Analysis from NCC Group’s Research Intelligence and Fusion Team (RIFT) has highlighted the growing threat of ransomware around the world.
The number of ransomware attacks analysed by the team has increased by 288% between January-March 2021 and April-June 2021, with organizations continuing to face waves of digital extortion in the form of targeted ransomware.
22% of the ransomware data leaks analysed between April and June were attributed to Conti ransomware, whose operators typically gain initial access through email phishing and then use the compromised employee's device to remote into the victim's network. Conti was closely followed by Avaddon ransomware, which was linked to 17% of ransomware data leaks.
While Avaddon's victims have faced data encryption, the threat of data leaks and the wider risk of DDoS attacks disrupting operations, the strain is now believed to be inactive.
One significant trend identified is that ransomware gangs now routinely threaten to leak the sensitive data they have stolen if a victim refuses to pay, using the prospect of reputational damage as leverage in addition to the encryption itself. This combination of encryption and a leak threat, applied to force a payout, is known as “double extortion” and is an increasingly common tactic among threat actors.
Ransomware attacks by location in H1 2021
This issue is affecting organizations around the world: of the victims with known locations between April and June, 49% were based in the United States, followed by 7% in France and 4% in Germany. One notable example is the Colonial Pipeline ransomware attack in May, carried out by an affiliate of the DarkSide ransomware-as-a-service operation. The attack led the company to shut down its pipeline as a precaution, causing fuel shortages in the eastern United States.
Christo Butcher, global lead for threat intelligence at NCC Group, said: “Over the years, ransomware has become a significant threat to organizations and governments alike. We’ve seen targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model.
“It’s therefore crucial for organizations to be proactive about their resilience. This should include proactive remediation of security issues, and operating a least-privilege model, which means that if a user’s account is compromised, the attacker will only be able to access and/or destroy a limited amount of information.”