Ransomware in 2020: A Banner Year for Extortion

From attacks on the UVM Health Network that delayed chemotherapy appointments, to ones on public schools that delayed students going back to the classroom, ransomware gangs disrupted organizations to an inordinate degree in 2020.

Remote learning platforms shut down. Hospital chemotherapy appointments cancelled. Ransomware dominated as a top threat vector in 2020. Couple that with the COVID-19 pandemic putting strains on the healthcare sector, and we witnessed ransomware exact a particularly cruel human toll as well. Attacks had an impact on nearly all sectors of the global economy – costing businesses $20 billion collectively and creating major cybersecurity headaches for others.

Below are the most impactful ransomware stories of 2020.

250K Databases For Sale: MySQL Ransomware Disaster

In December, researchers warned of an active ransomware campaign that plagued MySQL database servers. The ransomware, called PLEASE_READ_ME, not only breached at least 85,000 servers worldwide over the past year – but the attackers behind the malware gave the campaign a double-extortion twist, posting at least 250,000 stolen databases on a website for sale.

Garmin Haggles Over Evil Corp Ransom

In August, GPS and aviation tech specialist Garmin reportedly negotiated with Evil Corp for a decryption key to unlock its files in the wake of a WastedLocker ransomware attack. The attack, which occurred on July 23, knocked out Garmin’s fitness-tracker services, customer-support outlets and commercial aviation offerings such as flight-plan filing, account-syncing and database-concierge capabilities.

U.S. Gov Mulls Ransomware Sanctions, Restrictions – To Dismay of Some

Over the past year, U.S. local and federal governments have increasingly looked at regulatory efforts regarding ransomware payments. In January, New York State mulled banning municipalities from paying ransomware demands in the event of a cyberattack. Meanwhile, in October, the U.S. Department of the Treasury said that companies that facilitate ransomware payments to cyber-actors on behalf of victims may face sanctions for encouraging crime and future ransomware payment demands.

These efforts have generated mixed reviews from the security space: While the feds have always recommended not paying ransoms, in reality, the decision to pay up or not is an individual choice that has to be made given the context of any given situation, researchers argue.

IoT Chipmaker Reels From $14M Conti Ransom Demand

In November, chip manufacturer Advantech confirmed that it received a ransom note from a Conti ransomware operation on Nov. 26 demanding 750 Bitcoin, which translates into about $14 million, to decrypt compromised files and delete the data they stole. The scammers behind the attack published a list of files from a stolen .zip archive on their leak site. The ransom note claimed that the 3.03GB of data posted on the leak site accounted for about 2 percent of the total amount of data lifted from Advantech.

Ransomware Election Woes: Georgia Voter Database Hit

With the U.S. presidential election taking place in November 2020, the security space braced for an onslaught of cyberattacks targeting election infrastructure. In October, reports emerged of one of the first breaches of the voting season, on Hall County, Ga. The county’s database of voter signatures was impacted in the attack along with other government systems. Although the county said the voting process wasn’t impacted by the ransomware attack, the incident served as a warning to other municipalities to lock down their systems, particularly in these last days leading up to the election.

U.S. Pipeline Downed For Two Days

Operational Technology (OT) continued to worry security experts from a ransomware attack perspective in 2020. In February, feds warned that a ransomware attack hit a natural gas compression facility in the U.S.

The attack resulted in a two-day pipeline shutdown as the unnamed victim worked to bring systems back online from backups. The attackers were able to penetrate the IT portion of the facility’s network, and then move beyond that to eventually infiltrate the control and communication assets on the OT side of the house.

Double Extortion: A Growing Ransomware Threat

Cybercriminals this past year increasingly relied on a ransomware tactic called “double extortion,” where they inflict more pain on ransomware victims by threatening to leak compromised data, or use it in future spam attacks, if ransom demands aren’t met.

Double extortion was first used in late 2019 by Maze operators – but has been rapidly adopted over the past year by various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families, who have set up websites as a way to leak data when their ransom demands were not met.

Ransomware: The New “Snow Day”

Forget snow days – ransomware attacks are the new cause of schools being shut down for days in 2020, with a slew of cyberattacks plaguing back-to-school plans. In September, attacks in Hartford, Conn. and Clark County, Nev. forced public schools to postpone the first day of school, while an attack against the Newhall School District in Valencia closed down remote learning for 6,000 elementary school students. Also in September, personal data for students in the Clark County School District (which includes Las Vegas) reportedly turned up on an underground forum, after a ransomware attack linked to the Maze gang.

Ransomware Shakes Up TTPs During Strange Times

Overall, COVID-19 reshaped the ransomware landscape and how organizations were affected by ransomware. Cybercriminals, for their part, stepped up their game this past year, with ransomware attacks more than doubling year-over-year (up 109 percent). Many ransomware attacks utilized COVID-19 related lures in spear phishing attacks.

Hospitals Face Disruption, Appointment Reschedules

While ransomware gangs initially pledged not to hit hospitals during the COVID-19 pandemic, these promises turned out to be empty.

The UVM Health Network, Universal Health Services and University of California, San Francisco (UCSF) medical school were only a few medical entities to be hit by ransomware attacks in 2020.

The increase in attacks – and the consequential impact not just on patient data, but access to healthcare resources during a pandemic – caused U.S. feds to warn of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
