Cybercriminals are known to be opportunists. The COVID-19 pandemic made organizations and individuals increasingly vulnerable as they scrambled to deal with the fallout, which made 2020 a huge year for ransomware attacks. Cyber insurance provider Coalition reported that ransomware attacks were responsible for 41% of all cyber insurance claims submitted in the first half of 2020.
Schools, businesses and healthcare organizations can’t afford to go offline because of ransomware, and attackers know these victims are more likely to pay. According to the 2020 CrowdStrike Global Security Attitude Survey, conducted in August and September of 2020, 27% of ransomware victims had paid a ransom in the previous 12 months, at an average of a whopping $1.1 million.
Attackers have also shifted tactics recently while improving their encryption schemes, making them harder to crack. In addition to encrypting critical data, some hacking groups now steal sensitive data and threaten to publish it on public “leak sites” if the ransom is not paid. One group, known as FIN11, has shifted to this strategy.
Cloudflare has reported that some groups, including Fancy Bear, Cozy Bear and Lazarus, now conduct ransom-based distributed denial-of-service (DDoS) attacks. The attackers threaten to disrupt a victim’s network with a DDoS attack if a ransom is not paid, sometimes in concert with a “teaser” attack that causes a minor disruption.
The Sodinokibi ransomware gang has gained traction in cybercriminal circles as well. Sodinokibi operates in typical ransomware fashion: it infiltrates a victim’s computer, encrypts files with a strong encryption algorithm, and then demands payment for their restoration. An analysis of its underlying code shows that Sodinokibi is an entirely new malware strain rather than an updated variant of an existing ransomware family.
Fancy Bear, Cozy Bear, Lazarus and Sodinokibi