybercriminals.<ref>[https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel Ransom Mafia, Analyst1]</ref> Viking Spider began its ransom operations in December 2019. Wizard Spider has multiple teams and has been participating in attacks since 2016. The Lockbit Gang was the first to automate attacks. SunCrypt was the first gang to introduce [[DoS Attack|denial of service attacks]] to extort victims.<ref>[https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel Ransom Mafia, Analyst1]</ref>
 +
 
===Darkside===
 
Darkside is a group of hackers that carried out a significant ransomware attack in May 2021.
 
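Review bot: the ChaslesCorp reference in the Maze Cartel paragraph is missing its opening bracket: `<ref>https://chaslescorp.com/the-rise-and-fall-of-maze-cartel/ The rise and fall of Maze Cartel, ChaslesCorp]</ref>` should begin with `<ref>[https://` so it renders as an external link like the other citations. Also in this hunk: "publically" should be "publicly"; "LockBite" does not match "the Lockbit Gang" used in the following paragraph; "Breadown" in the image caption should be "Breakdown"; and the Cobalt Strike subsection sits under "Notorious Cases" although its own text describes it as a legitimate penetration-testing tool rather than a ransomware operation, so either state in its first sentence how it relates to the groups listed below or move it out of this section.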
Line 86: Line 100:  
===REvil===  
 
Aka Sodin aka Sodinokibi, REvil has a reputation for extorting larger ransom payments than their competitors and promoting cybercrime forums.<ref>[https://www.varonis.com/blog/ransomware-statistics-2021/ 2021 Ransomware Stats, Varonis blog]</ref>  
 
 +
The [[FBI]] accused REvil of orchestrating a ransomware attack on the world's largest meat processing company, JBS, in June 2021. JBS paid US$11 million in ransom to decrypt their files.<ref>[https://www.npr.org/2021/06/03/1002819883/revil-a-notorious-ransomware-gang-was-behind-jbs-cyberattack-the-fbi-says REvil behind JBS attack]</ref>
 +
 +
====REvil Suddenly Goes Offline====
 +
On July 13, 2021, Monitors discovered that a payment website and a blog run by the REvil group suddenly became unreachable, leading many to speculate that U.S. or Russian officials may be behind the disappearance.<ref>[https://www.bbc.com/news/technology-57826851 REvil: Ransomware gang websites disappear from the internet, BBC]</ref>
    
===Ryuk===
 
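Review bot: "On July 13, 2021, Monitors discovered" has a stray capital; "monitors" should be lowercase, or the sentence should say who was monitoring the sites. The new JBS paragraph and the level-4 "REvil Suddenly Goes Offline" heading are otherwise consistent with the surrounding section structure.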
Line 91: Line 109:     
===SamSam===
 
From 20-15 to 2018, SamSam infected the municipal/state services of Atlanta, Colorado, and San Diego and 200 public institutions/organizations.<ref>[https://gatefy.com/blog/real-and-famous-cases-ransomware-attacks/ Real and Famous Ransomware Cases, Gatefy]</ref>
+
From 2015 to 2018, SamSam infected the municipal/state services of Atlanta, Colorado, and San Diego and 200 public institutions/organizations.<ref>[https://gatefy.com/blog/real-and-famous-cases-ransomware-attacks/ Real and Famous Ransomware Cases, Gatefy]</ref>
 +
 
 +
===CryptoLocker===
 +
In 2013, a new type of ransomware, also known as Gameover Zeus, used the advent of Bitcoin transactions and the latest in encryption, using 2048-bit RSA key pairs generated from a command-and-control server. Only computers running a version of Windows are susceptible to Cryptolocker (it does not target Macs).<ref>[https://usa.kaspersky.com/resource-center/definitions/cryptolocker Cryptolocker, Kaspersky]</ref>
 +
 
 +
===AIDS Trojan===
 +
In 1989, one of the first ransomware attacks ever documented, also known as the PC Cyborg Virus, was released via floppy disk. Victims sent US$189 to a P.O. box in Panama to restore access to their systems.<ref>[https://www.crowdstrike.com/cybersecurity-101/ransomware/history-of-ransomware/ History of Ransomware, CrowdStrike]</ref>
    
==References==
 
[[Category:DNS Abuse]]
 
 +
[[Category:Featured]]
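Review bot: the CryptoLocker paragraph never names CryptoLocker in its body and states that it is "also known as Gameover Zeus"; Gameover Zeus is generally described as the botnet that distributed CryptoLocker rather than an alias for it, so the sentence should be checked against the cited Kaspersky page and reworded along the lines of "In 2013, CryptoLocker, distributed via the Gameover Zeus botnet, ...". The AIDS Trojan paragraph has the same structure ("one of the first ransomware attacks ever documented, also known as the PC Cyborg Virus") and should name the AIDS Trojan explicitly in the sentence rather than only in the heading. The "20-15" to "2015" correction in the SamSam paragraph looks right.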