70% Ransomware Attacks Cause Data Exfiltration; Phishing Top Entry Point

February 03, 2021 - Ransomware threat actors are increasingly leveraging email phishing as the leading entry point in these destructive attacks, as Coveware analysis shows data exfiltration occurs in 70 percent of all ransomware attacks -- a 20 percent increase from Q3 to Q4 2020.

The report comes on the heels of Emsisoft research, which found 560 healthcare providers reported falling victim to ransomware in 2020.

“Amid the pandemic, cybercriminals now have limitless attack methods,” said Rick McElroy, Principal Cybersecurity Strategist at VMware Carbon Black, in a statement. “Whether it's using tried and true malware like EMOTET or using BitLocker to ransom systems, malicious actors continue to gain ground.

“The FBI, Department of Homeland Security, and other federal agencies have all issued warnings about the surge in cyberattacks against healthcare organizations,” he added.

Entry Points

Email phishing became the dominant attack vector for ransomware in Q4 2020, overtaking remote desktop protocol (RDP) compromises. It’s the first time RDP compromise was not the leading attack vector since Coveware began tracking these compromises.

READ MORE: US Fertility Sued Over Ransomware Attack, Health Data Exfiltration

The shift can be attributed to hackers leaning on Trickbot and Emotet, which favor phishing attacks as the primary delivery mechanism, according to Coveware. Both of these threats have worming capabilities, which enable attack proliferation across connected devices.

The use of these variants creates a foothold on victims’ networks, which are then sold to other attackers -- particularly those leveraging ransomware.

As a global collaboration recently took down Emotet, Coveware expects another shift in attack methods this year. RDP compromises continue to be commonly used in ransomware attacks, with network credentials sold on the dark web for just $50.

“The variants with the most market share also relied heavily on the fruits of email phishing campaigns,” Coveware researchers explained. “The affiliates that carry out these attacks generally don’t have a preference on the attack vector.”

"The only variable that matters is cost and quality of the network credentials that they are able to procure,” they added. “Even with the cost of RDP credential declining, threat actors still prefer to use network access originally sourced through email phishing campaigns.

READ MORE: Key 2021 Insights: Proactive Security Needed for Ransomware, Phishing

Coveware also noted that an increasing number of these attacks prey on small- to medium-sized entities. And mid-sized organizations are being more frequently targeted, as they are typically as easy to penetrate as smaller organizations but have a greater capacity to pay.

Data Extortion

In particular, VMware is increasingly seeing a rise in “secondary infections”: long-term cyberattack campaigns across the digital healthcare supply chain. These attacks are behind the surge in data extortion attempts and fuel the cybercrime market.

The findings correlate to Coveware’s quarterly ransomware analysis: More ransomware attackers are leveraging data exfiltration to increase the odds of a payout. 

But as trust erodes that the attackers will delete the data after a payment is made, fewer entities are paying extortion demands. As a result, ransom payments decreased 34 percent from $234,000 in Q3 to $154,108 in Q4.

Overall, 59.6 percent of extorted healthcare entities refused to pay the attackers in Q4, down from 74.8 percent during Q3.

READ MORE: FBI Warns Egregor Ransomware Actors Actively Extorting Entities

“Stemming the tide of cyber extortion will only happen if the industry is starved of its profitability. This trend was a distinct positive during Q4,” researchers wrote. “The dramatic reduction was attributed to more victims of data exfiltration attacks saying ‘enough’ and choosing not to pay.”

“With more companies falling victim, more are having the opportunity to constructively consider the trade offs, and are increasingly choosing not to pay,” they added. “Attacking the raw economics of the cyber extortion economy from multiple angles is the best way to retract the volume of attacks.”

The hope is that as the number of companies refusing to pay demands increases, there may be a material decrease in the number of attacks. Though the decline in payment amounts is vastly seen as a positive, profit margins are high for attackers. There's also a small risk of arrest.

Further, data shows that stolen data is not purged or deleted after a payment. There’s also been an increase in hacking groups forging data exfiltration, when the actors did not actually steal the data. Coveware stressed this highlights the need for entities to both thoroughly vet the threats and to not pay extortion demands.

Data Destruction

Another disturbing ransomware demand trend emerged in Q4: a number of victims reported hackers irreversibly destroyed data, in addition to the previous destruction of backups or encryption of critical systems.

Multiple entities reported entire clusters of servers or data were permanently wiped, with no recourse for recovery -- even when the decryption key was provided.

“Ransomware actors are typically attentive when it comes to deleting data, as they know victims are only incentivized to pay for a tool if the data is still there, and merely encrypted,” COveware researchers wrote. “

"The uptick in haphazard data destruction has led some victims to suffer significant data loss and extended business interruption as they struggle to rebuild systems from scratch,” they added. “It remains unclear whether these events have been outliers or a symptom of less experienced bad actors handling the attack execution.”