There was a massive 288% surge in ransomware attacks between the first and second quarters of 2021, according to research recently published by NCC Group. The Conti ransomware gang was the biggest threat in this period, having conducted 22% of the attacks. The Avaddon ransomware gang was also particularly active and was behind 17% of the attacks.
The Avaddon ransomware-as-a-service (RaaS) operation is believed to have been shut down, but the threat actors could return with a new ransomware variant, as is often the case when RaaS operations close down. Even if the shutdown is permanent, affiliates of the program are likely to simply migrate to another RaaS operation and continue their attacks using a different ransomware variant.
Even though Avaddon is no more and other threat groups such as Sodinokibi/REvil and DarkSide have also shut down, ransomware attacks are likely to continue to occur at high rates. Several new ransomware variants have recently been identified that could well take the place of Avaddon and Sodinokibi.
Since the start of 2020, data exfiltration prior to the use of ransomware has been a growing trend. Ransomware actors used to just encrypt files to prevent data access and would issue ransom demands to obtain the keys to decrypt files.
The ante was upped in early 2020 when ransomware gangs started to exfiltrate sensitive data prior to file encryption and conduct a double extortion attack, where the victim is required to pay for the keys to decrypt files as well as make a payment to prevent the sale or publication of the stolen data. Many victims have ended up paying the ransom even when they have been able to recover their data from backups, solely to prevent sensitive information from being exposed.
While only a few ransomware operations had the capability of exfiltrating data initially, more and more gangs have now adopted this tactic and it is fast becoming the norm. The researchers explained that 49% of victims in the United States suffered ransomware attacks involving double extortion tactics in the past 3 months, including the attack on Colonial Pipeline in June 2021. The attack resulted in the shutdown of the fuel pipeline to the Eastern Seaboard of the United States. The company paid a $4.4 million ransom for the keys to decrypt files and to prevent the release of sensitive data stolen in the attack.
“Over the years, ransomware has become a significant threat to organizations and governments alike. We’ve seen targets range from IT companies and suppliers to financial institutions and critical infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription mode,” said Christo Butcher, NCC Group global lead for threat intelligence. “It’s therefore crucial for organizations to be proactive about their resilience. This should include proactive remediation of security issues and operating a least privilege model, which means that if a user’s account is compromised, the attacker will only be able to access and/or destroy a limited amount of information.”