Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Mark of Ransomware's Success: $370 Million in 2020 Profits

Proceeds Boosted via Big Game Hunting, Data Leaking, Hitting Healthcare Sector
Mark of Ransomware's Success: $370 Million in 2020 Profits
Fresh affiliate programs helped ransomware-as-a-service operators achieve record profits in 2020. (Source: Group-IB)

Ransomware dominated the online-enabled crime landscape in 2020, some security experts say, thanks to the massive profits it's been generating and the relative ease of use for attackers - including support from a burgeoning cybercrime-as-a-service market.

See Also: The Cost of Underpreparedness to Your Business

Blockchain analysis firm Chainalysis this week reported that it's found just under $370 million in known 2020 ransomware profits - via ransoms that got paid - which represents a 336% increase over known 2019 earnings. The firm continues to update those estimates as it identifies previously unknown cryptocurrency wallets tied to gangs.

IBM Security X-Force, in its latest Threat Intelligence Index, says that of the incidents it investigated in 2020, 23% could be attributed to ransomware, up from 20% in 2019. The most-seen strains tied to attacks that it saw were Sodinokibi/REvil (in 22% of ransomware incidents), Nefilim (11%), RagnarLocker (7%), NetWalker (7%), Maze (7%), Ryuk (7%) and Ekans (4%). Maze announced its retirement last November, while the NetWalker gang was disrupted by law enforcement operations in January.

Numerous other ransomware operations are also at work. "There were 127 new ransomware families discovered in 2020, a 34% increase from the 95 found in 2019," security firm Trend Micro reports.

Cybersecurity firm Group-IB says that based on 500 attacks it investigated or closely tracked last year, it estimates that "the number of ransomware attacks grew by more than 150% in 2020." On average, it says, a ransomware attack caused 18 days of downtime at an affected organization, and that when victims paid a ransom, they tended to pay twice as much in 2020 as in 2019.

Extortionists Focus on Government and Healthcare

Many ransomware gangs' target selection evolved last year. "Ransomware operators ramped up attacks on critical industries such as government and healthcare, perhaps because of how important they were in dealing with the COVID-19 pandemic," security firm Trend Micro reports. The manufacturing and banking sectors were also among the most targeted, it says.

The 10 industries most targeted by ransomware attackers in 2020, based on count of organizations targeted (Source: Trend Micro)

Despite some gangs pledging to avoid healthcare organizations during the ongoing COVID-19 pandemic, cybersecurity firm CrowdStrike says in its latest Global Threat Report that it identified 18 ransomware operations that "infected 104 healthcare organizations in 2020," with Maze and Conti being the most commonly seen strains tied to such attacks.

Healthcare Victims by Ransomware Family

Confirmed healthcare sector victim count by ransomware family in 2020 (Source: CrowdStrike)

Profits Make Ransomware More Popular

The profit potential offered by ransomware continued to draw new participants. "There was a sharp increase in the number of ransomware actors in 2020, following a trend already established in 2019," consultancy PwC reports.

Many criminals operating online previously used banking Trojans. But ransomware offers an easier path to profits, PwC says, and this helps explain its uptake.

"Successful online banking attacks rely on complex money laundering operations to receive stolen funds and transfer the proceeds to bank accounts under criminal control," PwC says. "The specialist criminals who provide money laundering services demand high commissions, whereas ransom payments are usually paid directly to cryptocurrency wallets already controlled by the attackers. As a consequence, ransomware operations are almost certainly more profitable than online banking attacks."

The profits can be substantial. Last October, the operators of Sodinokibi - aka REvil - claimed in a Russian-language social media channel interview to have earned $12 million in 12 months. The Maze gang's retirement in November 2020 was likely a testament to the fact that members had earned so much money that they could move on, says Mikko Hyppöonen, chief research officer of F-Secure. In January 2021, two researchers traced bitcoins tied to the Ryuk operation and found at least $150 million in profits to date.

Source: Group-IB

Experts say the adoption of data leaking sites - as well as charging for promises to delete stolen data - fueled a surge both in the number of victims willing to pay and in their willingness to pay higher amounts.

Average ransom amounts rose steadily over the course of 2020, although they tapered off a bit in Q4, according to ransomware incident response firm Coveware.

Average and median ransom payments made by victims based on thousands of cases investigated per quarter by Coveware

But comparing 2020 to 2019, "the average ransom demand increased by more than twofold and amounted to $170,000 in 2020," Group-IB says, although some groups regularly demanded seven-figure sums. "Maze, DoppelPaymer and RagnarLocker were the greediest groups, with their ransom demands averaging between $1 million and $2 million" last year.

Chainalysis this week reported that the recent law enforcement takedown of the NetWalker ransomware gang identified 1,230 previously unknown cryptocurrency wallet addresses tied to the gang, which had received about $21 million in ransom payments from victims. Those new findings take its assessment of total 2020 ransomware profits, as noted above, to nearly $370 million.

Bigger Targets Mean Larger Profits

Keys to ransomware gangs' increasing profits included the rise of big game hunting - taking down larger targets in pursuit of bigger ransoms. The most sophisticated attack groups also bring a number of tactics, techniques and procedures, or TTPs, to bear on targets to increase their chances of success.

To gain access, many attackers - including big game hunting operations - rely on initial access brokers, who compromise networks and sell them access to others in the cybercrime ecosystem.

"When criminal malware operators purchase access, it eliminates the need to spend time identifying targets and gaining access, allowing for increased and quicker deployments as well as higher potential for monetization," CrowdStrike notes.

On average, attackers spend 13 days inside a victim's network before crypto-locking systems, Group-IB says.

Source: Group-IB (click to expand)

Attackers' first priority after gaining remote access to a victim's network is to complicate any attempts to restore encrypted systems. "They penetrate the backups first to prevent resurrection," says Tom Kellermann, head of cybersecurity strategy at VMware (see: Ransomware: Beware of 13 Tactics, Tools and Procedures).

Affiliate-Based Approach Surges

Group-IB says 64% of all ransomware attacks it saw in 2020 came from ransomware-as-a-service operations, which use an affiliate-based model. RaaS operators provide versions of their ransomware - often frequently updated - to affiliates as a service. Those affiliates then infect victims' devices. For every victim who pays a ransom, the affiliate and operator share profits.

BlackBerry, in its latest annual threat report, notes that compared to purchasing off-the-shelf malware via a cybercrime forum, the RaaS model includes "vendor support and better results for the cybercriminal due to frequent updates by the RaaS distributor." While service models can carry higher costs for affiliates, "the higher cost is passed on to the victims, as evidenced by the increase in average ransom demands."

Running total of organizations with data leaked via ransomware gangs' data leak sites (Source: PwC)

Another profit booster has been the data exfiltration tactic pioneered by the Maze gang in November 2019, which began stealing data before locking systems and threatening to leak it. Now, more than 20 gangs run data leak sites, where they can name and shame victims and publish extracts of stolen data to pressure them into paying.

The Outlook

What's in store for this year? Simply put, ransomware-wielding attackers show no sign of stopping.

"Bitcoin hitting new price highs in January may signal an upcoming increase in ransomware ... attacks," BlackBerry says. That's because as long as criminals can successfully extort victims for cryptocurrency, they seem unlikely to discontinue their viable - albeit illicit - business model for generating massive profits.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.