Observations on how ransomware has evolved from being ‘annoying’ for consumers to almost an existential threat for enterprises…:
[…] Late 2018 – present day. The plummeting price of Bitcoin in 2018, combined with the growth of users’ overall security awareness and better protection practices, caused ransomware operators to rethink their strategies. Instead of using the “spray and pray” technique, they started zeroing in on enterprise networks.
The big names that pioneered these targeted attacks are Sodinokibi (aka REvil) and Ryuk. The logic of the raid mainly comes down to using unsecured RDP ports or spear-phishing to infiltrate networks and gain a foothold in them. In many cases, the crooks hack managed service providers (MSPs) first and then use this access to compromise the partnering organizations.
Local governments, small and medium-sized businesses, large international corporations, healthcare facilities, and educational institutions are the common targets. Depending on the number of infected computers, ransoms can reach millions of dollars. The most disgusting part of this activity is that some perpetrators continue to infect hospitals during the COVID-19 pandemic.
In November 2019, the criminals behind a ransomware species called Maze started a new trend that is currently gaining momentum on the dark web. They added data theft to the classic encryption scenario. This tactic enhances the blackmail as the attackers threaten to leak the stolen files via publicly accessible sources such as hacker forums if the victim refuses to cough up the ransom.
In early 2020, several cybercriminal groups followed suit. To top it off, some of them have created special websites for data dumps. Aside from the Maze ransomware, this extortion quirk has become the norm for such lineages as DoppelPaymer, Sodinokibi, Nemty, Nefilim, and Clop. The latter hit the headlines in late April 2020, when its operators leaked sensitive files stolen from the U.S. pharma giant ExecuPharm.