LAS VEGAS — As cybercriminals continue to chase the most lucrative attack vectors they can find, ransomware attacks are migrating from consumer targets to organizations, businesses, municipalities and beyond. For the first time, consumer detections have fallen below organizational infections, as of the second quarter of the year.
That’s according to Malwarebytes’ Black Hat 2019 edition of its quarterly threat report, which determined that overall ransomware detections against businesses in the second quarter rose by a whopping 363 percent year-over-year. Meanwhile, consumer detections of ransomware have been on the decline, decreasing by 12 percent year-over-year and 25 percent quarter-over-quarter.
The report also expects ransomware to grow in sophistication: blended attacks with worm-like functionality, and more attacks paired with other malware families, are expected to dominate the second half of 2019.
“This year we have noticed ransomware making more headlines than ever before as a resurgence in ransomware turned its sights to large, ill-prepared public and private organizations with easy-to-exploit vulnerabilities such as cities, non-profits and educational institutions,” said Adam Kujawa, director of Malwarebytes Labs, in the report published on Thursday at Black Hat 2019. “Our critical infrastructure needs to adapt and arm themselves against these threats as they continue to be targets of cybercriminals, causing great distress to all the people who depend on public services and trust these entities to protect their personal information.”
The findings dovetail with another report released at Black Hat, from Vectra, which also noted the shift away from consumer targets. It highlighted the tactics of the Ryuk ransomware strain, which sets the ransom according to the victim’s perceived ability to pay. First seen in August 2018, Ryuk has targeted more than 100 U.S. and international businesses, including cloud service providers like DataResolution.net, according to Vectra.
“Ransomware is a fast-and-easy attack with a bigger payout than stealing and selling credit cards or personally identifiable information (PII), both of which have perishable values as time passes after their theft,” said Chris Morales, head of security analytics at Vectra, via email. “Factor in cryptocurrency as the ransom payment – an anonymous, hard-to-trace currency – and it’s easy to see why cybercriminals like ransomware’s clean, no-fuss business model. Today’s targeted ransomware attacks are an efficient, premeditated criminal threat with a rapid close and no middleman.”
Municipalities, educational institutions and healthcare organizations have become prime targets, likely because of legacy infrastructure, outdated hardware and software applications, and lack of security funding in these sectors, according to the Malwarebytes report. There’s also a lack of human resources.
“Fifty-three percent of organizations say they have a ‘problematic shortage’ of cybersecurity skills today and the ramifications of it are very evident with fast-moving ransomware attacks,” said industry analyst John Oltsik of Enterprise Strategy Group, via email. “The industry simply doesn’t have enough trained security folks scanning systems, threat hunting or responding to incidents.”
The findings also highlighted that the top ransomware families overall include GandCrab, Ryuk, Troldesh, Rapid and Locky. Business detections rose steadily across ransomware families, particularly Ryuk and Phobos: Ryuk detections increased by 88 percent over the previous quarter, while Phobos exploded by 940 percent from Q1 2019.
The rise and alleged retirement of GandCrab has led to the emergence of Sodinokibi ransomware, another ransomware-as-a-service (RaaS) using similar technical components.
In terms of geography, the U.S. leads with 53 percent of detections, followed by Canada at 10 percent and the United Kingdom at 9 percent.
Black Hat USA 2019 has kicked off this week in Las Vegas.