Ransomware attacks continue to grow, according to data from IBM, which also suggests that ransomware gangs are upping their ransomware demands and getting more sophisticated about how they calculate the ransom they try to extort.
The number of ransomware attacks IBM’s Security X-Force Incident Response team were called in to deal with tripled in the second quarter of this year compared to the previous quarter, and accounted for a third of all security incidents it responded to between April and June 2020. “Ransomware incidents appeared to explode in June 2020,” said a report by the company’s security analysts.
June alone saw one-third of all the ransomware attacks the IBM team has remediated so far this year. The report said ransom demands are increasing rapidly, with some reaching as high as $40 million. It revealed that Sodinokibi ransomware attacks account for one in three ransomware incidents IBM Security X-Force has responded to so far in 2020.
IBM said it has observed a general shift in ransomware attacks. Ransomware hits manufacturing companies hardest, it said, and that these account for nearly a quarter of all the incidents responded to this year, followed by the professional services sector and then government.
“Attacks on these three industries suggest that ransomware threat actors are seeking out victims with a low tolerance for downtime, such as manufacturing networks. Organizations that require high uptime can lose millions of dollars each day due to a halt in operations. Therefore, they may be more likely to pay a ransom to regain access to data and resume operations,” IBM said.
IBM said there is also a shift to blended extortion-and-ransomware attacks – where gangs steal a copy of sensitive company information before encrypting it. If victims look like they won’t pay up for the decryption key, the attackers will increase the pressure by threatening to release the stolen data too.
With attackers actually stealing company data, ransomware attacks are also becoming data breaches, which for some companies, depending on where they are, can bring additional risk of fines from regulators. Indeed, in some cases IBM said attackers were thought to name their ransom according to the regulatory fines organizations would have to pay.
The ransomware strain IBM Security X-Force has seen most frequently in 2020 is Sodinokibi. IBM calculates that Sodinokibi has claimed at least 140 victim organizations since its emergence in April 2019. It estimates more than one in three Sodinokibi victims have paid the ransom, and 12% of victims have had their sensitive data sold in an auction on the dark web. In these auctions, prices for data range from $5,000 to over $20 million.
“Our research also indicates Sodinokibi attackers consider a victim organization’s annual revenue when determining a ransom request, with known requests ranging from 0.08% to 9.1% of the victim company’s yearly revenue,” IBM said.
“The group appears to tailor its requested ransom amount to a victim organization, with the highest Sodinokibi requested known ransom amount being $42 million and the lowest around $1,500. Our conservative estimate for Sodinokibi ransomware profits in 2020 is at least $81 million.”