- Number of organizations impacted by ransomware has risen to 1210 in June 2021
- Check Point Research sees a 41% increase in attacks since the beginning of 2021 and a 93% increase year over year
- Latin America and Europe saw the largest increase in ransomware attacks since the beginning of 2021, marking a 62% and a 59% increase, respectively
Following our previous report in May, in which we reported a global surge in ransomware attacks, Check Point Research (CPR) continues to closely monitor the developments of this troubling trend. CPR believes the surge has yet to reach its pinnacle. Ransomware attacks are being reported globally on an almost daily basis, from the US pipeline attack to Ireland’s health services, which suffered a fallout after an attack a few weeks ago. In an unusual announcement by the Head of GCHQ (Government Communications Headquarters) in the UK, the official stated “Ransomware hackers are now bigger cyber threat to UK than hostile states”.
The Global Ransomware Data
In our previous report in May, researchers at CPR saw increases in the number of organizations impacted by ransomware in 2021, marking a 21% increase in the first trimester of the year. This increase has resulted in a staggering 102% overall increase in the number of organizations affected by ransomware compared to the beginning of 2020.
Today, we report that the weekly average of ransomware attacks in May increased to 1115, and that in the first half of June it has already reached 1210 organizations impacted by ransomware each week. This is a 20% increase in less than two months, a 41% increase since the beginning of the year, and a 93% increase since last June.
Average Weekly Attacks per Organization by Industry
Year over year, since June 2020, the industry sectors currently experiencing the highest increase in ransomware attack attempts globally are Education, which saw a 347% increase; Transportation, which saw a 186% increase; Retail/Wholesale, which suffered a 162% increase; and Healthcare, which experienced a 159% increase. Since the beginning of 2021, the “Consultancy” domain saw a 126% rise in attacks, followed by the Education/Research sector with an 81% increase, and then the Transportation and Government/Military sectors, which saw 80% and 75% increases, respectively.
Ransomware Impact per Region – a global “Ransomwave”
Recent months showed no signs of ransomware attackers slowing down, neither in the number nor in the scale of attacks. In the past two months, the continent of Africa saw an increase of 38% in attacks, followed by Europe, which experienced a disturbing 27% increase in attack attempts.
The Middle East saw a 21% increase, while Latin America and Asia both saw 19% increases.
Since the beginning of 2021, Latin America suffered the most prominent increase in ransomware attack attempts, spiking to a 62% increase. Europe saw a 59% increase in attacks. Africa saw a 34% increase, followed by North America, which experienced a 32% increase in attacks.
Why is this happening now?
More threat actors are being introduced to the growing field of ransomware, as ransomware gangs are rolling out more affiliation programs to foster operations in 2021. For now, ransomware is considered “successful” by threat actors, and therefore it continues to thrive. While federal agencies have put out clear messages that they will treat ransomware attacks as acts of terror, this will not drive hackers away from this profitable field unless the business stops being worth it altogether.
Furthermore, innovation and creativity in this field bring more business models into action. From ransomware-as-a-service to triple extortion, these actors aren’t just becoming bigger, they are becoming better at what they do.
Five Ways To Prevent Ransomware
1. Robust Data Backup
The goal of ransomware is to force the victim to pay a ransom in order to regain access to their encrypted data. However, this is only effective if the target actually loses access to their data. A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack. If systems are backed up regularly, then the data lost to a ransomware attack should be minimal or non-existent. However, it is important to ensure that the data backup solution can’t be encrypted as well. Data should be stored in a read-only format to prevent the spread of ransomware to drives containing recovery data.
2. Up-to-date patches
At the time of the famous WannaCry attack in May 2017, a patch existed for the EternalBlue vulnerability used by WannaCry. This patch was available a month prior to the attack and labeled as “critical” due to its high potential for exploitation. However, many organizations and individuals did not apply the patch in time, resulting in a ransomware outbreak that infected more than 200,000 computers within three days. Keeping computers up-to-date and applying security patches, especially those labeled as critical, can help limit an organization’s vulnerability to ransomware attacks.
While the previous ransomware prevention steps can help mitigate an organization’s exposure to ransomware threats, they do not provide perfect protection. Some ransomware operators use well-researched and highly targeted spear phishing emails as their attack vector. These emails may trick even the most diligent employee, resulting in ransomware gaining access to an organization’s internal systems. Protecting against ransomware that “slips through the cracks” requires a specialized security solution. In order to achieve its objective, ransomware must perform certain anomalous actions, such as opening and encrypting large numbers of files. Anti-ransomware solutions monitor programs running on a computer for suspicious behaviors commonly exhibited by ransomware, and if these behaviors are detected, the program can take action to stop encryption before further damage can be done.
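The behavioral check described above can be sketched as a per-process burst detector over file-write events. This is an added example, not Check Point's code: the event tuple format, the thresholds and the sample events are assumptions constructed for illustration.

```python
import math
import os
from collections import defaultdict, deque

# Assumed tuning values, not taken from any product.
WINDOW_SECONDS = 10   # sliding window per process
MAX_FILES = 20        # distinct files rewritten inside the window
ENTROPY_BITS = 7.2    # bits/byte above which data looks encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8 for encrypted or random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class BurstDetector:
    """Flags a process that rewrites many files with high-entropy data quickly."""
    def __init__(self):
        self.recent = defaultdict(deque)  # pid -> deque of (timestamp, path)

    def observe(self, ts, pid, path, written: bytes) -> bool:
        if shannon_entropy(written) < ENTROPY_BITS:
            return False                  # plain-text writes are ignored
        q = self.recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()                   # drop writes older than the window
        return len({p for _, p in q}) >= MAX_FILES

def constructed_events():
    """Constructed sample: pid 100 writes archives slowly (high entropy, low
    rate), pid 300 saves text quickly, pid 200 rewrites 30 files in 3 seconds."""
    events = []
    for i in range(30):
        events.append((i * 5.0, 100, f"/backup/part{i}.bin", os.urandom(4096)))
        events.append((i * 0.1, 300, f"/home/u/note{i}.txt", b"meeting notes " * 300))
        events.append((i * 0.1, 200, f"/home/u/doc{i}.docx", os.urandom(4096)))
    return sorted(events, key=lambda e: e[0])

def flagged_pids(events):
    detector, flagged = BurstDetector(), set()
    for ts, pid, path, data in events:
        if detector.observe(ts, pid, path, data):
            flagged.add(pid)              # a real agent would suspend the process
    return flagged

if __name__ == "__main__":
    print(flagged_pids(constructed_events()))
```

Combining write rate with entropy keeps slow archive jobs and fast text saves from being flagged; either signal alone would misfire on one of them.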
Training users on how to identify and avoid potential ransomware attacks is crucial. Many of the current cyber-attacks start with a targeted email that does not even contain malware, but a socially engineered message that encourages the user to click on a malicious link. User education is often considered one of the most important defenses an organization can deploy.
5. Ransomware attacks do not start with Ransomware
The operators of Ryuk and other ransomware purchase infection bases in targeted organizations. Security professionals should be aware of Trickbot, Emotet, Dridex and Cobalt Strike infections within their networks and remove them using threat hunting solutions, as they open the door for Ryuk or other ransomware infections to infiltrate organizations.
The data used in this report was detected by Check Point Threat Prevention’s technologies, stored and analyzed in Check Point ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research – The Intelligence & Research Arm of Check Point Software Technologies.