Ransomware: state of play and trends in 2020 | Stormshield

Since early 2020, ransomware attacks have increased in number and made front-page headlines. All professionals – large companies and small operations alike – seem vulnerable in the face of this evolving threat. And the number of cases of attacks – with varying degrees of success for the attackers – is becoming a concern. We take a dive into troubled waters to examine the No.1 cybercrime phenomenon of 2020.

“Organised cybercrime is now using cyber tools to hold its victims to ransom,” noted Guillaume Poupard, Director-General of France's ANSSI cybersecurity agency, addressing French senators in November. And whether in France, Europe or worldwide, the effects of ransomware continue to reverberate. From the SAOG insurance company in the Sultanate of Oman to the Campari spirits group, and taking in Bouygues Construction and the Brazilian court of justice along the way, it seems that no-one is immune. Furthermore, the trend in ransomware is towards an increasingly professional approach, with a well-developed economic ecosystem between the creators and operators of malware, operating as a fully-fledged business featuring partnership levels and discounts, etc. 2020 has confirmed the rise of the ransomware threat, with increasingly well-prepared and organised attacks employing a more technical approach. This fundamental trend is prompting companies to rethink their defence measures and improve their ability to counter-attack.


Encryption techniques, propagation methods... how is ransomware evolving?

For as long as ransomware has existed, its end goal has remained unchanged: to exact a ransom payment. And the same is true on a technical level, where very little has changed. Indeed, the modus operandi of malware remains essentially the same: scan through a disk, search for files by extension type and encrypt whatever is likely to have the most impact on the target’s business activity. The choice of data to be encrypted will depend on the cybercriminals’ strategy: having access to the computer without access to the file is sometimes worse than having a computer that won’t even start. For this reason, cybercriminals are careful to encrypt only certain extension types. On the other hand, it is clear that ransomware is changing in terms of how it propagates and infects systems.

Ransomware operators are constantly monitoring news of the latest vulnerabilities in information systems to enable them to bypass protection mechanisms

Thomas Gendron, Malware Research Engineer, Vade Secure

The actual mechanics of extortion have also changed significantly since the early days. Ransom demands via PayPal are no longer the flavour of the month for attackers, as they are too easily traceable; most cybercriminals demand ransom payments in Bitcoin. It is a payment method that appears to be more stable for ransomware operators, and also makes it more complex to track the ransom through mixing platforms (Smartmixer, BitcoinMix, etc.). In addition, in early 2020, the FBI stated that between 2013 and 2019, ransomware-related extortion operations amounted to a value of no less than 144.35 million dollars in Bitcoin.

In terms of propagation, “ransomware operators are constantly monitoring news of the latest vulnerabilities in information systems to enable them to bypass protection mechanisms”, explains Thomas Gendron, Malware Research Engineer at Vade Secure. Since mid-2019, several VPNs have been exposed to a number of key vulnerabilities which have attracted the attention of several groups of cybercriminals, who have seized the opportunity to launch waves of ransomware.

Although emails with infected files remain popular, other forms of infection have been observed in recent months. Leaks of passwords used on VPNs, VPN flaws, distribution by botnet, etc.; ransomware operators today seem to have a substantial arsenal of resources for propagating ransomware.  Once an infection has succeeded, cybercriminals will attempt to extend the attack laterally and detonate the ransomware payload on as many computers and devices as possible. A recent example has been the Zerologon vulnerability, which has been heavily exploited by operators of the Ryuk ransomware. Operators can use this flaw to gain quick admin access to the Active Directory before extending the attack laterally across the IT infrastructure and obtaining access to privileged accounts. Infection, lateral movement, privilege escalation: all the cybercriminal then needs to do is to implement their “action on objective.”


Opportunistic vs. targeted attacks

Of course, the main ransomware trend to be borne in mind relates to the current extraordinary health crisis. Although phishing campaigns generally show little evidence of careful planning, experts have noted increased efforts by cybercriminals in the social engineering approach. Anxiety-provoking health and economic news has proved to be the perfect lever for playing on fears, such as false orders for masks, false redundancy notices, etc. “Companies have invested heavily in protecting their perimeters with workstation protection solutions, IS security configurations, etc.,” explains Adrien Gendre, Chief Solution Architect at Vade Secure. “Ransomware operators are therefore looking for ways to circumvent this protection and gain internal access to companies. Phishing is a means by which mailboxes can be compromised, thus enabling ransomware and even spear phishing attacks to be launched from within the company.”

And there has been a proliferation in the methods used to force victims to pay ransoms, too. In October 2020, for example, a group of cybercriminals published a set of health data on the dark web that they had stolen from a Finnish company that controlled a chain of psychotherapy centres… in 2018! When the health company refused to pay the ransom, the cybercriminals first turned to patients’ families before deciding to sell the precious data to the highest bidder… Another recent example was the attackers who used the Facebook social network to publish malicious fake advertising intended to force an Italian spirits group to pay a ransom.

However, these attacks seem to be mainly opportunistic in nature. And we should not allow them to obscure the main trend in 2020: ransomware is becoming increasingly professional.


Increasingly professional ransomware

The trend towards ransomware-as-a-service (RaaS), following its first emergence in 2016, is gaining strength in 2020. “You can now actually buy ransomware, and even tutorials teaching you how to use it,” says Edouard Simpère, Technical Leader at Stormshield. “It's all sold as a service, in the same way that malware is sold in the form of ready-made tools that have long been available on the dark web.” Ransomware or extortion applications are sold on the dark or deep web, and are becoming products in their own right, with their own market rules (competition, etc.). For example, a number of cybercriminal operations have formed structures in which each majors in a particular task. But that's not all: “As they have become more professional, attackers have each developed their own speciality: ransomware developer, phishing specialist, payload deployment operator, etc.”, Gendron explains.  By forming a complex, more dynamic, more efficient ecosystem, these cybercriminals also protect themselves against disturbances to their important operations in the event that one link in the chain is arrested.

You can now actually buy ransomware, and tutorials teaching you how to use it, how to launch it from an interface, etc. It’s all sold as a service

Edouard Simpère, Technical Leader Stormshield

This increasingly professional approach by attackers goes hand in hand with the rise in targeted attacks against large companies and organisations. “The current trend in ransomware attacks is towards an improvement in the infection methods employed. The use of tools to deliver the ransomware to the most appropriate place is more akin to the technical level one would associate with some APT or FIN groups, and shows a sharper operational intelligence than before,” explains Grégory Baudeau, Technical Leader, Cyber Threat Intelligence at Airbus CyberSecurity. Working alongside associate researcher Frédéric Boissel and analyst Quentin Michaud, Baudeau recently produced a model of an operation to deliver a Sodinokibi (also known as REvil or Sodin) payload that was discovered when responding to an incident. This RaaS – which has been available since April 2019 – has targeted a multitude of sectors such as energy, finance, construction, biomedical, aeronautics and even the telecommunications sector. One of the specific characteristics of this ransomware is also that it publishes exfiltrated data on dark web forums, and even holds auctions. This is what happened in the USA in June: the group behind Sodinokibi is said to have auctioned off 50Gb and 1.2Tb of data belonging to two US legal practices. In addition to data theft and extortion, therefore, new ways are emerging for cybercriminals to make financial profit from their attacks.

Lastly, in an age in which smart objects are part of our daily personal and business lives, questions must be raised over the attack surfaces of such devices. Whether the threats are proven cyberattacks against cash registers in supermarkets or printers, or even proof-of-concept attacks against smart coffee machines, the surface is expanding with the advent of devices offering low levels of security. “This attack surface provides accessible gateways: attackers scout around, waiting for the right time, the right target, the right place to deploy their ransomware. It's just the thin end of the wedge,” Simpere maintains.

The world of ransomware is becoming more professional and attacks are becoming ever more sophisticated and precise. And that makes them increasingly complex to detect for companies who, in turn, must be ruthlessly organised if they are to fight this cybercriminal trend.


Ransom payments, backups... what are the best anti-ransomware strategies?

Has it become acceptable to pay ransomware demands? The answer is no. However, the “to pay or not to pay?” question remains, especially for infrastructure such as hospitals. They are critical infrastructures which, when they fall victim to ransomware, become unable to carry out their vitally important activities. Because from an operational point of view, attempting to circumvent ransomware is a complex process that takes time – a luxury such organisations cannot afford. In addition, from a moral point of view, it should be remembered that ransomware is blackmail. Paying the blackmailer will indicate a weakness that is hard (or even impossible) to defend in media terms, as well as ethically. Lastly, from a strategic point of view, there is no guarantee of a return to normal following a payment, whether in terms of actual data restoration or the continued existence of a back door left behind by the attacker. “Paying ransomware means providing oxygen to the business behind it, and on principle, that is never acceptable. So what you need to do is to set up alternatives to avoid ever being in that position,” Gendre warns. In the United States, for example, the US Treasury is seeking to prevent the payment of ransoms by companies by imposing civil penalties on third-party companies (such as cyber-insurance, cybersecurity companies, etc.) who assist victim organisations in paying their ransoms. The goal that organisations should strive for is never to be in a position that forces them to decide whether or not to pay a ransom.

At the same time, publishers and cyber players are also stepping up to counter the increase in attack surfaces and the propagation of ransomware by developing appropriate cyber solutions that provide support for such organisations. There seems therefore to be an increase in awareness, making it possible to implement the best protection against this type of malware.

A number of mechanisms are possible to fight against attacks that deliver ransomware payloads, including training employees in good digital hygiene, implementing appropriate patch management policies, adopting a rigorous rights and authorisations management policy (compulsory password changes every 90 days for privileged accounts, use of two-factor authentication, etc.). “One way you can protect yourself against ransomware right now is to implement protection and digital hygiene standards that are high enough to deter potential attackers,” Baudeau adds. “It is important to have employees who are sufficiently well trained in phishing techniques and monitoring security events on VPNs, ADs and equipment that has experienced critical vulnerabilities providing access to networks or central equipment of the company in the last six to nine months. It is also important to train security teams to detect suspicious behaviour. All companies and organisations need to have incident response teams, and the ability to shut down services and restore them again to provide a rapid response to an intrusion, avoid delivery of the payload wherever possible, and ensure that services can be restored as quickly as possible. ”

In addition to these available means, there is a solution that provides an effective defence against such ransomware: the backup. Every organisation and company – even the smallest – needs to implement a backup policy, and all systems in all organisational structures must be equipped with solutions of this type. The backup is the cornerstone of an effective anti-ransomware policy, and this includes the implementation of offline backup systems that cannot be encrypted, and also a system of regular backup control procedures. In April 2019, agri-food business Fleury Michon fell victim to a ransomware attack, halting production for three days. However, the company was able to restart its operations fairly quickly thanks to its backup systems, which enabled it to recover the data it needed to recommence production and thus avoid paying the ransom demand. Fleury Michon was also involved in the creation of the Attaques par rançongiciels, tous concernés ransomware guide published this year by the ANSSI cybersecurity agency, intended to support local authorities and companies in understanding the issue of ransomware and actions to be taken to protect themselves.


The outlook for ransomware may still be bright for now, but companies are far from beaten, and should be able to keep strengthening their defensive postures and rejecting ransom demands as often as possible. If this is in fact the case, will cybercriminals perhaps be seeking, in the next few years, to switch to new and more lucrative activities?

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Ransomware attacks are on the rise, threatening the economic stability and sustainability of many companies and organisations. Not a week goes by without a company or government body being attacked and receiving a ransom demand. This Stormshield whitepaper looks at the evolution of ransomware and the actors who make it a major threat. It deciphers how this malware works and proposes best practices to avoid the consequences. This does not obscure the central question pondered by many organisations faced with the problem of whether to pay or not to pay? Should you give in?
All too often, ransomware attacks still start with malware sent by email. What if you had access to a free tool that let you test suspicious files? That’s the promise of Breach Fighter, our sandboxing analysis service that detects malicious behaviour in scanned files.
About the author
Sébastien Viou Cybersecurity Product Director & Cyber-Evangelist, Stormshield

Fan of fighting sports (ju-jitsu, kick-boxing, ice hockey), Sébastien also has a passion for mechanics. The real thing, the one where all the parts are dismantled and reassembled until all the mechanisms are understood. An obvious parallel with his missions at Stormshield, where he is in charge of shedding light on developments, innovations and trends in the cyber-threats.