Ransomware 2.0

Feb 01, 2021

2020.  What a great year it was.  We will look back on it with fond memories … ah yes.

In amongst the dumpster fire that it was, we also saw the greatest concentration of ransomware attacks, with some name-worthy victims making the headlines including Twitter and Garmin, among others.

Ransomware thrived in a COVID-19 landscape and caused a paradigm shift in how businesses and employees work, and bringing a host of new security challenges as a result.  As the year rolled on, attacks became more and more sophisticated.  No one has been spared, including the frontline of the global pandemic response, the embattled healthcare sector, including its hospitals and vaccine manufacturers.

Cyber criminal groups with such names as REvil, Ragnar Locker, Ryuk and Wizard Spider (cool name) have proven to be ruthless, well-funded and will target anyone for a big payday

How lucrative?  Wizard Spider from Russia, for example, is thought to have netted around 695.80 Bitcoin, with an approximate value of 5.0m NZD, since 2018. Meanwhile, the Boss Spider group, thought to be based in Iran, received more than $9.7 million between 2016 to 2018.

What we are seeing now, is what is has been termed as Ransomware 2.0.  This essentially means that attacks are becoming more highly targeted and the focus isn’t just on encryption. We are now seeing various methods of extortion, based around leaking or publishing of stolen data and passwords, public exposure of victims, threatening victim’s customers and so on.  This puts not just company’s reputations at risk, but also opens them up to lawsuits if the published data violates regulations such GDPR.  There’s more at stake than just financial losses.

So just how will ransomware attacks develop in the year ahead?  What tactics will be deployed?

Big Game Hunting

We will see an increased trend away from a “spray and pray” approach to ransomware attacks to ones known as “big-game hunting”.  This is where attackers focus their efforts on victims that can yield a greater financial pay-off.

Double Extortion Attacks

Double extortion attacks where in addition to paralyzing systems, criminals also threaten to release personal or sensitive data on the internet or to the press.  This adds the pressure of regulatory fines and reputation damage if they refuse to pay the ransom.

Cold Calling and Intimidation

In attempts to put pressure on victims, ransomware gangs now cold-call victims directly, if they suspect the company might try to restore from backups and avoid paying ransom demands. This is an intimidation tactic designed to make the attacker seem omniscient and make the victim feel like any suggestion of recovery is futile.

Targeting of Backups

Ransomware is targeting backups directly.  Without the ability to successfully restore systems organizations are left with no option other than to pay the ransom.

Delay Tactics

Attackers are also waiting longer before encrypting data, to outlast backups.  Cyber-criminals know that there is a much greater chance of payment if the victim doesn’t have a good backup to revert to.  Attackers access systems and install ransomware but don’t execute immediately.

In summary, the enemy is still at the gate.  They're armed with new tools and methods, they're sophisticated and well organised. They're taking advantage of global instabilities caused by COVID-19, among other things, plus our ongoing increasing online presence.  Enterprises small and large, will have to look hard at their defenses, find the holes and patch them.  They'll also need to continue to stay informed of ransomware trends, and be aware of the the technologies and methods available to protect them, and of course, make sure they are able to recover in the event of an attack.


Deano is part of vBridge's amazing infrastructure team, who are responsible for keeping the lights on, and making sure your IaaS experience is a happy and productive one.