Researchers at Sixgill have noted that the number of Dark Web forum and marketplace references to ransomware in March, the month in which COVID-19 triggered most lockdowns, increased 50% compared to the average number of ransomware mentions compiled over the preceding 3 months.
Charity Wright, Cyber Threat Intelligence Analyst at IntSights, observes that “RaaS has been in high demand” while another researcher notes “an increase in ransomware leveraging false COVID-19 sites – infecting devices, both mobile & desktop.”
Where there seems to be less agreement is whether the strategy is paying off.
Q1 of 2020
In the US, Emsisoft reported in March that a total of 89 US-based organisations were known to have been affected by ransomware in Q1 of 2020. However, “as the COVID-19 crisis worsened, the number of successful attacks reduced considerably, & is now at a level not seen in several years,” the company said in a blog post.
Emsisoft threat analyst Brett Callow explains that this downward trend could be attributed to a reduction of potential targets’ attack surfaces once their non-essential services were scaled back. Companies’ work-from-home conditions, despite introducing new vulnerabilities, may have also posed unforeseen challenges to adversaries, Callow adds.
Even successful ransomware infections during this time may not actually be worth it, because the victims cannot pay.
“In a recent note posted to its website, the Maze group pointed out, ‘We are living in the same economic reality as you are. That is why we prefer to work under the arrangements, & we are ready for compromise,’” Emsisoft has reported. “That economic reality is likely now that companies are now less able to pay than they were prior to the COVID-19 outbreak.”
For that reason, do ransomware attackers now set lower expectations? It has been observed that recent ransomware payment demands “appear to be on the low side, usually indicating a volume-based strategy by the threat actors.”
Could it be possible that cyber-criminals have developed a conscience? Earlier this year, the operators behind the Maze and DoppelPaymer ransomware programs said they would not attack health care organisations during the pandemic, although their sincerity is in doubt.
Digital Shadows recently observed that a person on Torum received negative responses from his or her fellow members after asking how best to exploit COVID-19. “The gravity of the pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: users urging others to avoid taking advantage of an already dire situation,” explained Alex Guirakhoo, Digital Shadows Strategy & Research Analyst, in a company blog post.
Healthcare & Academia
However, health care absolutely remains a prime target. Criminals are noting which industries lack appropriate protections and infrastructure, and these are then discussed in the underground: mainly healthcare and academia, which top the target list for ransomware. Add the high levels of chaos that the healthcare industry is currently facing, and bad players are putting extra effort into attacking this sector, it has been suggested.
Microsoft recently reported in a blog post that ransomware delivering a “motley crew” of payloads was stretching security operations amid the pandemic, especially in the health care sector.