RaaS gains notoriety as ransomware attacks shoot up 120% in 2020

Ransomware attacks have spiked 120% between January and November this year, affecting enterprises across sectors such as high-tech manufacturing, communications and media, natural resources, and healthcare, according to Singapore based predictive cyber threat visibility and intelligence analytics firm Cyfirma.

In its latest report -- Top ransomware groups and their exploits -- Cyfirma said the average demand in a ransomware attack was $80,000 and against 3% prior to the Covid-19 pandemic, 32% of enterprises attacked have succumbed and paid ransomware.

“Industries where it is process-driven have been attractive targets as a break in the supply chain and ecosystem would cause significant disruption and financial damage,” the report noted. 

Read: Lucideus launches tool to help users assess personal cybersecurity risks

With the increase in attacks, collaboration models such as ransomware-as-a-service (RaaS) have gained popularity along with availability of ransomware for lease, backed by intuitive online dashboards and support. Such services are usually exploited by less technology savvy hackers, the report said. 

RaaS, Cyfirma said, was started by hacker organisation Maze and has subsequently become adopted by other ransomware hacker groups such as Revil, NetWalker and lockbit. 

The report also pointed to new methods such as leave-behind code, also known as ‘leave a mole’, where remnants of malware codes would remain in the infected systems and these codes would be re-triggered at a later time to reinfect.

Also read: Ransomware attacks in India double in June quarter: Seqrite

The hacker network goes further to track how companies take steps to shut down the network, how they recover and rebuild their systems. 

“With this knowledge, hackers can proceed to adjust their ransom demands in order to extract maximum financial gain,” the report said. 

Hackers have also amassed the capability to collect assets, network topology, traffic patterns, individual profiles and contact details which are then relayed back to the command and control servers of the hackers, Cyfirma said.