Ransomware Research: Attacks Tripled in Q2 to 33% of All Incidents, IBM Security Says
It’s no surprise that ransomware threat actors have adjusted their attack models to match improvements that organizations’ security defenders are making.
But the extent of that shift is eye-opening. As of September 2020, one in four attacks IBM Security X-Force Incident Response has remediated so far this year have been ransomware related, IBM Security said in a new Security Intelligence blog post. In particular, ransomware incidents erupted last June, which alone produced one-third of the cyber kidnappings IBM Security said its X-Force team remediated in 2020 to date.
Here are the report’s top line data:
- In some cases, IBM Security X-Force is seeing ransom demands of more than $40 million.
- Sodinokibi ransomware attacks account for one in three ransomware incidents IBM Security X-Force has responded to so far this year.
- Schools and universities are favorite targets for ransomware attackers owing to virtual or hybrid classes due to COVID-19.
- 41% of all ransomware attacks IBM Security X-Force analyzed in 2020 targeted organizations with operational technology networks.
On ransomware trends. In Q2 2020, the number of ransomware attacks IBM Security X-Force Incident Response remediated more than tripled compared to the previous quarter, amounting to one-third of the total incidents it responded to during the period.
On targets. Ransomware hits manufacturing companies hardest, accounting for nearly 25 percent of all the incidents IBM has responded to so far this year, followed by professional services at 17 percent and government organizations at 13 percent of all attacks.
Attacks on these three industries suggest that ransomware threat actors are seeking out victims with a low tolerance for downtime, such as manufacturing networks. Ransomware events on academic institutions have also ticked upwards. A cluster of universities attacked in May and June 2020 has expanded to additional academic institutions in August and September, with universities paying ransoms ranging from $400,000 to over $1 million.
On geos. Asia (33%) and North America (30%) are the hardest hit of ransomware engagements that IBM Security X-Force has responded to in 2020, suggesting ransomware attackers are focusing on business-dense markets.
On new techniques. More attackers are using blended extortion-ransomware attacks, threatening victims who decline to pay up with the release publicly of their stolen information.
On ransomware variants. The ransomware strain IBM Security X-Force has seen most frequently in 2020 is Sodinokibi (also known as REvil), a ransomware-as-a-service (RaaS) attack model that has been capitalizing on blended ransomware and extortion attacks this year. Sodinokibi comprises 29% of all IBM Security X-Force ransomware engagements in 2020.
IBM offered six recommendations to help mitigate risks and minimize damage:
- Paying. If your organization has been hit by a ransomware attack, seek a solution to restore your data and keep your reputation intact rather than paying the attackers. Paying a ransom doesn’t guarantee you or your organization will get any data back.
- Backups. Availability of backup files is a significant differentiator for organizations that can help recover from a ransomware attack. Ensure you have files safely stored from attacker accessibility with read-only access.
- Data theft. Implement a plan to thwart data theft, particularly for uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.
- Analytics. Use analytics to identify potential security incidents. When triggered, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.
- MFA. Employ multi-factor authentication on all remote access points into an enterprise network, especially to secure or disable remote desktop protocol access that ransomware attackers regularly exploit to gain network access.
- Testing. Use penetration testing to identify weak points in enterprise networks and vulnerabilities that should be prioritized for patching.