Why 2020 was a banner year for ransomware

Nov. 23, 2020
A look back at five of the most significant attacks and the changing threat landscape heading into the new year

Ransomware had a very good 2020. With millions of people working from home due to the Covid-19 pandemic, the opportunities for infection and exploitation were higher than ever. As a result, we've seen more (and more dangerous) ransomware attacks in the last 12 months than in any comparable period. In 2020, according to Cybersecurity Ventures, a company was attacked every 11 seconds. The costs from these attacks will reach around $20 billion by 2021.

It seems that even the big names weren't safe, either. As we've reported, Tyler Technologies was hit by a ransomware attack, and so was Tesla. Look at the extensive list of ransomware attacks in 2020, and you'd be forgiven for getting a little worried. With so many companies under assault each week, how does the average firm stand a chance?

One important way to protect yourself, your staff, your organization, and your data is to stay vigilant. If you are aware of the most popular ransomware attacks at any given moment, you at least know what to look for and what to defend against.

With that being said, here are the five most significant ransomware attacks that have taken place thus far in 2020 and could have lingering implications in the new year:

1. Maze

The story of Maze ransomware in 2020 is a strange one. The malware itself is a variant of the ChaCha ransomware, which was discovered back in May 2019. In the intervening period, a now-infamous gang of hackers picked up the malware, adapted it and started a destructive campaign of their own.

While the attack methods of the group are standard – the malware is delivered via a phishing scam, encrypts victims' files, and then demands money for their return – the way in which they talk about themselves is unusual. They claim to be in the business of helping companies learn (albeit the hard way) about data security, with the method of "education" being high-profile releases of highly sensitive data.

Or at least it was. In November, the gang announced that they would be "retiring," and that "All the links to ou[r] project, using of our brand [sic], our work methods should be considered a scam." Unfortunately, their malware is still out there and remains one of the biggest threats of 2021.

2. REvil

REvil became the most famous computer virus of 2020 – and arguably of all time – when it was used to attack the systems of media and entertainment lawyers Grubman Shire Meiselas & Sacks. The group behind the attack then began to post the personal and professional details of celebrity clients online, including tour contracts for Madonna and the personal information of Robert De Niro, Drake, Mariah Carey, Rod Stewart, Elton John, and many more.

What surprised many in the cybersecurity community about the hack, though, was that it was relatively unsophisticated, and that repeat attacks continued for a number of weeks. It seems, in other words, that the hackers were exploiting the fact that the lawyers didn't know how to get rid of a virus that was already in their system, and were so scared of losing face that they didn't admit this fact for weeks.

3. Ryuk

Ryuk is a rare breed of ransomware, but that doesn't make it any less dangerous for the average firm: quite the opposite. Since 2018, the Russian-based group Wizard Spider has been using Ryuk to specifically target the enterprise environments of the biggest firms out there. In the first year of operation, this group netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98.

Since then, the number of attacks that use the ransomware appears to have gone down significantly, but there is good reason to be skeptical about this apparent drop. The type of victim targeted by Ryuk – large companies with shareholders and millions of dollars of market capitalization – tends to be extremely reluctant to share the news that they have been hacked.

For this reason, it's difficult to estimate how prevalent Ryuk still is at the end of 2020. Given the capabilities of the ransomware, this means it remains a huge threat for all businesses – but especially growing ones – into the coming year.

4. Tycoon

Tycoon is also a strange bird in the malware field. This is not because of the type of company it is deployed against, but rather the language it is written in: Java. This relatively new piece of malware was discovered by security researchers analyzing the servers of mega accountancy firm KPMG, but since then it has been discovered in other companies' systems.

There are two further curiosities about Tycoon. One is that, at least to date, it appears to be relatively benign. Despite a wide infection base, and code that seems to be geared towards stealing intellectual property from entertainment and software firms, it has not been used to its full “potential” yet. 

It's natural to assume that when Tycoon was discovered, the group behind it was in the process of planning a delayed-action attack, waiting for a certain number of computers to be infected before the attack is triggered. When this will happen is anyone's guess, so check your systems for this malware now.

5. NetWalker

NetWalker is perhaps the "most 2020" of the ransomware on this list, because it appears to have been designed to take advantage of the biggest crisis of this year: Covid-19. 

This may be a coincidence, of course. Ransomware that specifically targets healthcare providers – like the Mailto malware that NetWalker was derived from – has been around for a while, and is growing in "popularity." It seems that hackers have realized how much valuable data healthcare providers hold and how (often) unprotected it is. 

Whether a coincidence or not, NetWalker still ranks among the most dangerous ransomware of 2020.

The Future

So, there you have it: five emerging threats that caused havoc in 2020 and will likely continue to do so into next year as well. Check your systems for these pieces of ransomware now and keep checking back. Every passing year brings new forms of attacks. Stay vigilant, keep your fingers crossed, and train everyone in your organization on how to avoid the kind of phishing scams that often lead to a ransomware infection.

About the Author:

Bernard Brode is a product researcher at Microscopic Machines and remains eternally curious about where the intersection of AI, cybersecurity, and nanotechnology will eventually take us.