24 September 20, 09:49
Quote:
In Q2 2020, we saw the continued trend of ransomware groups exfiltrating data prior to encryption and using the stolen data as additional leverage to extort victims. Throughout the quarter, dozens of non-paying victims had their data published on leak sites or sold off to the highest bidder. There is now a greater than one in ten chance of data being stolen in a ransomware attack.
COVID-19 remained an influential force in the Q2 threat landscape and helped cement remote desktop protocol (RDP) as the attack vector of choice for ransomware operators. Many organizations evidently failed to securely implement RDP in their rush to roll out work from home arrangements, leaving RDP connections vulnerable to compromise.
Despite the promises made by some threat actors during Q1 to avoid targeting the healthcare sector, a number of healthcare organizations fell to ransomware in Q2. In the U.S. alone, at least 12 hospitals and other healthcare providers were impacted by ransomware this quarter, as discussed in our U.S.-specific ransomware report.
We also observed some rare cooperation between ransomware groups, with Maze teaming up with LockBit and Ragnar Locker to share intelligence and use of data leak platforms. Whether this was a one-off display of teamwork or the dawn of a new generation of cybercrime cartels remains to be seen.
The following statistics are based on ransomware submissions made to Emsisoft and ID Ransomware between April 1 and June 30, 2020. Created by Emsisoft Security Researcher Michael Gillespie, ID Ransomware is a service that enables organizations and individuals to identify which ransomware strain has encrypted their files.
Most commonly reported ransomware strains of Q2 2020
The following chart shows the 10 most commonly reported strains of Q2. A ransomware family known as STOP/Djvu was by far the most common strain, accounting for 71.7% of all submissions.
- STOP (Djvu): 71.70%
- Phobos: 8.90%
- Dharma (.cezar): 6.90%
- REvil / Sodinokibi: 3.20%
- Globeimposter 2.0: 2.00%
- Makop: 1.80%
- Paymen45: 1.60%
- LockBit: 1.40%
- GoGoogle: 1.30%
- Magniber: 1.10%
The following chart shows the 10 most commonly reported strains of Q2 with STOP submissions excluded.
...