Blackmailer at work
Globally, ransomware attacks are up 102 percent this year compared to the beginning of 2020 - and there are no signs of slowing down. The number of organizations affected by ransomware globally more than doubled in the first half of 2021 compared to 2020.
There was much excitement on the US East Coast in mid-May when Colonial Pipeline's network was hit by a ransomware attack. The company had to take certain systems offline after the cyberattack, which completely shut down pipeline operations, causing gasoline shortages in parts of the country.
The FBI confirmed in a statement that a professional cybercriminal group called Darkside was responsible for the Colonial Pipeline ransomware attack. Other large-scale attacks, in Switzerland for example on Swiss Cloud Computing or Griesser, globally for example on the city of Tulsa, and the REvil ransomware that tried to extort Apple, make it clear: ransomware attacks are a major problem worldwide. It is estimated that last year, ransomware cost businesses around $20 billion globally - a figure that is nearly 75 percent higher than in 2019.
Healthcare in focus
Our researchers at CPR (Check Point Research) have found that, on average, more than 1,000 organizations are affected by ransomware each week. The number of affected organizations has increased significantly in 2021 - up 21 percent in the first quarter of the year and seven percent since April. These increases have led to a staggering 102 percent overall increase in the number of organizations affected by ransomware compared to the start of 2020. The industry experiencing the most ransomware attack attempts globally is healthcare, with an average of 109 attack attempts per organization per week, followed by utilities with 59 attacks and insurance/legal with 34 attacks.
Regional differences
Interestingly, regional differences can also be identified: Organizations in the Asia-Pacific region (APAC) are currently the most affected by ransomware attacks. On average, organizations in APAC are attacked 51 times per week. A North American organization experiences 29 weekly attacks on average, European and Latin American organizations experience 14, and African organizations experience four. India saw the most attack attempts per organization, with an average of 213 weekly attacks year-to-date. It is followed by Argentina with 104 per organization, Chile with 103, France with 61 and Taiwan with 50.
While in North America healthcare organizations have suffered the most attacks since the beginning of the year, in Europe utility organizations have been hit the hardest. In APAC, the insurance and legal sectors have been hit hardest, while in Latin America it is the communications industry. In Africa, the financial and banking sectors are the most attacked.
Triple ransomware
The success of double extortion (criminals not only encrypt data, they publish it) in 2020, especially since the outbreak of the Covid-19 pandemic, is undeniable. Although not all incidents - and their outcomes - are disclosed and published, statistics collected in 2020-2021 reflect the importance of this attack vector: the average ransom payment increased 171 percent last year and now stands at about $310,000. More than 1,000 organizations suffered data breaches after refusing to comply with ransomware demands in 2020, and about 40 percent of all newly discovered ransomware families included data infiltration in their attack process. Attacks that took place in late 2020 and early 2021 point to a new attack chain, essentially an extension of the double-extortion ransomware technique that incorporates an additional threat into the process. We call this triple extortion.
The first notable case was the attack on the Finnish Vastaamo psychotherapy clinic with around 40,000 patients. It was affected by a large-scale theft of patient data and a ransomware attack. Not only was a ransom demanded from the clinic, but surprisingly, smaller sums were also demanded from patients, who received the ransom demands individually via email. In these emails, the attackers threatened to publish their therapists' session notes. Even as they ride the wave of success, cybercriminals are constantly on the lookout for more innovative and fruitful business models. That's why it's all the more important to be aware of the threat and to be protected against it.
How to arm yourself against ransomware attacks
1. Increased vigilance on weekends and holidays: Most ransomware attacks last year took place on weekends and holidays.
2. Up-to-date patches: You MUST keep computers up to date and install security patches, especially those that are classified as critical.
3. Anti-ransomware solutions: These monitor programs for suspicious behaviors that ransomware often exhibits. When such behavior is detected, the program can take action to stop the encryption before further damage can be done.
4. Educate: Educating users to detect and avoid potential ransomware attacks is critical. Many cyberattacks begin with a targeted email that doesn't even contain malware, but a fake message that tricks the user into clicking on a malicious link. User education is often considered one of the most important defenses an organization can employ.
Ransomware attacks don't start with ransomware: Security professionals should be on the lookout for Trickbot, Emotet, Dridex, and Cobalt Strike infections on their networks and remove them using threat hunting solutions, because they open the door to ransomware infections.
Source: Check Point Software