The Westport, Connecticut-based cybersecurity consulting firm Coveware has just released a report that confirms the very worst: ransomware attacks are intensifying across all U.S. industries, including healthcare. Indeed, the firm estimates that, in the first quarter of 2021, 11.6 percent of ransomware attacks hit healthcare, putting the healthcare industry in a tie for second place, together with the public sector, and behind professional services at 24.9 percent, but far ahead of such industries as transportation (4.9 percent), real estate (3.6 percent), utilities (3.1 percent), and retailing (2.7 percent). What’s more, the average ransom paid to hackers in the first quarter of 2021 was $220,298, up fully 43 percent from the fourth quarter of 2020. Entitled “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” the report was published on Coveware’s website on April 26.
The report begins thus: “The Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q1 of 2021. Data exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast majority of ransomware attacks now include the theft of corporate data. Q1 saw a reversal of average and median ransom amounts. The averages in Q1 were pulled up by a raft of data exfiltration attacks by one specific threat actor group that opportunistically leveraged a unique vulnerability.”
Indeed, the report noted that “The average ransom payment increased 43 percent to $220,298 from $154,108 in Q4 of 2020. The median payment in Q1 also increased to $78,398 from $49,450, a 58 percent increase. Averages and median were pulled higher by a small number of threat actor groups, most specifically CloP, that were extremely active during Q1 and impacted large victims with very high ransom demands. As the data exfiltration tactic has proliferated, the risk / reward characteristics of paying to suppress a leak has not changed. We first noted this trend in our Q3 report; victims of data exfiltration extortion have very little to gain by paying a cyber criminal, and despite the increase in demands, and higher prevalence of data theft, we are encouraged that a growing number of victims are not paying. Over hundreds of cases, we have yet to encounter an example where paying a cyber criminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage. On the contrary, paying creates a false sense of security, unintended consequences and future liabilities. Coveware’s position remains unchanged and we advise victims of data exfiltration extortion to assume the following:
• The data will not be credibly destroyed. Victims should assume it will be traded to other threat actors, sold, misplaced, or held for a second/future extortion attempt.
• Exfiltrated data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future.
• The data may be deliberately or mistakenly published before a victim can even respond to an extortion attempt.
• Complete records of what was taken may not be delivered by the threat actor, even if they explicitly promise to provide such artifacts after payment.”
In fact, the report noted, “The percentage of ransomware attacks that included a threat to release stolen data increased from 70 percent in Q4, to 77% in Q1. The majority of ransomware attacks that involve data exfiltration have two main goals: 1) exfiltrate corporate data from the most convenient file server; 2) escalate privileges and deploy ransomware on as many endpoints as possible. Most RaaS [ransomware as a service] affiliates purchase network access and use stolen data solely as additional leverage against the victim. This means that despite the threats, threat actors rarely take the time to steal data that any other criminals or interested parties would want to purchase. The stolen data is just proof that the attack occurred and sometimes creates legal obligations for the victim.”
(As a Jan. 28 post on the website of the Sunnyvale, Calif.-based Crowdstrike explains, “Ransomware as a Service (RaaS) is a business model used by ransomware developers, in which they lease ransomware variants in the same way that legitimate software developers lease SaaS products. RaaS gives everyone, even people without much technical knowledge, the ability to launch ransomware attacks just by signing up for a service. RaaS kits allow malicious actors lacking the skill or time to develop their own ransomware variants to be up and running quickly and affordably. They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate SaaS providers. The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in Q3 2020 was $234,000 (and trending upward). A threat actor doesn’t need every attack to be successful in order to become rich.”)
And, very worryingly, the report noted that “During Q1, the cyber extortion economic supply chain demonstrated how a vulnerability in widely used VPN appliances can be identified, exploited and monetized by ransomware affiliates. It is rare to see software vulnerabilities directly leveraged by affiliates of RaaS groups, but when specialists broadly market the results of their illicit skills then the costs of carrying out an attack decline and lower the barriers to entry for new cyber criminals. The continued evolution and specialization of the ransomware supply chain is a worrisome trend.” The report continued: “Lower overall operating costs drop the barrier to entry AND boost the profitability of attacks. Until the unit economics of ransomware attacks becomes less profitable, we should expect the volume of attacks to continue to increase. Even more worrisome is the maturity and progression of the supply chain within the cyber extortion economy. The infrastructure that is being created to run this economy will be difficult to unwind. The more mature the supply chain is allowed to become, the harder it will be to dismantle.”