Cybersecurity researchers aren’t running out of terms to describe how bad ransomware attacks have become. The latest, “stratospheric,” comes from Positive Technologies.

According to Positive’s Cybersecurity Threatscape: Q2 2021, ransomware attacks now account for 69% of all attacks involving malware.

The report also finds:

Well-Organized Structure, High Ransoms

Ekaterina Kilyusheva heads Positive Technologies‘ Information Security Analytics Research Group.

Positive Technologies’ Ekaterina Kilyusheva

“There’s a low threshold of entry into the extortionate business, which has a well-organized structure,” She said. “And criminals are receiving large amounts of ransoms. Within the framework of partnership programs, ransomware operators have been able to attract many low-skilled cybercriminals who can be quite successful in distributing malware and monetizing their skills. Good bonuses are another reason for the proliferation of ransomware. When even one successful operation pays for all the efforts spent, this motivates criminals to continue their attacks.”

The retail sector is seeing a shift in attacks and motives, according to Positive.. There was a sharp decrease in the number of Magecart attacks, as criminals shift from stealing data, such as payment details, to pursuing direct financial gain through ransomware attacks. Malware was used in six out of 10 attacks against retail. That’s up from only 26% during the same quarter last year. Moreover, ransomware accounted for 95% of all malware used in attacks against the sector.

Threat actors also are actively targeting manufacturing and industrial companies.

Positive Technologies previously thought attackers distributing malware posed a danger mainly to Windows systems, Kilyusheva said.

“Now we see that the trend toward creating malware for attacks on Unix systems, virtualization tools, and orchestrators has taken hold,” she said. “In Q1 2021, we wrote that many attackers targeted virtual infrastructure. In Q2, they were joined by ransomware operators. REvil, RansomExx (Defray), Mespinoza, GoGoogle, DarkSide, Hellokitty and Babuk Locker are ready to be used in attacks on virtual infrastructure based on VMware ESXi.”

Most Common Targets

The most common ransomware targets during the quarter were governmental, medical, industrial companies, and scientific and educational institutions.

“Large companies, which are more willing to make deals with cybercriminals, are the main targets for ransomware distributors,” Kilyusheva said. “There are several reasons for this. First, it takes a lot of time to recover, which can be critically important for the activities of a large company. Second, attackers not only encrypt data, but also steal it for the purpose of blackmail, and the disclosure of information, including customer data, may be absolutely unacceptable for a large organization. And of course, large organizations are financially capable of paying the ransom.”

Positive Developments

On a positive note, some of the latest ransomware attacks attracted special attention of law enforcement agencies, Kilyusheva said.

“The ransomware rampage culminated in an attack on Colonial Pipeline, the largest U.S. pipeline system,” she said. “Law enforcement agencies reacted quickly, and the DarkSide operators responsible for it lost access to their servers in a matter of days. The criminals had no choice but to announce the termination of their activity, and some other operators followed their example. Due to the mass exodus from the market, the boom of ransomware attacks observed in April began to gradually subside.”

There are also disputes on dark web forums regarding the business of ransomware operators in general, Kilyusheva said. Some forums have banned advertising of affiliate ransomware programs.

“This step, having further complicated the life of ransomware operators, could precipitate a change in their business structure,” she said. “We believe ransomware operators responsible for high-profile attacks will find it hard to quit such a profitable business, and will instead wait for things to blow over before developing a new concept, but there is a possibility that the number of attacks will decrease. For example, June saw a halving of such attacks.”