Spurred on by 2020’s worldwide pandemic-related economic shutdown, cyber-criminals emerged from all corners of the globe to wreak havoc on critical businesses, corrupt data and demand record-breaking ransoms.
The success cyber-criminals saw in 2020 drove record-breaking ransomware attacks in 2021. These attacks got bigger, smarter and more expensive for businesses. Here are five key takeaways IT experts learned about ransomware in 2021, along with one ominous forecast for 2022:
- Critical resources make prime targets: COVID-19 put a huge strain on hospitals and other critical infrastructure. Cyber-criminals took advantage of this, knowing many of these organizations would have to pay quickly. Attacks on healthcare especially skyrocketed, with more than 1 in 3 healthcare organizations globally reporting being hit by ransomware in 2020, according to AAMC.org, which added that the sector experienced a 45% uptick since November 2020. Groups like FIN12 are shutting down systems, eliminating access to patient records, radiology imaging and other functions until a ransom is paid. And beyond hospitals, the Colonial Pipeline and JBS attacks showed cyber-criminals can hinder supplies of gas and food with a few clicks.
- FBI interest did not dissuade big attacks: FBI alerts warned of new and impending attacks, clawed back Bitcoin ransoms and sought to disable cyber-criminals worldwide. This did little to dissuade cyber-criminals from executing bigger, flashier attacks and demanding higher paydays. JBS Meats, Colonial Pipeline, Air India and CWT Global made massive headlines and drew record-breaking ransoms. The Colonial Pipeline attack drew so much attention that REvil temporarily disappeared, but it resurfaced, more cunning than ever, in the fall.
- Cyber-criminals launch new attack vectors: As organizations tried to stay in front of cyber-criminals, the criminals evolved their ransomware attacks to bypass common detection methods. For years, they had corrupted data in the same handful of ways. As security tools started catching those basic methods, they added new approaches. Lockfile ransomware was brought to light this past July, doing something unique in the field of ransomware: “intermittent encryption.” Because only parts of each file are encrypted, this method evades detection by many metadata analytics tools. Other attack vectors that cause significant destruction while avoiding detection include Jigsaw (encryption combined with progressive deletion) and CrypMIC, which corrupts files without changing the extension.
- Backup has a bullseye on it: Cyber-criminals are trying to do as much damage as possible to make organizations as desperate as possible and demand as much money as possible. Disabling, erasing and encrypting backups makes it nearly impossible to rebuild and recover without paying the ransom, making backup an increasingly common focus of big ransomware attacks. REvil and Conti, a Ransomware-as-a-Service organization, led the way in targeting backups, including turning off popular backup applications, and drove a massive shift towards more intelligent cyber protection solutions.
- Recovery is taking longer: Many organizations found that their disaster recovery process did not extend to cyber recovery, so recovery took longer, causing more economic hardship. Average downtime is now 23 days, up by two days in 2021. But some organizations take months to get back to normal, especially if they were relying solely on disaster recovery backups. Tulsa mayor GT Bynum saw his city attacked in mid-April of 2021 and remarked, “We’re on path to have all our city services restored back to normal by mid-September. That is the goal for us, which is six weeks earlier than we were initially projecting. The city has hundreds of different computer systems that our team, contractors and law enforcement personnel are having to go through and make sure they’re clean before restoring them.”
Prediction for 2022: It’s going to get worse before it gets better
Why would cyber-criminals stop now? It’s a lucrative business, and it is attracting more hackers into its criminal enterprise. Cyber-criminals will continue to get smarter; attacks will continue to increase; and these attacks will get even more sophisticated and even more destructive. In October, ZDNet reported a new strain of malware that can encrypt a corporate system in less than three hours. It capitalizes on the new remote workspaces, breaking in through TeamViewer and deploying within 10 minutes. It is organizations’ responsibility to implement a recovery plan that can detect, diagnose and recover from the sophisticated attacks of 2021 and stay in front of what is coming in 2022.