Ransomware Attacks Rose 17% in 2021; REvil and Conti Dominate
In 2021, ransomware crews launched a record total of nearly 300 reported attacks, amounting to a 17 percent increase from the prior year, security provider Blackfog said in its 2021 Annual Ransomware Report.
The report assesses ransomware attacks publicly disclosed in 2021 and categorizes them by industry, geography and month occurred during the year. Here are some of the findings:
- Of the 292 attacks, more than 80 percent involved data exfiltration in some form, with records disclosed on the Dark Web, websites and directly to the victims.
- Of those, one-third used botnets and two-thirds used illegal networks. Some 80 percent of ransomware utilized PowerShell to infect victims.
- The U.S. experienced more than 51 percent of ransomware attacks, followed by the U.K. with 10 percent, Canada at five percent and France and Australia each at three percent.
- The top three countries represented two out of every three attacks. In addition, one out of every three attacks exfiltrated data to China (16%) or Russia (12%).
- In 2021, the average size of the target organization hit by ransomware hackers decreased by 31 percent to an average of 15,581 employees compared to 2020, making small- to medium-sized businesses a growth market.
- Ransomware in the retail sector experienced a 100 percent growth, followed by an 89 percent increase in technology, 30 percent increase in healthcare, and 24 percent increase in government as compared to 2020.
- REvil dominated the 2021 landscape early in the year and finished with the highest number of victims, representing 17.5 percent of all attacks.
- The latter half of the year saw a massive increase in the number of attacks from Conti, which finished the year at 16.8 percent of all variants, for an increase of 228 percent over 2020.
- Variants such as Ryuk, Maze Nefilim were virtually eliminated and DoppelPaymer saw a 160 percent decrease in activity.
Five Ransomware Predictions for 2022
Blackfog also made five ransomware predictions for 2022:
- Ransomware gangs will rival enterprises in complexity: In 2022, there will be greater coordination between ransomware gangs, double extortion evolving to triple extortion and short selling schemes skyrocketing.
- Companies that pay ransoms will pay in other ways: Consumer trust of organizations that pay the ransom will continue to erode and lawsuits will abound as organizations are thrown under the bus for not doing enough to prevent data exfiltration.
- Our food supply will be compromised: As cyber adversaries continue to focus on making the biggest impact by affecting the most people, the food and agriculture industries will remain an attractive target, with a successful attack crippling our food supply likely in the coming year.
- Cyber insurance providers and security vendors will join forces: With mandatory reporting now in place and a move toward it becoming illegal to pay out ransoms, cyber insurance providers will need to rethink their business models and likely partner with security vendors to build a more lucrative sales model.
- Africa and SE Asia will become cyber contenders: As cyber criminals look to find cheaper labor and technical expertise, 2022 will see new threat actors from Southeast Asia and Africa.
Tips to Protect Against Ransomware Attacks
To mitigate the risk of ransomware attacks, the FBI and CISA say MSSPs and MSPs should take these seven steps:
- require multi-factor authentication (MFA);
- implement network segmentation;
- scan for vulnerabilities and keep software updated;
- remove unnecessary applications and apply controls — and be sure to investigate any unauthorized software, particularly remote desktop or remote monitoring and management software;
- implement endpoint and detection response tools;
- limit access to resources over the network, especially by restricting RDP; and
- secure user accounts.
How MSPs and MSSPs Can Respond to and Recover From Ransomware Attacks
If a ransomware incident occurs, then the CISA, FBI and NSA recommend the following four actions:
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scan your backups. If possible, scan your backup data with an antivirus program to check that it is free of malware.
- Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office.
- Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.