Ransomware Risk Trends

Shared Assessments’ Vice President Tom Garrubba and Senior Advisor Charlie Miller have been reflecting on recent ransomware risk trends. As of late, Garrubba and Miller have observed increased occurrences of data exfiltration and ransomware-as-a-service attacks. In the aftermath, trends in ransomware response include a significant increase in payments to attackers as well as longer recovery time after attacks.


Ransomware Trends

2021 has seen an increase in occurrences of data exfiltration, instances where data may require multiple ransom payments prior to have having “clean” data returned. To make matters worse, data returned from attackers may include additional new variations of malware baked into the data and code. Data taken may be used to extort additional payments so as not to be traded or sold on the Dark Web. And, multiple copies of your data may have been made for additional ransom later.

Ransomware-as-a-service (RAAS) has been available on the dark web since 2016 and is increasing due to the chances of payout – fear is the primary driver. It is raising concern of a lot of “copycat” attacks as well.

Significant Ransomware Attacks

Below, Garrubba and Miller summarize the most significant business ransomware attacks this past spring.

MultiCare, March 9, 2021: A third-party ransomware attack exposed the personal information of over 200,000 patients, providers and staff of MultiCare Health System, a non-profit health care organization. The attack allowed access to personal information including names, insurance policy numbers, Social Security numbers, dates of birth, bank account numbers, and more.

Facebook, April 3, 2021: The personal data of 533 million Facebook users from 106 countries has been posted online for free in a low-level hacking forum. The data was scraped in a vulnerability that the company patched in 2019, and includes users’ phone numbers, full names, location, email address, and biographical information.

LinkedIn, April 6, 2021: Over 500 million LinkedIn user profiles were discovered on the Dark Web. The hackers shared two million of these LinkedIn records for only $2 total to prove the legitimacy of the information in the stolen data. The LinkedIn account users’ data was scrapped or imported from the website into a database, and includes names, LinkedIn account IDs, email addresses, phone numbers, gender, LinkedIn profile links, connected social media profile links, professional titles, and other work-related personal data.

ParkMobile, April 12, 2021: A third-party software vulnerability is responsible for exposing 21 million customer records belonging to ParkMobile, a contactless payment parking app. The stolen data includes email addresses, phone numbers, license plate numbers, hashed passwords and mailing addresses.

GEICO, April 19, 2021: The auto insurance company Government Employees Insurance Company, known as GEICO, filed a data breach notice announcing information gathered from other sources was used to “obtain unauthorized access to your driver’s license number through the online sales system on our website.” The total normal of insured drivers affected has not been disclosed but the hackers had accessed between January 21 and March 1. Driver’s licenses contain Personally Identifiable Information (PII) such as name, address and date of birth.

Apple, April 27, 2021: Quanta Computer One of Apple’ Taiwan based Manufacturer’s was hit by an attack orchestrated by a ransomware gang known as ‘Revil.’and demanded $50 million to return their data.

Colonial Pipeline, May 7,2021 – The operator of US’s largest fuel pipeline confirmed it paid $4.4m to a gang of hackers who launched a ransomware attack, which took the company’s pipeline system offline and needed to do everything in its power to restart it quickly and safely, and made the decision then to pay the ransom.

City of Baltimore, MD, USA May 7, 2019 – The RobbinHood ransomware attack shut down the critical systems of nearly 15 departments and services of the city along with their email system. Reportedly, the recovery from the ransomware attack cost the city of Baltimore over US$18 million, which dwarfs the paid ransom of 13 Bitcoin (roughly US$80,000). The US newspaper, the Baltimore Sun, obtained and published an undated risk assessment report advising Baltimore city officials to address security gaps in their systems immediately for failing to do so would render Baltimore “a natural target for hackers and a path for more attacks in the system,” such as ransomware incidents. It is important to note that the RobbinHood ransomware attack also affected the smaller city of Greenville, NC one month earlier and they did not pay the ransom.


Ransomware Risk

As ransomware continues to dominate headlines and draw federal and international attention, Garrubba and Miller led a webinar discussion on trends and strategies for dealing with these devastating attacks on your organization and your suppliers and vendors. You can find a recording of the webinar here.