As 2019's ransomware attacks rolled into 2020, industries fell hard again. 

In 2017, ransomware graduated from consumer-focused attacks to devastating some of the world's largest enterprises. By 2019, ransomware elevated the threat, dangling data breaches over victims. Now the ransomware as a service model gives low-level cybercriminals a slice of the business — and it's a profitable one.   

Ransomware "makes the most money," compared to other methods of cyberattacks, said Allan Liska, senior security architect at Recorded Future. 

Bad actors remain observant, fleshing out where precious data lives before launching attacks. The average "dwell time" of ransomware is about 72 days and 12 hours in 2019, according to research from Mandiant's FLARE Advanced Practices Team. 

Studying ransomware is an imperfect science. Even if patterns in code and strategy resemble a certain group, it's not always reliable enough to definitively identify an attacker or variant. 

Malware as a service (MaaS) adds further complexity as attackers can take any shape, using any strain. The MaaS business is leading to half of customized cyberattacks, according to VMware Carbon Black. 

This month Microsoft was given permission from the United States District Court for the Eastern District of Virginia to stop Trickbot's operations, a MaaS bot used to spread ransomware. By Oct. 18, Microsoft and its partners "eliminate[d] 94% of Trickbot’s critical operational infrastructure," which included the malware's command-and-control servers and the "new infrastructure Trickbot has attempted to bring online," according to a company announcement. 

Much like other forms of malware, operators adapt or retire a strain for a new and improved iteration. Microsoft expects Trickbot's operators to find a way to remain active. 

The charts below represent ransomware attacks in the U.S. from January to September tracked by Cybersecurity Dive. Comments, questions or feedback? Please send an email to: [email protected].

Of the strains tracked by Cybersecurity Dive, almost half were unknown or not publicly disclosed. Prominent strains, including Maze, NetWalker and REvil, appeared across industries, though Maze and NetWalker heavily targeted healthcare-related organizations. 

During Q2 2020, Emsisoft's top reported strains included Djvu, Phobos, Dharma, REvil, and Globeimposter. 

"If you were to ask me to name ransomware families, I could probably give you 10 or so off the top of my head. But we actually track over 100 ransomware families," said Aaron Stephens, senior threat analyst on Mandiant's FLARE Advanced Practices Team, while speaking during a SANS Institute webcast Wednesday. Of those 100 ransomware families, many only appear once or twice. 

Attribution is an unreliable process —  it's the reason hack back initiatives are often cautioned against. VPNs and proxies blur geolocation information on IPs and domains, said Jonathan Tanner, senior security researcher at Barracuda Networks. Reused patterns might help "but still don't generally reveal much other than the scale of operations." 

Ransomware followed a similar pattern last year: It preys on the resource-poor. 

"The majority of what I've seen, what I've read in research also, is that this is coming from phishing, which is nothing new," said Jon "JP" Perez, security research engineer at IronNet Cybersecurity. This year's attacks leveraged more exploits for initial access. 

Unlike last year, crises compounded as new strains emerged. 

Cybersecurity Ventures estimates the healthcare industry to reach $125 billion in cybersecurity spending the next five years. Cumulatively the industry has outdated IT protecting invaluable data, making healthcare organizations more likely to pay.

The evolution of ransomware attacks is forcing cybersecurity professionals to change how they perform incident response. "Nowadays, if you turn on the lights on an attacker, you're going to be dealing with an escalation," said Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black, in the report. 

There was a lull in ransom payments in March for the U.S. and Europe, when the pandemic began to spread. But security experts say the drop was in sync with the economic downturn impacting everyone — even criminals. 

An April press release from Maze's operators said "We are living in the same reality as you are. That's why we prefer to work under the arrangements and we are ready for compromise. But only with those partners who can understand what is reputation and what are the real consequences of private data loss." 

In the 133 ransomware attacks Cybersecurity Dive tracked, at least 15 organizations paid a ransom. In cases where consumer data is at risk, bad actors will resort to increasingly "destructive actions" that make "it impossible to recover encrypted data," according to VMware Carbon Black. 

California ranked just ahead of Texas in the number of known ransomware attacks so far this year, according to Cybersecurity Dive's tracker. California has the nation's largest population and its economy is equivalent to 25 states combined, according to CompTIA's 2020 Cyberstates report. 

Texas ranks behind California in population, but the states are the leaders in overall tech employment. California and Texas employ 1.9 million and 1 million tech workers respectively, outpacing the third-place tech employer New York, which has 679,000. 

Last year more than 20 municipalities in Texas were hit in what's believed to be a connected ransomware attack, which is unusual for a singular event. Texas declared a state of emergency.  

Ransomware attacks historically encrypted files, denying organizations access to data. Now some bad actors add data exfiltration to ransomware, it's "a separate kind of attack," said Perez. Generally, it doesn't cost bad actors any more to follow a ransomware attack up with a data breach. It's just another actionable step. 

Data exfiltration was added to ransomware's traditional encryption practices last year. Of the 100,000 ransomware submissions ID Ransomware received between January and June, more than 11,600 were performed by data-stealing operators, according to Emsisoft. 

Cybersecurity Dive found at least 64 organizations were breached or issued a breach notification to their customers this year. 

Methodology: 

Much of the data represented in this article was compiled from ransomware trackers by Recorded Future, BlackFog, and Cybersecurity Dive's research using news reports, breach disclosures, and announcements on social media platforms. This report is based only on information publicly available. Some information is also unknown amid ongoing investigations. Attacks or breach threats included in the data occurred between Dec. 31, 2019 and September 2020.