Ransomware groups extorted at least $45 million in the first quarter of 2021


May 27, 2021, by Horst Buchwald


Berlin, 5/27/2021

According to the eSentire Ransomware Report, six ransomware groups attacked 292 companies between January 1 and the end of April of this year, extorting at least $45 million.

Researchers at eSentire focused primarily on the Ryuk/Conti, Sodin/REvil, Clop and DoppelPaymer ransomware groups, as well as two up-and-comers: DarkSide and Avaddon.

According to eSentire, each gang has chosen an industry focus. The Ryuk/Conti gang mainly attacks manufacturing, construction and transportation companies. Since 2018, a total of 352 companies in these industries have been hit with its ransomware; 63 of them fell victim this year alone. Victim names are usually kept quiet, but every now and then one becomes public. According to the report, the Broward County School District and the French cup maker CEE Schisler, both of which refused to pay the exorbitant ransoms, are among the publicly known victims.

In addition to manufacturing, the group made news in 2019 for attacking the IT systems of smaller local governments across the United States, including Jackson County, Georgia; Riviera Beach, Florida; and LaPorte County, Indiana. All three local governments paid the ransoms, which ranged from $130,000 to nearly $600,000. In 2020 the group primarily attacked hospitals in the U.S.

Like the Ryuk/Conti gang, the operators of the Sodin/REvil ransomware have focused on healthcare organizations, but they have also gone after laptop manufacturers. Of their 161 known victims, 52 were hit in 2021. They made international headlines with attacks on Acer and Quanta, two of the world's largest technology manufacturers.

Quanta, which builds laptops for Apple, was hit with a $50 million ransom demand. The company refused to pay, after which the Sodin/REvil gang leaked detailed schematics of an Apple product. The gang threatened to release more documents, but in May it withdrew the images and every other reference to the attack from its leak site, according to the report, which notes that Apple has not commented on the intrusion.

The DoppelPaymer/BitPaymer gang has made a name for itself by targeting government facilities and schools. The FBI released a notice in December specifically about this ransomware, noting that it is used to attack critical infrastructure such as hospitals and emergency services.

The report adds that most of the gang's 59 victims this year have not yet been publicly identified, with the exception of the Illinois Attorney General's office, which was attacked on April 29.

The Clop gang has focused its efforts on exploiting the widely known vulnerabilities in Accellion's legacy File Transfer Appliance (FTA). The eSentire team and Mayes explain that the group used the flaws extensively, hitting the University of California, U.S. bank Flagstar, global law firm Jones Day, Canadian aircraft manufacturer Bombardier, Stanford University, oil giant Royal Dutch Shell, the University of Colorado, the University of Miami, gas station chain RaceTrac and many more.

Clop attacked Darmstadt-based Software AG in October 2020, demanding a $20 million ransom. Germany’s second-largest software maker refused to pay.

The report notes that the Clop gang has become notorious for combing through a victim's stolen files and contacting the victim's customers or partners directly to pressure the victim into paying.

The DarkSide gang has been in the headlines lately for its attack on Colonial Pipeline, which triggered a political firestorm in the U.S. and a run on gas stations in cities along the U.S. East Coast.

The group is one of the youngest among the leading ransomware groups, emerging in late 2020, according to the report. But they are already very active, attacking 59 victims since November and 37 victims this year.

The report notes that the DarkSide group operates as a ransomware-as-a-service (RaaS) operation, handing the actual intrusions to affiliates who attack targets and split the ransom with the developers. eSentire said its research indicates that the people behind DarkSide did not know about the Colonial attack in advance and only learned of it from the news. The group made headlines last week when it allegedly suspended all its operations because of increased scrutiny from law enforcement agencies.

The group has been involved in several attacks against energy producers, among them one of Brazil's largest power companies, Companhia Paranaense de Energia (Copel), which it hit in February.

The last group examined is the Avaddon gang, which was in the news this week for its attack on AXA, a major European insurer. The attack was notable because AXA provides cyber insurance to dozens of companies and had just pledged to stop reimbursing its customers in France for ransom payments.

In addition to AXA, the group has attacked 46 companies this year and, like DarkSide, operates as a ransomware-as-a-service operation. According to the report, the group stands out by displaying a countdown clock on its dark web leak site and additionally threatening a DDoS attack if the ransom is not paid.

Their list of victims includes healthcare organizations such as Capital Medical Center in Olympia, Washington and Bridgeway Senior Healthcare in New Jersey.

The eSentire team and Mayes added that the high number of unreported attacks suggests these gangs are harming many more facilities than the public realizes.

"Another sobering realization is that no single industry is immune from this ransomware scourge," the report said. "These crippling attacks are occurring in all regions and industries, and it is imperative that all businesses and private organizations take security precautions to mitigate the damage caused by a ransomware attack."

Below are some basic security steps every organization should take to defend against ransomware attacks:

– Back up all critical files and keep at least one copy offline or otherwise isolated from the production network. Backups that stay reachable from infected systems are useless in a ransomware attack, because the attackers encrypt or delete them first.

– Require multi-factor authentication for access to your organization’s virtual private network (VPN) or remote desktop protocol (RDP) services.

– Allow only administrators to reach network appliances, and only over a VPN, never directly from the internet.

– Domain controllers are a prime target for ransomware actors, so make sure your security team has visibility into your networks: deploy endpoint detection and response (EDR) agents and forward logs from domain controllers (DCs) and other servers to central logging.

– Apply the principle of least privilege to your employees.

– Implement network segmentation.

– Disable RDP when it is not needed, and never expose it directly to the internet.

– Patch your systems regularly, prioritizing the most critical IT systems.

– User training should be mandatory for all employees in the organization and should focus on:

  – the risks of downloading and running files from unverified sources

  – avoiding "free" versions of paid software

  – checking the full URL before downloading files to ensure it matches the expected source (e.g. Microsoft Teams should come from a Microsoft domain)

  – always checking file extensions and not trusting the file type icon alone; an executable can be disguised as a PDF or Office document
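As a worked illustration of the last training point, the following checker is an added example, not code from the eSentire report or from the original article. It compares a file's leading bytes (its magic number) with the type its extension claims, and additionally flags the two classic disguises: a double extension such as invoice.pdf.exe, and the Unicode right-to-left override character, which makes a name like "report<U+202E>fdp.exe" render as "reportexe.pdf" in a file manager. The signatures table and the sample inputs are constructed for this example; a real deployment would use a full signature library.

```python
"""Flag files whose content does not match what their name claims.

Added example: magic-number versus extension check for disguised
executables. The signature table below is a constructed subset of
well-known file signatures, not a complete one.
"""
import os

# Leading bytes of the types this example recognises (constructed subset).
# Office 2007+ documents (.docx/.xlsx) are zip containers, so they start with PK.
MAGIC = {
    "exe": b"MZ",                                   # Windows PE / DOS stub
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # legacy .doc/.xls container
}

# Which on-disk signature each claimed extension is allowed to carry.
ALLOWED_BY_EXT = {
    ".pdf": {"pdf"},
    ".docx": {"zip"},
    ".xlsx": {"zip"},
    ".zip": {"zip"},
    ".doc": {"ole"},
    ".xls": {"ole"},
    ".exe": {"exe"},
    ".dll": {"exe"},
    ".scr": {"exe"},
}

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".ps1", ".js", ".vbs", ".hta", ".msi"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def detect_type(data: bytes):
    """Return the signature name matching the file's first bytes, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def check_file(filename: str, data: bytes):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    base = os.path.basename(filename)

    # 1. RLO trick: the displayed extension is not the real one.
    if RLO in base:
        findings.append("right-to-left override character in name")

    # 2. Double extension: "invoice.pdf.exe" shows as "invoice.pdf" when
    #    Explorer hides known extensions.
    parts = base.lower().split(".")
    if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"double extension: looks like .{parts[-2]} but is .{parts[-1]}")

    # 3. Content/extension mismatch based on the magic number.
    ext = os.path.splitext(base.lower())[1]
    actual = detect_type(data)
    allowed = ALLOWED_BY_EXT.get(ext)
    if allowed is not None and actual is not None and actual not in allowed:
        findings.append(f"content is {actual} but extension {ext} claims {sorted(allowed)}")

    # 4. A PE header under any non-executable extension is always worth a look.
    if actual == "exe" and ext not in EXECUTABLE_EXTS:
        findings.append("PE executable without an executable extension")

    return findings


# Constructed sample inputs: name -> first bytes as they would sit on disk.
SAMPLES = {
    "report.docx": b"PK\x03\x04" + b"\x00" * 8,
    "invoice.pdf.exe": b"MZ\x90\x00",
    "quarterly.pdf": b"MZ\x90\x00",
    "report" + RLO + "fdp.exe": b"MZ\x90\x00",
    "notes.txt": b"hello",
}


def scan_samples():
    """Run the checker over the constructed samples and return {name: findings}."""
    return {name: check_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        status = "SUSPICIOUS" if findings else "ok"
        print(f"{status:10} {name!r}: {findings}")
```

Only the first few bytes of each file are needed, so the check is cheap enough to run on every attachment in a mail gateway or download folder. Note that the check is deliberately one-directional: an unrecognised signature under an unrecognised extension (notes.txt above) produces no finding, because a signature table that is not complete must not generate false positives for every text file.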