Ransomware Attacks Most Commonly Start with Phishing and 70% Involve Data Exfiltration

The Q4, 2020 Quarterly Ransomware Report from Coveware shows there has been a marked decline in the number of companies paying ransoms to recover data stolen in ransomware attacks and prevent the public release of stolen data.

The fall is seen as a response to the erosion of trust. There have been several recent attacks where stolen data has been released publicly even when a ransom has been paid. If companies have a viable backup that can be used to recover data, it is now more common for the ransom not to be paid, even when the attackers threaten to release the stolen data.

Data theft prior to file encryption is now commonplace, with Emsisoft previously reporting that at least 17 ransomware gangs have adopted this double extortion tactic. Coveware’s figures show the number of attacks where data was exfiltrated prior to file encryption increased from 50% in Q3, 2020 to 70% in Q4, 2020. The percentage of companies paying ransoms when they received threats to release stolen data decreased from 74.8% in Q3, 2020 to 59.6% in Q4, 2020. In Q4, 2020 the average ransom payment was $154,108 and the median ransom payment was $49,450, which represent falls of 34% and 55% respectively from the previous quarter.

Even with a higher percentage of companies opting not to pay ransoms, conducting ransomware attacks remains highly profitable, and since there is a low risk of being caught, it is unlikely that the attacks will slow in the short term. While the attacks remain profitable they will continue; only if this trend persists and more companies refuse to pay will it eventually lead to a reduction in attacks.

It is now more common for stolen data not to be deleted if the ransom is paid. Coveware saw several attacks in Q4, 2020 where ransomware gangs provided fake evidence of stolen data being deleted to reassure victims that they have made good on their promise, when that was not the case.

There has been a rise in attacks where ransomware gangs have permanently deleted data. “In Q4, Coveware received multiple reports from victims that entire clusters of servers and data shares had been permanently wiped out, with no recourse for retrieving the data even with the purchase of the decryption key,” explained Coveware in the report.

Coveware identified three types of ransomware threat actor that are now conducting attacks. There are “lone wolves”, where threat actors conduct their own attacks and keep all of the ransom payments they generate, often using off-the-shelf file encryption tools in the attacks. Then there are two types of ransomware-as-a-service (RaaS) operation. The first is essentially open to anyone who wants to start distributing ransomware, such as the Dharma ransomware operation. These attacks are most commonly conducted on small- to medium-sized businesses, with 71% of attacks on companies with fewer than 1,000 employees.

Closed RaaS operations may use dozens of affiliates to conduct attacks, but they are very selective about who they recruit to distribute the ransomware. The Sodinokibi (REvil), Egregor, and Conti ransomware operations fall into this category. They are also the 1st, 2nd, and 4th most prolific operations in terms of the number of attacks conducted. This group is much more likely to attack large enterprises and the affiliates often exfiltrate data prior to file encryption.

The most common method for conducting attacks has changed significantly over time. In Q4, 2018, around 80% of attacks involved RDP compromise, with low levels of vulnerability exploitation to gain network access. RDP compromise dropped to under 30% in Q4, 2020, with a slight uptick in the exploitation of vulnerabilities. Email phishing has long been used to gain access to networks to deploy ransomware, rising from around 15% of attacks in Q4, 2018 to between 25% and 30% of attacks in the quarters that followed, before increasing sharply in Q4, 2020.

Phishing is now used in more than 50% of ransomware attacks. Phishing attacks may deliver ransomware directly, but it is far more common for the ransomware payload to be delivered by other malware variants such as Emotet or Trickbot. It will be interesting to see how the takedown of the Emotet botnet affects ransomware distribution tactics in Q1, 2021 and beyond.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news