The rise of ransomware 2.0

2020 has seen a rise in the number of ransomware attacks, from infostealers, PDF attachments, and Excel formulas. What are some of the trends businesses should be aware of?


Ransomware is not a new trend and is certainly not one unknown to businesses. 2020 has seen attackers take full advantage of the chaos of COVID-19, with an explosive evolution of online extortion. Last year, nearly 40% of new ransomware families that were discovered used both data encryption and data theft in their attacks.

A recent report by F-Secure examines the rise of data-stealing ransomware attacks, where criminals are extorting organisations by threatening to leak stolen data if they don’t pay. A crude method, but one that’s effective.

With the pandemic forcing enterprises to shift to a distributed workforce and a wider network, one would think it is a golden opportunity for attackers to target credentials and unprotected endpoints. But we are also seeing a disturbing focus on health data, with a large number of cyber-attacks on hospitals and medical research units.

So, are there any more ransomware surprises businesses should be aware of?

2020 ransomware trends

Calvin Gan, Senior manager with F-Secure’s Tactical Defense Unit explains how ransomware trends work: “If you know fashion, it’s about making a statement. Create something bold enough and people will follow suit. Fashion is also cyclical, so what is a trend today may not be a trend tomorrow. It is the same with cyber threats… Yes, ransomware has been around for many years, but the tactics have constantly evolved, similar to fashion.”

He goes on to explain that it was one ransomware group that was bold enough to start the double extortion trend--stealing data before encrypting--and other groups followed suit when they saw how effective it is.

In F-Secure’s report, the top malware threats by type were infostealers, Remote Access Trojans (RAT), and Trojans, accounting for 33%, 32% and 17% of attacks, respectively.

The two most prevalent infostealers were Lokibot and Formbook. These are programs that steal sensitive and confidential information from an infected system. Lokibeat includes a keylogger component that steals credentials from browsers, file sharing programs and mail clients. Whereas Formbook, as its name suggests, has formgrabbing capabilities and is commonly a malware-as-a-service.

Once infostealers gain access to the credentials, they pass them on to ransomware groups, who then target the appropriate individuals or organisations for payments.

Supply chains

The next significant trend is an increase in attacks on supply chains. The biggest one that comes to mind is the SolarWinds supply chain attack from last year. Roughly 18,000 enterprises installed a corrupted software update from the vendor, affecting several high-profile companies and government organisations.

In 2020, the most common type of software/services that were attacked in the supply chain were utility software (32%) and application software (24%). These are usually text editors, file managers, and also BitTorrent clients. Attackers can also take advantage of opensource codes, by modifying code repositories, which affect businesses.

Email malware

Next on this ransomware list is email malware. Email was used for over half of all malware infection attempts in 2020, delivering 52% of malicious payloads, and is considered the most common method of spreading malware in cyber-attacks. 

More interestingly, the method that’s used to spread the malware is through attachments, with roughly one out of three spam emails containing an attachment, while the rest had malicious URLs. Which attachments should people be most weary of? The answer is PDFs, making 32% of the attachment attacks in the last six months.

It makes sense, considering the popularity of the file type. With most of the world working remotely, PDFs are fairly easy to share across different platforms and devices. And where some people are weary of links, a PDF is the perfect bait that many would still click to check.

“All of us are gullible in some way and this is where threat actors exploit to their benefit. Phishing is so effective because the content is something that triggers our emotion to act for fear of missing out (FOMO). If only we could pick up the habit of pondering over an email before acting on it, we could perhaps lower the success rate of a phishing attack,” said Gan. “It is important for us users to realize that phishers can easily send waves of phishing emails at any time and it only takes one victim to fall for the trick.”

Legacy vulnerability and smarter security

It is also no surprise that attackers are waiting to take advantage of the vulnerabilities in legacy systems and software’s. IT departments face a significant challenge in keeping legacy infrastructure secure. And this is proven by the fact that 61% of all issues found in corporate networks were at least five years old, from on or before 2015. Security is an ongoing and continuous process that should tackle the prevalence of old, unpatched vulnerabilities.

So, it raises the question about how businesses and IT teams can better defend themselves against ransomware attacks? And what kind of security measures do they need to put in place?

“In security, we place a lot of emphasis on organisations protecting themselves by having strong security perimeters, detection mechanisms to quickly identify breaches, and response plans and capabilities to contain intrusions. However, entities across industries and borders also need to work together to tackle security challenges further up the supply chain. Advanced persistent threat groups are clearly ready and willing to compromise hundreds of organisations through this approach, and we should work together to counter them,” comments Gan.

The best advice? Vigilance.

Gan explains: “You will never know when your organization will be targeted next. So why not operate at the assumption that you will be breached? It is just a matter of when.”

Critical and sensitive data should be encrypted, so accessing them is harder. If a file is no longer needed, it should be uninstalled, internet-based services should be disabled when not in use, and only authorised users should be able to access certain types of files. And yes, while backups are also a good method, they also have to be smarter and better secured - new backups should be detached from the network as soon as possible. And with supply chains, it might be a good idea to treat providers like as of the in-house operation - they should be included in routine audits and security tests.

Ransomware attacks are opportunistic in nature, they take advantage of old vulnerabilities and people’s carelessness. Security teams must be proactive in nature to counterattack these potential breaches.