Check Point Software

Global Surges in Ransomware Attacks

Organizations worldwide are in the midst of a massive wave of ransomware attacks. In the last 3 months alone, the daily average of ransomware attacks has increased by 50%. As these attacks continue to mature both in frequency and intensity, their impact on business has grown exponentially.  In the past month, there has been reports about ransomware attacks targeting a shipping giant, a US-based broker and one of the largest watch-makers in the world.

Claiming a new victim every 10 seconds, ransomware has proved to be a lucrative attack method for cybercriminals. Check Point Research studied and analyzed this wave of recent attacks, and this blog details characteristics, the targeted countries, potential reasons for the wave, and tips on how organizations can prevent ransomware attacks.

Ransomware in Q3 2020 – which countries are most impacted?

In the last 3 months, there has been a 50% increase in the daily average of attacks, compared to the first half of 2020. US ransomware attacks doubled (~98% increase) in the last 3 months, making it the #1 most targeted country for ransomware, followed by India, Sri Lanka, Russia and Turkey.

The top 5 countries affected by ransomware in Q3 in terms of the number of attacks are:

*All the graphs and statistics used in this report present data detected by Check Point’s Threat Prevention technologies, stored and analyzed in ThreatCloud during Q3 2020.

Why is this happening now?

The current pandemic has forced organizations to make rapid changes to their business structures, often leaving gaps in their IT systems. These gaps have given cybercriminals the opportunity to exploit security flaws and infiltrate an organizations network. Hackers will encrypt hundreds of thousands of files, incapacitating users and often taking whole networks hostage. In some cases, organizations simply prefer to pay the price instead of dealing with encrypted files and recovering their IT systems. This creates a vicious cycle – the more these type of attacks “succeed” the more frequently they occur.

Cyber-criminals have also started to incorporate a new tactic in their ransomware playbook: double extortion.  In what has become a trend since Q1 2020, threat actors are adding an additional stage to their attacks. Prior to encrypting the victim’s databases, the attackers extract large quantities of sensitive information and threaten to publish this information unless their ransom demands are paid.

Driven by fear, organizations sometimes prefer to pay the ransomware immediately to avoid having their valuable data exposed. Recently, different ransomware operators have taken advantage of the current pandemic and used this tactic to force hospitals and medical research institutes to pay the ransom, putting the lives of patients in danger.

Furthermore, Emotet, after taking a 5 month hiatus, has surged back to 1st place in the Most Wanted Malware Index, impacting 5% of organizations globally. Emotet is an advanced, self-propagating and modular Trojan. It was originally a banking Trojan, but has recently been used as a distributor of other malware or malicious campaigns.

Emotet operations sell their infected victim’s details to ransomware distributers and because they are already infected, these victims are vulnerable to more attacks. This makes ransomware attacks even more “effective” to the attacker since more infected targets means more entry points for ransomware attacks.

Ryuk Ransomware in focus

Unlike common ransomware which is systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored targeted attacks. Ryuk was first discovered in mid-2018, and soon after, Check Point Research published its first thorough analysis of the ransomware which was then targeting the United States. There has been a significant increase in Ryuk’s activities since July 2020, and it has been attacking about 20 organizations per week.


Ryuk attacks per week across all sectors

There has been a steady increase in the number of healthcare organizations targeted by Ryuk, and there has been an almost twofold increase in the percentage of healthcare organizations being impacted by ransomware globally, from 2.3% in Q2 to 4% in Q3. And, healthcare is number one most targeted industry in the US.

Ryuk Attacks on healthcare organizations

Our data comes from ThreatCloud, Check Point’s threat intelligence engine, which is derived from hundreds of millions sensors worldwide, enriched with AI-based engines and exclusive research data from Check Point Research.

Preventing Ransomware

So what can organizations do to ensure they’re less susceptible to ransomware attacks? Here are some tips to consider.

General Good Practice

Security Best Practice

Check Point’s Anti-Ransomware solution defends organizations against the most sophisticated ransomware attacks, and safely recovers encrypted data, ensuring business continuity and productivity. Anti-Ransomware is offered as part of Check Point’s comprehensive endpoint security suite, SandBlast Agent, to deliver real-time threat prevention to your organization’s endpoints.