Rising Trends in Ransomware and Data in the Dark Web

Posted on October 18, 2020 by Noa Hassidim


Our dark web data coverage here at Webhose reflects the growing trend we’ve seen in mainstream media – a significant increase of ransomware attacks hitting universities, municipalities, and businesses across the United States. The cost in responding to these attacks has already reached a total of $144 million as of June this year. 

Experts predict that ransomware attacks will only increase and by 2021, a business will be attacked by ransomware every 11 seconds. Global financial damage from these attacks is estimated to reach $20 billion by 2021.

We would like to explain the history behind these trends and examine a few examples of how they are reflected in our dark web data coverage.

A Brief Definition of Ransomware 

Before we continue, however, let’s first take a step back. What exactly is ransomware, and why is it one of the leading cyber threats to organizations at the present time?  

Ransomware is a type of malicious software that is particularly crippling to organizations. It encrypts the data on a computer or device and only allows that data to be decrypted in exchange for an exorbitant fee. Ransomware can easily infiltrate an organization through deceptive links in an email message, instant message, or website.

There are generally two main types of ransomware that attack these organizations:

  • Crypto  – Files are encrypted and cannot be decrypted without access to a key only the attacker has. To obtain the key, the victim must pay a ransom. 
  • Locker – A device is locked and inaccessible to the victim. To unlock the device, the victim must pay a ransom. 

The Latest Trends in Ransomware in 2020 

A few different factors have contributed to the recent rise in ransomware attacks reported in the mainstream media. First, ransomware groups initially focused on large enterprises, assuming they would have the money to pay the ransom. These large enterprises, however, also have the resources for extensive cybersecurity. As a result, ransomware groups have shifted their focus to healthcare, small and medium-sized businesses, and state and municipal governments. These organizations are attractive targets because they are often easier to breach, typically having only a minimal budget allocated to cybersecurity.

Second, the COVID-19 pandemic, with the lack of cybersecurity measures taken by millions of people working at home, has contributed to an increase in these and other types of cyberattacks. 

Finally, one of the most recent trends among ransomware groups is the creation of public websites, usually TOR-based, that share data or information about the most recently attacked companies and organizations. Here at Webhose, we keep track of the latest ransomware websites and continually add their data to our dark web coverage.

Webhose Adds Public Websites of Active Ransomware Groups to its Data

We’ve seen a significant rise in the number of mentions of different ransomware groups in news, blogs, and discussions from our Open Web endpoint, which lets us visualize the trending ransomware attack phenomenon by counting mentions across different sites.

The steep increases might indicate more reports about recent attacks by those ransomware groups:

Figure: Mentions of different ransomware groups in the News, Blogs and Discussions in the Open Web endpoint

For instance, we’re able to see mentions from the end of September about a Ryuk ransomware attack on Universal Health Services (UHS) hospitals. 
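As an added illustration of the mention-trend analysis described above (example code written for this article, not Webhose’s own tooling or API), the script below counts how many articles mention each ransomware group per month and flags months where mentions jump sharply. The records, their field names (title, text, published) and the group list are constructed assumptions.

```python
"""Count per-month mentions of ransomware group names in article records
and flag steep month-over-month increases (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime

GROUPS = ["NetWalker", "Maze", "DoppelPaymer", "REvil", "Ryuk"]

# Word-boundary, case-insensitive patterns: "amazed" must not count as a
# Maze mention, while "Netwalker" and "NetWalker" should both match.
PATTERNS = {g: re.compile(r"\b" + re.escape(g) + r"\b", re.IGNORECASE)
            for g in GROUPS}

# Constructed sample records (assumed schema: title, text, published in UTC).
RECORDS = [
    {"title": "Maze publishes new victim data", "published": "2020-08-03T09:00:00Z",
     "text": "The Maze ransomware group uploaded files from a new victim."},
    {"title": "Leak site review", "published": "2020-08-20T12:30:00Z",
     "text": "Amazed analysts reviewed a DoppelPaymer leak site listing."},
    {"title": "Maze and NetWalker claim new victims", "published": "2020-09-10T08:15:00Z",
     "text": "Both groups posted proof of stolen data this week."},
    {"title": "Netwalker attack on a university", "published": "2020-09-15T17:45:00Z",
     "text": "The university confirmed the intrusion."},
    {"title": "Ryuk hits UHS hospitals", "published": "2020-09-28T10:00:00Z",
     "text": "Ryuk ransomware disrupted hospital systems nationwide."},
    {"title": "UHS outage attributed to Ryuk", "published": "2020-09-29T11:20:00Z",
     "text": "Recovery efforts continue."},
    {"title": "Maze sets uniform ransom deadline", "published": "2020-09-30T14:00:00Z",
     "text": "The group announced the change on its website."},
]


def monthly_mentions(records):
    """Return {group: {"YYYY-MM": article_count}}; an article counts once per group."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        month = datetime.strptime(rec["published"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")
        blob = rec["title"] + " " + rec["text"]
        for group, pat in PATTERNS.items():
            if pat.search(blob):
                counts[group][month] += 1
    return {g: dict(m) for g, m in counts.items()}


def steep_increases(monthly, factor=2.0):
    """Return (group, month) pairs whose count is >= factor x the preceding
    observed month; months with no articles at all are simply skipped."""
    flagged = []
    for group, by_month in monthly.items():
        months = sorted(by_month)
        for prev, cur in zip(months, months[1:]):
            if by_month[prev] > 0 and by_month[cur] >= factor * by_month[prev]:
                flagged.append((group, cur))
    return flagged


if __name__ == "__main__":
    trend = monthly_mentions(RECORDS)
    print(trend)
    print("steep increases:", steep_increases(trend))
```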

Another way we know ransomware is on the rise is that we have suddenly seen a rise in the number of affiliate programs offering RaaS (Ransomware as a Service). Affiliate programs offer a way for individuals outside of the ransomware group to profit from the operation. 

Here are a few examples of affiliate programs we found for different ransomware groups: 

  • Suncrypt – From our research in hacking forums such as XSS and Exploit, the Suncrypt ransomware affiliate program started in August 2020. According to their message, they’re currently looking for 5 new team members before they go underground again. Only three days after the first post, the representative actor advertised that only two seats were left.
Figure: Post about Suncrypt affiliate program from the Exploit Forum in our Cyber endpoint
  • Avaddon – This affiliate program began in June 2020. From the first post in the thread we start to see some of the ransomware’s abilities: it can encrypt files in a multi-threaded mode on all hard / removable / network / other drives, as well as encrypting newly detected files on the attacked machine. The group has been recruiting members for the past few months.
Figure: Post about Avaddon affiliate program from the Exploit Forum in our Cyber endpoint (Translation of title: [Partnership Program] Avaddon Ransomware)

We will now elaborate on a few high-profile ransomware groups with public websites that have been trending this year and that we have been crawling.

NetWalker

Discovered as early as August 2019, NetWalker ransomware was initially named Mailto because of the extension it added to encrypted files. NetWalker ransomware is especially damaging because it compromises a Microsoft-based network and encrypts all Windows devices connected to it.

We have seen an upward trend in NetWalker attacks on universities, healthcare, and governmental organizations since the coronavirus pandemic hit. According to McAfee, NetWalker attacks have earned more than $25 million in ransom payments since March this year. This figure makes the group one of the most successful ransomware gangs known today.

One of the more scandalous NetWalker attacks occurred in June at the University of California San Francisco, which paid $1.14 million in ransom to regain access to its School of Medicine servers. Incredibly, this was shortly after the Illinois Public Health provider website was also attacked. The good news: thanks to cloud backups, they were not affected by the attack and continued on as normal.

Here is an example of a victim’s data on the NetWalker site before it is released.

Figure: An example of a victim’s unreleased information

Here is what it looks like after the data is released, with a link to and a password for the victim’s data.

Figure: Example of a link and a password to one victim’s full data obtained during the attack
Figure: Mentions of NetWalker in the Cyber endpoint over the past year

Maze Ransomware 

Sophisticated yet widespread, Maze ransomware has stepped into the spotlight recently, attacking organizations around the world, demanding cryptocurrency payment in exchange for the safe recovery of encrypted data. 

The attackers use a variety of different techniques to compromise your network. This can include exploitation of known vulnerabilities that have not been patched, remote desktop connections with weak passwords, malicious email attachments, and/or links.

Since 2019, Maze has announced the names of organizations it has attacked. It then uploads the stolen data to its website after the victim refuses or is unable to pay the ransom.

Recently, however, the group decided to take it one step further. 

Here is an announcement from the Maze website from our Cyber endpoint from July 2020 where the group states they have a new, uniform deadline for a ransom payment.

Figure: Maze announcement of a uniform ransom-payment deadline (Source: Maze official website)

Here is an example of the type of data of different companies that the group is able to obtain and upload to their website. 

Figure: Fully dumped information of one of the attacked companies
Figure: New victim’s partially obtained data published

Once Maze’s website became public, Webhose quickly added it to its data collection, ensuring the most up-to-the-minute data breach coverage for its customers. After discovering the scope of this trend, Webhose also tracked similar ransomware groups that publicly published the names of organizations they had attacked and added them to its coverage.

Figure: Maze ransomware mentions from the past year in the Cyber endpoint

DoppelPaymer

DoppelPaymer is one of the ransomware groups whose prominence has risen significantly since May 2020, taking advantage of the current COVID-19 situation.

The group is known for attacking Digital Management Inc., a Maryland-based company providing managed IT and cybersecurity services on demand and a NASA partner.

On the group’s website, you can find proof of attacked companies and full leaked data obtained from these victims. You can also find a list of attacked machines for every logged incident.

Figure: Mentions of DoppelPaymer ransomware in the Cyber endpoint in the past year

REvil

A ransomware strain that appeared in April 2019, REvil or Sodin (short for Sodinokibi ransomware) quickly became the fourth most distributed ransomware in the world. This particular ransomware usually infects computers via infected email attachments, torrent websites, or malicious ads. It generally demands a ransom of anywhere between $500 and $2500 per attack.

The interesting thing about REvil is its website. Alongside the usual section sharing information about the group’s victims, the stolen data is also auctioned off. After registering, a user can place a bid on the stolen data the group sells.


One of the group’s known operations is the attack on Grubman Shire Meiselas & Sacks, a high-profile entertainment law firm that represents celebrities such as Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen, Mariah Carey, and Mary J. Blige. The data obtained from this attack was offered for auction on the group’s official website.

In some cases, it seems that stolen data will also be made publicly available if the auction does not go through.


The Role of Dark Web Data in Mitigating Against Ransomware Attacks

Today, both enterprise and small and medium-level businesses alike recognize how crucial it is to defend themselves against ransomware. Since attacks have also expanded from businesses to municipalities and the health care sector, dark web monitoring has become an essential part of this defense. At Webhose we firmly believe that digital risk and threat analysis in any industry is only as good as your data – in particular your dark web data. That’s why our mission remains the same as always: Delivering our customers the freshest and most recent data from a wide variety of dark web networks, marketplaces, forums, and chat applications at all times so you can stay on top of the latest ransomware threats to your business.

Want to learn more about dark web data and mitigating digital risk? Schedule a call with our data experts today!