What is the most common type of ransomware attack?

by
What is the most common type of ransomware attack

Ransomware attacks have become increasingly common in recent years, inflicting significant damage on businesses, governments, healthcare organizations, and everyday internet users. These cyber attacks involve malware that encrypts files on a device or network, preventing access until a ransom payment is made. But what is the most prevalent specific type of ransomware attack today?

Key Facts and Figures on Ransomware Attacks

Some quick facts and statistics on the ransomware landscape:

  • Ransomware attacks increased by 105% globally in the first half of 2021 compared to the first half of 2020, according to SonicWall.
  • The average ransom payment nearly tripled from $111,605 in Q4 2020 to $309, 373 in Q1 2021, per Coveware.
  • 99% of ransomware attacks involve the threat actors encrypting victims’ data, per Sophos.
  • There were 304.7 million ransomware attacks in 2021, representing a 151% year-over-year increase, according to SonicWall.

These figures indicate the scale and growth of the ransomware problem facing organizations today. Attackers are targeting victims more frequently, demanding higher ransom payments, and leveraging data encryption at an extremely high rate.

What Are the Main Types of Ransomware?

There are a few primary categories into which most ransomware variants can be placed:

  • Encrypting ransomware – Prevents access to files and data by encrypting them. A decryption key is required to restore access.
  • Locker ransomware – Locks users out of their devices or blocks access to the operating system and applications. No files are encrypted.
  • Doxware – Exfiltrates and threatens to publish sensitive data if the ransom isn’t paid. May also encrypt files.
  • RaaS – Ransomware-as-a-Service enables affiliates to use existing ransomware tools to carry out attacks.

Of these main types of ransomware, encrypting ransomware is overwhelmingly the most prevalent in today’s threat landscape. In fact, 99% of ransomware attacks involve encryption, per research from cybersecurity firm Sophos.

Most Common Ransomware Families

Looking at specific ransomware families, which types of ransomware are behind the most attacks? Several notorious ransomware operations stand out as the most active and widespread:

LockBit

  • LockBit emerged in 2019 and is a RaaS affiliate model ransomware.
  • Attacks involve encrypting files and demanding a cryptocurrency payment in exchange for decryption.
  • LockBit was responsible for 35% of all ransomware attacks in 2022, according to Trend Micro.
  • High-profile victims include IT infrastructure provider Conscia and the Scottish Environment Protection Agency.

Conti

  • Conti is another RaaS ransomware that debuted in 2020.
  • It leverages advanced encryption algorithms to lock files.
  • Conti accounted for 10% of global ransomware attacks in 2022, per Trend Micro.
  • The group notoriously attacked the Costa Rican government in an attack that impacted numerous government agencies.

Quantum

  • First observed in 2019, Quantum focuses on encrypting entire networks.
  • It makes copies of stolen data to increase pressure on victims to pay ransoms.
  • Quantum was tied to roughly 7% of ransomware incidents in 2022, according to Trend Micro.
  • Major victims include industrial equipment rental company United Rentals.

REvil

  • REvil (also known as Sodinokibi) is a prolific RaaS ransomware active since 2019.
  • Affiliates break into networks and encrypt files, coupled with ransom demands.
  • REvil was linked to around 5% of ransomware attacks in 2022, per Trend Micro data.
  • The group infamously crippled meatpacker JBS Foods in a high-dollar attack in 2021.

The ransomware threat landscape is always evolving, but operators like LockBit, Conti, Quantum, and REvil have consistently been behind a large share of attacks on businesses and organizations over the past couple years.

Ransomware Delivery and Deployment

How does ransomware like LockBit and Conti actually get deployed on victims’ systems in order to launch an attack? Ransomware threat actors use a variety of technical means to infiltrate networks and plant their malicious payloads:

  • Phishing emails – Malicious emails with infected attachments or links to malware are the most common ransomware delivery method.
  • Remote desktop protocol (RDP) – RDP gives access to internal systems, and exposed or brute-forced RDP often leads to ransomware attacks.
  • Software vulnerabilities – Unpatched security holes in apps and operating systems are exploited to push ransomware.
  • Managed service providers (MSPs) – MSPs provide centralized access, and compromising them allows ransomware to spread rapidly.

Phishing is ubiquitous due to its simplicity – just a convincing looking email that victims are fooled into opening. RDP attacks and exploiting security vulnerabilities require more technical sophistication, but also represent highly effective ransomware deployment tactics. Gaining access to MSPs offers ransomware groups an efficient way to disperse infections rapidly across multiple customer networks.

Costs and Impact of Ransomware

What is the actual business and organizational cost or impact of having data and systems encrypted by ransomware like LockBit or REvil? The consequences can be severe:

  • Average total cost of recovery from a ransomware attack is $1.27 million, according to Sophos.
  • Average ransom payment in Q2 2022 was $247,555, per Palo Alto Networks.
  • 97% of organizations that paid ransoms ended up being targeted again, per Cybereason.
  • Downtime from an attack lasts on average 3 weeks, per research from Cybint.
  • 8-9% of ransomware victims end up going out of business following an attack, per Cybint.

Between business disruption, ransom payments (which prompts repeat attacks), recovery costs, and potential closure, the fallout from ransomware can be catastrophic. This massive impact underscores the need for proactive measures to reduce vulnerability.

Most Targeted Industries

What sectors are bearing the brunt of ransomware attacks currently? According to research and reporting, the most targeted industries include:

Healthcare

  • 37% of all ransomware attacks in 2021 struck healthcare organizations, per Cynet.
  • Notable examples include attacks crippling scripps health and the The Asian Heart Institute.
  • Patient safety and lives can be jeopardized by healthcare cyber incidents.

Education

  • School districts saw a staggering 1,681% increase in ransomware attacks between 2018 and 2021, per Barracuda Networks.
  • Recent attacks disrupted major universities like the University of Colorado and Lincoln College.
  • School ransomware can expose student data and derail learning.

Manufacturing

  • Manufacturers suffered over 40 ransomware attacks per month in 2021, per research from Preveil.
  • Attacks on manufacturers can cause production lines to halt.
  • Notable victims include manufacturer Kawasaki and aerospace parts maker Asco.

Energy and Utilities

  • Energy companies faced over 20 monthly attacks in 2021, per Preveil.
  • Major incidents include the Colonial Pipeline shutdown that led to gas shortages.
  • Power grid and oil/gas operational disruptions are concerns.

Insurance

  • The insurance sector saw a 13% increase in cyber incidents including ransomware from 2020 to 2021, per the Coalition.
  • Prominent attacks have impacted companies like AXA and Chubb.
  • Insurers increasingly affected both as targets and providers of cyber policies.

Healthcare, education, energy, and insurance are clearly high-priority targets for ransomware operators. Manufacturing is also a popular target due to operational technology vulnerabilities and valuable intellectual property.

Government Responses to Ransomware

With ransomware attacks escalating sharply in recent years, what steps are governments taking to try to counter this cyber threat?

United States

  • Signed anti-ransomware law in 2022 increasing reporting requirements and sanctions.
  • State department offered $10 million reward for info on ransomware leaders.
  • DHS mandated new cyber rules for pipelines after Colonial Pipeline attack.
  • FBI formed a ransomware task force with key federal agencies.

United Kingdom

  • Created a National Cyber Force to improve cyber capabilities to deter ransomware gangs.
  • Urged businesses to boost cyber spending and preparedness for ransomware
  • Backed Interpol and international cooperation against ransomware.

European Union

  • Europol set up the European Cybercrime Centre to help EU members fight ransomware.
  • Created cybersecurity regulations requiring organizations to assess risk.
  • Provided funding and coordination support for ransomware response.

While governments are taking actions to address the ransomware epidemic, experts argue that substantially more change is needed in areas like law enforcement, cybersecurity regulation, threat information sharing, and infrastructure investment to turn the tide.

Ransomware Mitigation Strategies

For organizations seeking to build resilience against prevalent ransomware attacks, here are crucial mitigation strategies to consider:

Employee Training

  • Train staff on how to identify and avoid phishing attempts.
  • Conduct phishing simulation exercises.
  • Ensure personnel don’t use work devices for general web browsing or accessing suspicious sites.

Patching

  • Prioritize patching known exploitable vulnerabilities.
  • Use asset management to monitor patch status across all systems.
  • Segment networks to limit impact of any unpatched assets.

Access Controls

  • Require strong, unique passwords for all users.
  • Limit admin privileges to only essential staff.
  • Set up multifactor authentication (MFA).

Backups

  • Maintain regularly updated backups offline and immutable.
  • Test backup recovery to ensure it works when needed.
  • Ensure backups are comprehensive and include entire system.

Incident Response Plan

  • Have an IR plan that outlines roles, actions if under attack, communication protocols, and how to request law enforcement assistance.
  • Run response exercises to validate effectiveness of IR plan.

Ransomware threats like LockBit and REvil aren’t going away anytime soon. But by intelligently assessing risks, hardening IT infrastructure, and preparing staff, organizations can build resilience against even state-of-the-art cyberattacks.

Conclusion

In summary, while many types of ransomware are circulating globally, encrypting ransomware delivered via phishing represents the vast majority of attacks. Sophisticated major ransomware families like LockBit and Conti are behind a large percentage of incidents. Attacks carry heavy financial costs and business disruption. Healthcare, education, energy, manufacturing, and insurance are heavily targeted. While governments are taking actions, the ransomware epidemic is likely to continue escalating if more organizations do not take steps like employee training, patching, backups, and incident response planning to enhance their cyber defenses and overall security posture.