Ransomware Doesn’t Discriminate. It Only Cares about Money.

August 7, 2019
Vectra AI Security Research team
Ransomware Doesn’t Discriminate. It Only Cares about Money.

Estes Park Health. Residex Software. Olean Medical Group. Seneca National Health System. Shingles Springs Health and Wellness Center. Baltimore. Atlanta. Lake City. Riviera Beach. DataResolution. iNSYNQ. Olympia Financial Group. Broken Arrows Public Schools. Wickenburg Community Hospital. City Power Johannesburg. Georgia State Patrol. Cleveland Hopkins International Airport. Colorado Department of Transportation. Police Federation of England and Wales. Hexion. Momentive.

These are a few organizations that fell victim to ransomware attacks in 2019. What they have in common is they were deemed mostly likely to pay a ransom to avoid operational downtime and losing critical information. Any organization that attackers believe will pay, and into which they can gain an initial foothold, is a potential target. Complicating matters, cybercriminals are broadening their attacks when they strike. They no longer seek to encrypt files on single-user devices. They can cause significantly more damage and far more money by encrypting multiple file servers and databases.

When ransomware encrypts file servers and databases, the stakes become much higher in terms of operational downtime and data loss. Organizations hit by ransomware outbreaks find themselves in an all-hands-on deck emergency that requires complete attention to restore systems immediately while business operations are held hostage. Downtime becomes worse when the target is a cloud service provider and the systems encrypted are those of its customers. In 2019, cloud hosting firms DataResolution.net and iNSYNQ were hit by ransomware attacks that caused the business operations of more than 30,000 customers to come to a screeching halt.

Ransomware was little known before 2014, when the earliest versions of the software began circulating through organizations. It took attackers about a year to refine their approach and attack techniques, which led to globally-distributed attacks like WannaCry in 2017. In 2019, the opportunistic tactics of ransomware evolved into well thought-out targeted attacks with strains like LockerGaga, Ryuk, MegaCortex, GrandCrab and Dharma. These new targeted families of ransomware set the ransom according to the victim’s perceived ability to pay.

For instance, in the short time of its existence since August 2018, Ryuk has targeted more than 100 U.S. and international businesses, including cloud service providers like DataResolution.net. CrowdStrike characterizes the approach used by Ryuk as “big-game hunting” because attackers have made off with millions of dollars from a wide range of victim organizations with high annual-revenues. And this is just one strain of ransomware.

Modern ransomware has been heavily weaponized, has a sweeping blast radius and is a staple tool in the attacker’s arsenal. In a call to arms, cloud and enterprise organizations everywhere are scrambling to detect and respond early to ransomware attacks.

In the 2019 Spotlight Report on Ransomware, security researchers at Vectra observed hidden attacker behaviors in cloud and network traffic from hundreds of opt-in customers from January-June 2019. The report reveals that a devastating type of targeted ransomware attack—specifically, attempts to encrypt shared network files—has grown in significance as cybercriminals cast a wider net.

Fortunately for our customers, the Cognito platform from Vectra identifies ransomware attacks early in the attack lifecycle, well before they can cause damage. This includes all the precursors and signs of a targeted attack before the encryption of shared network files has a chance to succeed. The data collected over the six-month period shows industries with the most network file-encryption attempts and where they occurred geographically.

In the past six months, we learned that finance is still the most targeted industry, but every other industry was impacted as well.

For more information, I encourage you to download the 2019 Spotlight Report on Ransomware and take a look at our Ransomware Infographic, which provides a striking visualization of the report’s key takeaways.