Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of a topic; the filters can be used to further select the content most relevant to you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
An increase and shift in ransomware attacks
The emergence of ransomware affiliate programs
Ransomware developers often lacked the tools and capabilities to infiltrate corporate networks. As a way around this problem, they began setting up affiliate programs. The scheme works as follows: threat actors who specialize in penetrating corporate networks monetize their access by distributing ransomware. After the victim pays the ransom, the ransomware authors send a cut to their affiliates. There are two types of affiliate programs: public and private. Public programs first emerged in mid-2019. Their distinctive feature is that the developers recruit affiliates on underground forums. Private affiliate programs, on the other hand, are not advertised and are intended to bring together other types of threat actors (e.g. APT groups) and trusted users. Many affiliates prefer to keep their activities under the radar. However, analyzing their activity in the hacker community, together with information obtained during incident response engagements, has made it possible to identify some of them. Some users who showed an interest in affiliate programs on underground forums were involved in either selling access or working with various malware (including stealers).
Stealing and publishing data
In the early days, cybercriminals only encrypted data and demanded ransoms from victims. Since the end of 2019, however, many have started using a new technique: before encrypting the information, they copy it to their own servers for further blackmail. They usually use the HTTP, HTTPS and FTP protocols and legitimate cloud storage services; on rare occasions they use email and instant messengers. In such cases, if the victim fails to pay the ransom, the ransomware operators not only keep the stolen data but also publish it online. To do so they create dedicated websites, usually on the Tor network. An example of such a website is shown below.
Attack statistics
Maze and REvil have been the most active ransomware families since late 2019, accounting for over 50% of successful attacks. Ryuk, NetWalker and DoppelPaymer are in the second tier. The most frequently attacked sector was manufacturing. Half of all attacks targeted entities in the manufacturing, trade, government, healthcare, construction and academic sectors. Although the operators currently focus on the above industries, affiliates usually seek the easiest targets, which explains the wide distribution of attacks across different verticals.
Nation-state actors sell access to networks and use ransomware
In an effort to increase their profits, some state-sponsored groups began selling access to corporate networks or even using ransomware like regular cybercriminals. A telling example is an ad published by a user with the nickname nanash in June 2020. The seller offered access to many networks, including some belonging to US government departments, defense contractors (Airbus, Boeing, etc.), IT giants and media companies.
Large companies under increasing threat from massive hacks
In the past, massive attacks did not cause serious damage to large companies: brute-force attacks or the exploitation of vulnerabilities in widespread software typically led to their infrastructure being used to distribute or manage malicious code, mine cryptocurrencies, conduct DDoS attacks or proxy traffic. However, the market for the sale of access to corporate networks, the number of ransomware attacks and APT group activity have all increased, so the cost of an error on a company’s external perimeter has surged as well. Ten out of 15 ransomware affiliate programs focus on brute-force attacks on RDP. Three programs actively exploit vulnerabilities in VPN services.
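As an added defensive illustration (not part of the original HSD snippet), the following Python detector flags the RDP brute-force activity the text says most affiliate programs rely on: it counts failed RemoteInteractive logons per source address over a sliding time window and ignores non-RDP logon types. The log lines are constructed, and their format is a simplified stand-in for a Windows Security log export, not a real export format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on a Windows Security log export.
# EventID 4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z EventID=4625 LogonType=10 Source=203.0.113.5 User=administrator
2020-06-01T10:00:03Z EventID=4625 LogonType=10 Source=203.0.113.5 User=admin
2020-06-01T10:00:04Z EventID=4625 LogonType=10 Source=203.0.113.5 User=root
2020-06-01T10:00:06Z EventID=4625 LogonType=10 Source=203.0.113.5 User=backup
2020-06-01T10:00:09Z EventID=4625 LogonType=10 Source=203.0.113.5 User=test
2020-06-01T10:00:11Z EventID=4625 LogonType=10 Source=203.0.113.5 User=guest
2020-06-01T10:02:30Z EventID=4625 LogonType=10 Source=192.0.2.7 User=jsmith
2020-06-01T10:02:45Z EventID=4624 LogonType=10 Source=192.0.2.7 User=jsmith
2020-06-01T10:03:00Z EventID=4625 LogonType=3 Source=198.51.100.9 User=svc
2020-06-01T10:03:01Z EventID=4625 LogonType=3 Source=198.51.100.9 User=svc
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Source=(?P<src>\S+) User=(?P<user>\S+)$"
)

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: (failure_count, distinct_users)} for every source with
    at least `threshold` failed RDP logons inside some sliding `window`."""
    failures = defaultdict(list)  # source -> list of (timestamp, user)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "4625" or m["lt"] != "10":
            continue  # skip successes and non-RDP logon types
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        failures[m["src"]].append((ts, m["user"]))

    hits = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until events[start..end] fit
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in events[start:end + 1]}
                hits[src] = (count, len(users))
    return hits
```

Running it on the sample flags 203.0.113.5 (six failures against six different accounts within ten seconds) while the single failure from 192.0.2.7 and the network-logon failures from 198.51.100.9 stay below the bar.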