In Q1 2020, we saw the line between ransomware attack and data breach continue to blur. Following in the footsteps of data-leak pioneers Maze, a number of prolific ransomware operators – including Sodinokibi, DoppelPaymer, Nemty, Nefilim, CLOP and Sekhmet – created their own websites where they publish the stolen data of non-paying victims.
However, this quarter has shown us that many ransomware groups are no longer content with simply leaking data; they’re weaponizing it. Over the past few months, we’ve seen ransomware groups double down on their blackmailing efforts and threaten to: sell stolen data to competitors; use stolen data to attack victims’ business partners; and publicize victims’ “dirty secrets” on the clear web for all to see.
Much of Q1 2020 was dominated by news of COVID-19, and we saw cybercriminals respond to the crisis in different ways. Some attackers took advantage of the global health crisis to coax people into opening malicious emails and attachments, while some ransomware groups showed a rare moment of decency and agreed to an ad-hoc ceasefire on healthcare providers – an interesting gesture, but not one that we’re going to put much stock in.
The following statistics are based on data from more than 123,300 submissions to Emsisoft and ID Ransomware between January 1 and March 31, 2020. Created by Emsisoft Security Researcher Michael Gillespie, ID Ransomware is a website that allows users to identify which ransomware strain has encrypted their files by uploading the ransom note, a sample encrypted file and/or the attacker’s contact information. It also directs the user to a decryption tool, should one be available.
Note: We estimate that only 25 percent of victims make a submission to Emsisoft or ID Ransomware, so the real number of incidents is probably significantly higher.
Most commonly reported ransomware strains of Q1 2020
(STOP submissions included)
- STOP (Djvu): 70.20%
- Phobos: 9.70%
- Dharma (.cezar): 8.00%
- REvil / Sodinokibi: 3.50%
- Globeimposter 2.0: 2.30%
- Magniber: 1.80%
- Rapid: 1.70%
- Rapid 2.0 / 3.0: 1.00%
- Ryuk: 0.90%
- Zeppelin: 0.90%
Most commonly reported ransomware strains of Q1 2020
(STOP submissions excluded)
- Phobos: 31.80%
- Dharma (.cezar): 26.30%
- REvil / Sodinokibi: 11.30%
- Globeimposter 2.0: 7.40%
- Magniber: 5.80%
- Rapid: 5.50%
- Rapid 2.0 / 3.0: 3.30%
- Ryuk: 2.90%
- Zeppelin: 2.80%
- Maoloa: 2.80%
Most ransomware submissions by country
- India: 25.80%
- Indonesia: 13.40%
- Egypt: 12.80%
- USA: 10.20%
- Brazil: 8.90%
- Pakistan: 8.70%
- South Korea: 7.00%
- Turkey: 4.80%
- Philippines: 4.70%
- Italy: 3.70%
Discussion
STOP, sometimes referred to as Djvu, was the most commonly reported ransomware strain in Q1 2020, accounting for more than 70 percent of all submissions. In total, there were more than 66,090 STOP submissions, which probably represents a fraction of the total number of global STOP infections. STOP typically spreads through cracked software, key generators and activators, which facilitate the use of pirated software. Certain older strains of STOP can be decrypted using free decryption tools, but newer variants cannot be decrypted.
Ten nations spanning five continents were responsible for the majority of ransomware submissions in Q1 2020, highlighting the fact that ransomware is truly a global issue. Developing and newly developed nations were over-represented, perhaps due to higher use rates of pirated software and greater reliance on outdated software and operating systems that are more vulnerable to exploitation. For example, only about 61 percent and 67 percent of desktop PCs in India and Indonesia, respectively, are running Windows 10, compared with 77 percent in North America, according to figures from web analytics service Statcounter. Additionally, businesses in developing regions may not have the resources or IT infrastructure to resolve ransomware incidents independently and are therefore more likely to seek free decryption tools and services such as those provided by Emsisoft.
Conclusion
Q1 2020 has shown us that ransomware groups are no longer content with simply holding data to ransom. We’ve seen a clear and growing trend of ransomware operators using data-stealing mechanisms to exfiltrate data and weaponize it if their demands are not met. This approach has given attackers more leverage and exposed victims to potential litigation, further increasing the financial burden of ransomware.
While backups remain an important part of mitigating the impact of ransomware, they do nothing to prevent data exfiltration, which has become an increasingly common ransomware mechanism. Consequently, companies of all sizes must focus their efforts on preventing the initial point of infection by leveraging proven detection technologies and providing ongoing cybersecurity awareness training to improve resilience to social engineering attacks.