Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:05 PM

Pay-or-Get-Breached Ransomware Schemes Take Off

In 2020, ransomware attackers moved quickly to adopt so-called "double extortion" schemes, with more than 550 incidents in the fourth quarter alone.

The "pay or get breached" ransomware trend — also known as the "double extortion" scheme — took off in 2020, despite the prolific Maze Team's Nov. 1 announcement that it would be discontinuing operations.

Using data collected by automated feeds, cyber-risk firm Digital Shadows documented 550 double-extortion postings on data leak sites maintained by more than a score of ransomware groups. By far, the industrial goods and services sector bore the brunt of ransomware attacks, with 29% of all 2020 attacks targeting the industry, while businesses in North America accounted for two-thirds of all attacks, Digital Shadows discovered.

Related Content:

Pay-or-Get-Breached Ransomware Schemes Take Off

Special Report: Understanding Your Cyber Attackers

New From The Edge: Learn SAML: The Language You Don't Know You're Already Speaking

Quarter over quarter, the cybersecurity firm saw a signifiant increase in ransomware attacks using the twin strategies of demanding a ransom and then leaking the data if the victim did not pay, says Jamie Hart, a cyberthreat intelligence analyst with the company.

"We are going to continue to see ransomware increase because the pay-or-get-breached method gives an opportunity for the new and less-known ransomware groups to make a name for themselves in 2021," she says. "There is no sector that is off limit to these groups."

By all measures, ransomware is now the default approach for monetizing compromised companies, with cybersecurity services firm CrowdStrike finding more than half of all of its client engagements were to clean up ransomware attacks. The number of companies hit by ransomware each year has remained steady, with 51% acknowledging a ransomware attack in the past year, and three-quarters of those attacks succeeding in encrypting some data, according to a survey by security-software firm Sophos.

While Maze accounted for a third of documented ransomware attacks in the third quarter of 2020, according to Digital Shadows' Q3 threat report, Egregor accounted for a third of incidents in the last quarter, according to ZeroFox's report. Egregor targeted Barnes & Noble Booksellers, game maker Ubisoft, and Epicor Software.

"Throughout 2020, we saw the 'pay or get breached' trend take off like a rocket and it didn’t seem to slow down," Digital Shadows stated in it analysis, published today. "To add to the already stressful situation of having their files exfiltrated and encrypted, victim organizations were pressured into paying ransom payments quickly by the threat of public exposure on a data leak site."

Digital Shadows monitors the data leak sites that ransomware groups use to publicize stolen data. Sites for six groups — Maze, Egregor, Conti, Sodinokibi, DoppelPaymer, and Netwalker — accounted for 84% of the breaches in 2020, the company said. The remaining data leak sites include more than a dozen other groups, including Ako/Ranzy Locker, Avaddon, Clop, DarkSide, Everest, LockBit, Mount Locker, Nefilim, Pay2Key, PYSA, Ragnar Locker, RansomEXX, Sekhmet, and SunCrypt, according to Digital Shadows.

While Maze accounted for a third of documented ransomware attacks in the first three quarters of 2020, Egregor accounted for a third of incidents in the last quarter. Overall, the steep rise in ransomware attacks at the end of 2020 quashed any thought that the November dissolution of the Maze Team would lead to a decline in cybercriminal activity. 

"No one really expected the Maze group to up and quit, but the statement they posted on their site said they would be back," Hart says.

The shuttering of the Maze group and the subsequent rise of the Egregor ransomware has led to speculation that remnants of the Maze group have joined with the Egregor developers. The collaboration would explain the success of Egregor, according to an analysis by the ZeroFox Alpha Team.

"One theory for the high volume of victim data is that former Maze actors may now be working on Egregor," the researchers said in the company's Q4 threat report. "These actors have prior knowledge of running a successful ransomware operation and can help the Egregor team achieve success of Maze's caliber, which ultimately makes Egregor a highly dangerous threat to vulnerable end users." 

Continuing the trend of attacks on industrial goods and services, American packaging giant WestRock acknowledged on Jan. 25 that it had suffered a ransomware breach, which had hobbled its operational technology systems. 

While cybersecurity experts and law enforcement officials have urged companies not to pay, most do not criticize when companies do pay. Ransomware groups have started using new tactics, such as cold calling victims and even threatening employees' safety, to get victims to pay, Digital Shadows said.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form F...
PUBLISHED: 2021-06-21
Textpattern 4.7.3 contains an aribtrary file load via the file_insert function in include/txp_file.php.
PUBLISHED: 2021-06-21
Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes,
PUBLISHED: 2021-06-21
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, clicking on a row will show full document unescaped, however ...
PUBLISHED: 2021-06-21
In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-185196177