This has been another record-breaking year for ransomware attacks. The waves of attacks seen in the USA at the start of the year, followed by attacks on public administrations all over Europe, and the latest breaches detected in Spain have all led to ransomware keeping its place on the list of the most important cyberthreats in 2019. And the statistics speak for themselves: ransomware attacks have shot up 500% in 2019 since this time last year.

All organizations are exposed to security breaches: from large multinationals to SMEs and public administrations. In fact, according to the World Economic Forum, the percentage of organizations that experienced an attack in 2018 rose to 61%. The figure of 2019 is likely to be even higher. This is largely down to the surge of ransomware attacks that we’ve seen in different waves throughout the year..

Nevertheless, more than waves specifically designed to be deployed massively all at once, these seem to be a series of attacks that have coincided in time and in their use of ransomware. We’ve actually identified a large range of TTPs used to breach the security of the victims of these attacks.

The first signs

The earliest indicators of the series of ransomware attacks that we’re currently experiencing came in January. The city of Del Rio, Texas, reported a ransomware attack that affected their systems, and forced them to carry out their administrative tasks manually, with pen and paper. Del Rio’s Management Information Services were obliged to disconnect City Hall’s computers to keep employees from accessing the system and spreading the infection.

According to US media outlets the attack was carried out using an unusual strategy. The ransom note included a phone number to communicate with the attackers and get instructions as to how to pay to recover their files.

In March, the Norwegian company Norsk Hydro suffered a devastating attack when a strain of ransomware called LockerGoga got onto its network and forced the closure of 22,000 endpoints in 40 countries. This was a highly targeted attack; according to the BBC, the attackers spent weeks on the company’s IT systems, searching for weak points and vulnerabilities before launching the ransomware. The company has so far spent over £45 million (€50 million) on recovering from the attack.

LockerGoga was most likely delivered via a phishing attack, potentially hidden in Word documents with malicious macros. Some of the characteristics of the ransomware could suggest that encrypting files and demanding a ransom is not the main goal of LockerGoga. In some variants, the malware changes the administrator’s password and logs the victim off using logoff.exe, making it much harder to pay the ransom.

The focus moves to US public administration

While the trend for attacking public administrations began with the incident in Del Rio, it wasn’t until a few months later that similar organizations began to fall. In March, the city hall of Jackson County, Georgia unleashed controversy when it paid the $400,000 ransom demanded by cybercriminals after a ransomware attack—probably a variant of Ryuk. The infection closed down almost all of the local government’s systems except for its website and its emergency system.

Also at the beginning of March, the Police Federation of England and Wales fell victim to a ransomware attack that managed to encrypt its databases and servers. The attack also managed to erase the backups that the organization had created.

In April, Augusta, Maine, suffered what was described as a highly targeted ransomware attack. The attackers demanded a ransom of at least $100,000. Luckily, the city hall managed to stop the ransomware, and their systems were almost back to normal the following day.

In May, two cities were attacked in the space of two days. The first was Cartersville on the 6th, in one attack, and then on the 7th, Lynn was hit by a piece of ransomware called “Herpes 1.2”, which infected the city’s online parking payment system.

May 7 is also when the municipal government of Baltimore announced that the city government had closed most of its servers due to a ransomware attack. The attackers demanded a 3 bitcoin ransom for each computer, or 13 bitcoins to free the whole city. The city’s systems were out of service for nearly a whole month, and to date, the city has spent $4.6 million on recovering the data on all of its computers.

The strain of ransomware used is called RobbinHood. According to Bleeping Computer, the ransomware doesn’t get onto computers via spam; rather, it takes advantage of remote desktop protocols (RDP) or other Trojans that can let the attacker gain access. In the last few months, there has been some evidence that the attackers that encrypted the systems in Baltimore are proud of their work: a new variant of RobbinHood includes a ransom note that suggests that the victim google ‘Baltimore’ to understand the gravity of their situation.

Unfortunately this was just the start of the “Summer of discontent” in the United States. Two cities in Florida were attacked in one week, both of which took the controversial decision to pay the ransoms—65 bitcoins (over €600,000) in Rivera Beach, and 42 bitcoins (€420,000€) in Lake City.

In July, there were ransomware incidents in Richmond Heights and in Georgia Department of Public Safety.

One of the most striking incidents came on the morning on August 16: a total of 22 local governments in Texas became victims of a coordinated ransomware attack. Although the Texan authorities didn’t reveal what ransomware was used in the attack, they did announce that the 22 attacks came from the same source. The attackers demanded a $2.5 million ransom.

The wave hits the rest of the world

In the fall, we began to see ransomware attack in Europe and the rest of the world. In the middle of September, several city halls and institutions in Spain were affected by ransomware attacks. In the Basque Country, there were at least four reports of alleged cybersecurity crimes, while the municipal government announced that it had been attacked by a piece of ransomware called Ryuk. This crypto-malware encrypted the files stored on over 50 servers, forcing municipal government employees to carry out their work by hand.

In Germany, a major producer of automation tools was paralyzed for over a week by an incident involving the ransomware BitPaymer, while the systems of the city of Johannesburg in South Africa were hijacked by attackers demanding 4 bitcoins.

Among the latest victims of ransomware are several Spanish companies, whose systems were encrypted at the beginning of November. Panda has had access to the ransom note received by the affected external clients, and we have seen that these incidents share many characteristics with the ransomware BitPaymer.

PandaLabs explains: “According to our preliminary investigations, which still haven’t been confirmed, one of the strongest hypotheses is that the victims could be companies affected by some of the spam campaigns launched in the previous weeks, whose aim is to infect the machines with the malware Emotet. If this is the case, the ransomware will have kept a low profile until now, when its C&C sent it BitPaymer to begin the attack.”

The most recent victim is the Mexican oil company Pemex. On November 11, several computers were hijacked, stopping employees from carrying out their work. The IT department advised the employees to disconnect their computers.

The main causes

Although this series of attacks have coincided in time and form, in practice they have all used a wide variety of techniques to get onto their victims’ systems. The main causes for these ransomware attacks are the following:

  • In the Norsk Hydro incident, the attackers spent months on the company’s system, searching for vulnerabilities that could be used in conjunction with spam to launch the ransomware. And this isn’t an isolated case; in fact, the cause of one in every three security breaches is an unpatched vulnerability. One of the most notorious ransomware attacks in history—WannaCry—exploited a vulnerability to get onto some 300,000 computers worldwide.
  • 92% of the world’s malware gets in via phishing, and ransomware is no exception. It can be hidden in attachments with macros or links to malicious URLs. One of the theories for how the ransomware made its way into Spanish companies in November is that it got in via a phishing email sent by the botnet Emotet.
  • Supply chain attacks. To carry out the massive attack in Texas, a technique called island hopping was used. Island hopping involves cybercriminals infiltrating the networks of smaller companies—marketing or HR companies, for example—that are normally providers for the final target, and use this access to gain entry to larger organizations. In the case of Texas, island hopping was possible because the many of the affected municipalities share the same software and IT system provider.

Zero trust to fight ransomware

The fact remains that ransomware is an ever-present threat, and one that is very hard to contain if you don’t have the appropriate protection in place, and don’t follow the proper steps. The most important thing is to follow a zero trust approach to security: don’t trust anything until you can be sure that it is not malicious, and question everything.

Panda Adaptive Defense isn’t based on signatures or traditional techniques, but on zero trust of all activity on all devices. To do this, it proactively monitors absolutely all activity on every computer and server in order to classify each process on all of the devices in the organization, and define their behavior profiles. If it detects any suspicious activity, even if it doesn’t have a seemingly suspicious profile, it blocks it and analyzes it in order to make a decision about what to do. What’s more, it has anti-exploit technology that is able to detect malicious scripts and macros.

99.98% of the decisions are made automatically thanks to artificial intelligence processes based on machine learning and deep learning. The remaining 0.02% of decisions are delegated and scaled to a team of expert threat hunters who determine the nature of the process, enriching and perfecting the automatic algorithms at the same time.

What’s more, you can further reduce the attack surface with Panda Patch Management. This module searches for and applies patches and updates to operating systems and hundreds of applications so that vulnerabilities don’t pose a risk of intrusion.

We can tell you how these attacks work, what vulnerabilities they exploit… We can also tell you that they will by no means be the last. The only thing we don’t know is when the next massive attack will be launched.

Get ready and strengthen your systems with Panda Adaptive Defense. Thanks to its Zero Trust model, it is able to register and validate 100% of processes before they can run on your computers. These levels of visibility and control strengthen our prevention, detection and response capabilities. This is why no Panda Security customers have been affected by any of these waves of ransomware.