Ransomware Outbreak Threatens All Industries

As if 2020 wasn’t already challenging enough, organizations now have one more outbreak to worry about: a surge in ransomware. During the first half of the year, a rising number of ransomware attacks plagued organizations across many different sectors—including manufacturing, healthcare, government, education, and professional services.[1]

One tally estimated the total cost of the 11 largest successful ransomware attacks in the first six months at more than $144 million, a number that already approaches the 2019 total of $176 million for the whole year.[2] The cost includes investigation and remediation expenses as well as the ransoms paid by some of the targeted organizations.

As noted in an earlier post, criminals are increasing the pressure on victims by threatening to sell or publish sensitive information unless the ransom is paid. Some are also attacking industries that are particularly critical during the pandemic. “The threat of selling or releasing stolen data has massively increased the potential impact of a ransomware attack, due to loss of intellectual property and increased brand damage,” said Dr. Kiri Addison, Mimecast Head of Data Science for Threat Intelligence & Overwatch. “Healthcare and manufacturing are vitally important at the moment, and so those organizations may be more likely to pay the ransom in order to minimize disruption.”

The ransomware outbreak is expected to continue, according to the Mimecast Threat Intelligence Report: Black Hat USA Edition, January - June 2020. “It is highly likely that U.S. businesses are at risk of ransomware attack, due to threat actors’ efforts towards the high volume, opportunistic attack of multiple verticals,” according to the report.

Emotet Likely Paved the Way for Ransomware

One early indicator foreshadowing the current wave of ransomware was an increase in email-borne attacks using Emotet, which continued until February this year. Emotet is a Trojan used to deliver other malware, including ransomware. Though Emotet activity subsequently paused, Mimecast’s Threat Intelligence Report warns that the respite is probably only temporary. “Emotet will almost certainly resume activity in the short- to medium-term and organizations need to be prepared for this,” according to the report.

Key 2020 Ransomware Attacks

The year kicked off with a New Year’s Day breach at Travelex Corp, which reportedly forced the currency exchange company to pay a $2.3 million ransom.[3] In February, Danish facilities-management company ISS World was also hit with a large ransomware breach.[4] ISS estimated that total costs could exceed $100 million, called off a planned dividend payment and announced that the combination of the pandemic and the breach was delaying “a number of key priorities.”[5]

Similar troubles hit Cognizant in the early days of the COVID-19 pandemic. The IT services firm was hit with a ransomware attack that management estimated will cost the company $50 million to $70 million.[6]

Manufacturing companies targeted by ransomware included Honda Corp, which suffered an attack that halted production at several facilities. Appliance manufacturer Fisher and Paykel[7], LG and Mitsubishi were also reported to have been targeted.[8] But ransomware attacks have hit organizations in all sectors, from retail (Australian sporting-goods chain InSport)[9] to religion (Temple Har Shalom in Warren, N.J.)[10]

Attacks have continued in the second half of the year: In July, DXC Technology acknowledged hackers had breached Xchanging, its insurance managed services subsidiary.[11]

Regulations May Contribute to Increased Reporting

One factor contributing to the increase in reported ransomware attacks may be that organizations are required to report certain types of breaches under regulations such as the EU General Data Protection Regulation and the California Consumer Protection Act). “Since GDPR was enforced there has been a rise in reported data breaches,” Addison said, “so there is an element of us finding out more often.”

The shift to remote working, driven by the COVID-19 pandemic, has also come with an acknowledgement that security may be more easily compromised if organizations don’t apply appropriate security measures for employees working at home.

Cryptocurrencies Enable Untraceable Ransom Payments

Several companies have reportedly paid ransoms, despite the fact that the FBI and other authorities strongly discourage doing so. Some criminals have started demanding ransoms cryptocurrencies like Monero, which are specifically designed to make payments hard to trace. Addison noted that the operators of the Sodinokibi ransomware switched to Monero earlier in the year, and have continued to attack high-profile targets and demand large ransoms since then. “Ransomware operators will likely feel more confident in their ability to remain anonymous and therefore more comfortable increasing the frequency of attacks and going after larger targets,” Addison said.

“The more sophisticated ransomware operators will assess their targets and set the ransom accordingly—they want to maximize profit, but it needs to be realistic and less than the cost of repairing the damage for the company should they decide to not pay the ransom,” she added.

Recent Threats

The U.S. Cybersecurity and Infrastructure Security Agency recently warned businesses that “sophisticated foreign cyber actors” are increasingly targeting companies that had to switch quickly to work from home during the pandemic. The CISA report singled out state security hackers from China, Iran, North Korea, and Russia, but a number of criminal gangs have also become well-known.[12]

Some of the most notorious recent ransomware threats include Maze, which was reportedly responsible for the attacks on Cognizant and several other organizations; Sodinokibi, (also known as Sodin and REvil), used in the Travelex attack; and EKANS (or SNAKE), designed to attack industrial control systems and used in the attack on Honda Corp.

Protecting the Organization Against Ransomware

Although attackers continually evolve new malware code variants as they attempt to evade defenses, they still generally use the same attack vectors, including email.

Preventive measures include basic security practices, such as establishing secure remote working practices, enforcing a strict password regime, using security awareness training, requiring multifactor authentication, regular backups, and limiting access to sensitive data.

The Bottom Line

The growing number of reported ransomware attacks underlines the threat to all organizations.

As Mimecast’s Threat Intelligence Report notes, organizations whose operations are already challenged by the pandemic may find it harder to prevent ransomware attacks and to recover from those that occur. That makes it even more important to implement effective security controls for all employees, including people working home, and to reduce the chance of unsafe employee behavior through security awareness training.

[1] “The State of Ransomware in 2020” BlackFog

[2] “11 Biggest Ransomware Attacks of 2020 (So Far)” CRN Magazine

[3] “Travelex Paid Hackers Multimillion-Dollar Ransom Before Hitting New Obstacles,” The Wall Street Journal

[4] ISS World Press release

[5] ISS World Press Release

[6] Cognizant Technology Solutions, Analyst call transcript

[7] “Fisher and Paykel Appliances Struck by Nefilim Ransomware,” IT News

[8] “LG and Mitsubishi Hit by Ransomware Attack, Data Leak Coming ‘Soon,’” Cointelegraph

[9] “Retailer InSport’s Head Office Hit by Ransomware” IT News

[10] “New Jersey Synagogue Suffer Sodinokibi Ransomware Attack” Bleeping Computer

[11] DXC Technology Press Release, DXC Technology

[12] CISA Alert, CISA