Ransomware tracker: Threat groups focus on vulnerable targets
As the recent attack against Colonial Pipeline shows, ransomware groups consider just about any organization to be fair game.
Vulnerable organizations including healthcare companies and schools have been constantly bombarded with ransomware attacks over the last year, according to data collected by Recorded Future from government agencies, news reports, hacking forums, and other sources. For example, there were 7 hospitals, healthcare systems, and clinics that disclosed ransomware attacks last month, down from a record high of 17 in March and 9 in April 2020.
Ransomware operators seem to be expanding their reach outside the U.S.—5 out of the 7 attacks against healthcare organizations happened abroad, said Allan Liska, a ransomware specialist at Recorded Future who is involved in the analysis. For example, French newspapers reported on a ransomware attack that disrupted the computer systems and telephones at Saint-Gaudens hospital in the Pyrenees.
“While the United States is still a big target for big game hunting ransomware attacks, the attackers are expanding their attack surface and looking at other targets,” Liska said. “I think this also reflects better reporting of ransomware attacks in [other] countries as well.”
Attacks against school systems also remained high, despite declining slightly from March. There were 9 disclosed attacks against schools in April, which compares to 13 during the previous month and 1 incident in April 2020.
Based on data from last year, there’s the possibility that ransomware attacks against schools could drop significantly over the summer—there were no reported ransomware attacks against schools in May 2020, and only one attack in June.
Perhaps the biggest drop in ransomware figures comes from extortion sites, which a wide variety of operators have set up to pressure victims into paying demands. Over the last two years, it has become common for ransomware attackers to steal sensitive data from victims before encrypting their information and devices—they then post a small amount of this data on extortion sites, threatening to sell or publicly reveal the rest of the data if the ransom isn’t paid. About one-in-six ransomware payments carries a sanctions violations risk, The Record reported Tuesday.
Last month, there were only 106 victims posted on extortion sites tracked by Recorded Future, down from 261 in March and 521 in December 2020.
Although Liska said the decline could be a reflection of victims choosing to negotiate before their data gets exposed, it is also possible that attacks from these groups are decreasing. “I don’t like to predict trends based on one month of data… but I think it reflects a true, but probably temporary, slowdown in the number of attacks,” he said. However, there will “undoubtedly be a resurgence in attacks at some point [as] there is simply too much money in ransomware for attackers to stop.”
Two ransomware task forces—one from the U.S. Department of Justice and one from a public/private consortium of several dozen organizations—were also announced in April with the aim of curbing ransomware attacks going forward. Both were formed in part due to the increasing losses caused by ransomware and the urgency of the issue, which only increased last week when Colonial Pipeline announced that it had to shut down 5,500 miles of fuel pipelines after suffering a ransomware attack that has since been attributed to Darkside.
Although it’s difficult to quantify the total number of ransomware attacks, Michael Daniel, president of the Cyber Threat Alliance and a co-chair of the public/private Ransomware Task Force, said in an interview with The Record that there is a clear trend in all the measurements of a steady rise in attacks.
While the vast majority of ransomware incidents are “one shot” attacks that only target a single machine, Liska estimates that there were about 11,000 hands-on-keyboard attacks in the U.S. and about 65,000 such attacks worldwide in 2020 that required some level of advanced targeting. The estimates are based on an analysis of data shared by major ransomware operators in addition to research developed by Valery Marchive, chief editor at LeMagIT in France, on the ratio of victims who pay ransomware demands.
The Record by Recorded Future allows outside organizations to share and distribute graphs from this ongoing project with proper attribution.