Threat Analysis Unit

2019: Looking Back at Ransomware

In security, 2016 was “The Year of Ransomware.” Since then, ransomware has only gotten more pervasive, costing billions in damages. In that vein, 2019 could have been referred to as “The Year of Ransoming Governments.” More than 70 state and local governments across the U.S. suffered ransomware attacks in 2019.

VMware Carbon Black has observed a rise not only in the number of ransomware variants but also in new ransomware behaviors witnessed on a recurring basis. The most common behaviors seen across all ransomware attack data—mapped to the MITRE ATT&CK™ Framework—were: Hidden Windows for Defense Evasion, Software Packing for Defense Evasion, Process Discovery, Registry Run Keys in the Startup Folder, and Standard Application Layer Protocol for Command and Control (C2). Notably, defense evasion behaviors continue to play a key role with ransomware. We saw that behavior in 95 percent of our analyzed samples.

Ransomware’s resurgence played out across the vertical landscape in 2019. Looking at the data, it’s hard to ignore the role geopolitical tension has played in this resurgence with the most targeted verticals of the year being: Energy / Utilities, Government, and Manufacturing.

The clear spike in both Energy / Utilities and Government suggests that as geopolitical tensions rise, so do attacks on these sectors, which often serve as critical infrastructure and provide critical services to massive portions of the population.

Ransomware continues to be used illicitly to gain cryptocurrency, which is being used by nation states to bypass sanctions. In September 2019, the U.S. Treasury Department stated that state-sponsored hacking groups from North Korea attacked critical infrastructure, drawing illicit funds that ultimately funded the country’s weapons and missile programs. These attacks remain generally low cost to perform with a high rate of return. In this cyber arms race, when nation states are involved, the evolution of malware speeds up. We should expect to see a continual arms race for extortion. For nation states, ransomware can be an effective tool to gain returns on an investment. And just like all other malware scoped as part of this research, ransomware is continually evolving. It is being used to gain a footprint onto a system. It is being used to create noise and distract defenders. Ransomware can and will continue to make a great ruse while more nefarious activity occurs.

Ransomware attacks will continue to be aimed at sectors which have historically struggled to defend their systems. Ransomware-as-a-service providers continue to gather data on verticals’ pay rates and how fast the victims paid. This data will be used not only to lower their cost of delivery and maximize profits but also to help target future attacks, such as access mining and crypto-jacking.

To learn about how malware changed the threat landscape in 2019, check out last week’s post, and be sure to come back next week when we’ll talk about how defenders can set themselves up for success.

To learn more about what security will look like in 2020, check out VMware Carbon Black’s 2020 Cybersecurity Outlook Report.