77% of Ransomware Spurs Data Extortion, Driven by Accellion Hack

April 27, 2021 - Driven by Clop actors and the Accellion File Transfer Appliance (FTA) hack, exfiltration and extortion attempts are now occurring in the vast majority of ransomware attacks, increasing from 70 percent in Q4 2020 to 77 percent during the last quarter, according to Coveware data.

Professional services was the most targeted sector, accounting for 24.9 percent of all ransomware attacks during Q1, followed by healthcare and the public sectors with 11.6 percent each.

Meanwhile, Emsisoft released ransomware cost estimates for 2021, so far, and found the average ransomware demand increased by more than 80 percent over the last year. About 27 percent of affected entities pay the ransom demand, with a $274,200 average price tag for downtime.

Coveware data showed the average ransom payment rose 43 percent from Q4 2020 and Q1 2021, from $154,108 to $220,298. The median payment during the first quarter also increased by 58 percent, from $49,450 to $78,398.

Those increases were likely caused by a small number of hacking groups, particularly Clop, which has been extremely active this year with significantly larger ransom demands against bigger enterprise organizations.

READ MORE: DNS Flaws in Millions of IoT Devices Pose Remote Attack, Exfiltration Risk

The Clop ransomware hacking group exploited Accellion’s FTA in late December, the extent of which continued throughout Q1 2021. The actors exploited two zero day flaws that allowed for remote code execution against unpatched systems.

“The Clop group may have purchased the exploit used in the initial stages of the attack, so as to have exclusive use,” researchers explained. “This behavior stands in stark contrast to how most unauthorized network access is brokered through the cyber extortion supply chain to any willing purchaser post exploitation.”

“Moreover, the Accellion exploit did not allow for the deployment of ransomware across the victims environment, so data theft from the appliance was the sole target of CloPs campaign from the outset,” they added.

There were fewer than 100 unpatched FTA instances but the impact has been pretty substantial, including the extortion of dozens of victims. Centene was one of the larger victims, with at least 1.3 million patients impacted.

Clop has since returned to more traditional network access vectors and encryption ransomware. 

READ MORE: 70% Ransomware Attacks Cause Data Exfiltration; Phishing Top Entry Point

Coveware data also showed the most common attack vector was remote desktop protocol connections, regaining the top spot from phishing emails that install credential-stealing malware or remote access trojans. Sodinokibi remains the most common ransomware variant, followed by Conti V2, and Lockbit. 

Ransomware-as-a-Service operations have also increased competition in both affiliates and credibility in Q1. As these groups have grown, associated operational complexity and risk has followed, according to the report.

The report showed some positive as well: Egregor sunsetted operations four months after taking over Maze, while a global federal effort took down Netwalker in January. Researchers also observed technical issues with Sodinokibi, Lockbit, and BlackKingdom following attacks.

Further, Conti has proved problematic for its complicated recoveries and negotiations with victims. The group has also re-attacked prior victims, in addition to launching second attacks shortly after the initial, sustained attack.

Concernedly, Coveware researchers have observed a number of victims paying the hackers to suppress the leak, as data exfiltration attempts continue to rise.

READ MORE: Healthcare’s Data Extortion Problem, and How to Prepare for Ransomware

“Victims of data exfiltration extortion have very little to gain by paying a cybercriminal, and despite the increase in demands, and higher prevalence of data theft, we are encouraged that a growing number of victims are not paying,” Coveware researchers wrote.

“Over hundreds of cases, we have yet to encounter an example where paying a cybercriminal to suppress stolen data helped the victim mitigate liability or avoid business or brand damage,” they added. “On the contrary, paying creates a false sense of security, unintended consequences and future liabilities.”

Data exfiltration attempts have two main goals: to exfiltrate data from the most convenient file server and to escalate privileges and deploy ransomware on all available endpoints. Coveware stress that entities should employ principles of least privilege and two-factor authentication to limit the ability of an attacker to escalate privileges during an attack.

For the Emsisoft report, the data is primarily based on submissions to ID Ransomware, including the Djvu strain of STOP ransomware. As it’s believed about 25 percent of public and private sector entities impacted by ransomware use ID Ransomware, the submissions data was multiplied by four to create the overall cost estimate.

The data showed a total of 23,661 submissions from the US, with a minimum cost of $920M and overall cost estimates of $3.7B. Of those submissions, 15,672 were from the US private sector: with a minimum cost of $596M and $2.3B estimate for overall costs.

When it comes to ransom demand and downtime costs, the US saw 15,672 submissions with a staggering minimum cost of $4.9B and $19.6B estimated overall cost.

“Ransomware attacks still disproportionately affect small businesses. These small companies rarely end up in the headlines and often don’t have the financial or technical expertise to properly handle the incident or perform the proper remediation required to prevent a repeat attack,” Coveware researchers concluded.

“Small businesses that exist below the cybersecurity poverty line represent the greatest challenge to stemming the expansion of the cyber extortion economy,” they added.

Healthcare entities should review previous ransomware guidance from NIST, Microsoft, and the Office for Civil Rights to ensure they’ve employed the right policies and tech.