IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Ransomware During COVID-19

What are current trends for ransomware attacks in 2020? How has COVID-19 impacted these cyberthreats? What are the warning signs to watch out for? Let’s explore.

Photo by Dimitri Karastelev on Unsplash
After 2019 was remembered as the year that ransomware targeted state and local governments, what can be said about ransomware in 2020 – especially during the global coronavirus pandemic?

To start, ransomware made global news headlines this week when a major ransomware attack was thwarted against Tesla. The Associated Press reported that: “Tesla CEO Elon Musk solved a mystery involving a 27-year-old Russian, an insider at an unnamed corporation and an alleged million-dollar payment offered to help trigger a ransomware extortion attack on the firm. …”  

Commenting on the same Tesla ransomware story and the wider industry extortion trends, Wired magazine added this context:

“But that kind of inside-man trick is rarer among ransomware gangs, says Katie Nickels, the director of intelligence at security firm Red Canary. ‘This indictment is the first time I've heard about an insider-enabled ransomware attack,’ she says. But she says that as the scourge of ransomware grows—along with its payoffs—the groups are adopting more ambitious tactics. ‘It’s part of a larger theme of ransomware adversaries really upping their game.’

Nickels adds that despite Tesla's success in thwarting the ransomware crew's insider recruitment, the case should nonetheless serve as a cautionary tale. It may suggest that network defenders need to consider the possibility that not just attackers outside the firewall, but malicious employees within it, could be the origin of an attack. ‘It really changes the game for the defenders. Before today I would not have suggested companies include an insider attacker installing ransomware in their threat model,’ she says. ‘Now everyone has to shift their thinking. If we know about this one case that’s been documented, there might be more.’”

For more on the Tesla ransomware attempt, you can also visit this excellent TechCrunch coverage

What About Ransomware & COVID-19?

But backing up a bit, what about wider ransomware trends this year?

Back on April 15, 2020, VMware Carbon Black issued a report with the headline: Global Orgs See a 148% Spike in Ransomware Attacks; Finance Industry Heavily Targeted. Here’s an excerpt:

“Cyber criminals often exploit fear and uncertainty during major world events by launching cyberattacks. These attacks are often performed with social engineering campaigns leveraging malicious emails that lure victims to install malware that steals financial data and other valuable personal information or, in some cases, turns a user’s computer into a crypto mining zombie.   

In light of the COVID-19 surge, we looked into attack data from the VMware Carbon Black Cloud to determine the shift to remote work, how cyber attackers have stepped up their campaigns, when these campaigns are being launched, and what industry has been most frequently targeted. …”

The report goes on to analyze trends in remote work, sectors impacted and top threats seen before reaching this conclusion: “As the COVID-19 battle continues globally, it’s clear attackers will continue to target vulnerable populations and organizations. As the VMware Carbon Black Threat Analysis Unit (TAU) has found, attackers have been using COVID-19 to launch phishing attacks, fake apps/maps, trojans, backdoors, crypto miners, botnets and ransomware. Increased vigilance and visibility into enterprise-wide endpoint activity are more paramount than ever.” 

On July 22, 2020, Security magazine released this headline: “COVID-19 pandemic sparks 72% ransomware growth, mobile vulnerabilities grow 50% - with the numbers coming from a Skybox Security trends report.  Here’s an important excerpt from that article:

“Key findings from the report include:

  • 20,000+ new vulnerability reports predicted for 2020, shattering previous records.
  • 50 percent increase in mobile vulnerabilities highlights dangers of blurring line between corporate and personal networks.
  • Ransomware thrives during COVID-19 pandemic, with new samples increasing by 72 percent.
  • Attacks on critical infrastructure, including healthcare companies and research labs, have added to chaos…
Also notable in the report is the increase of ransomware's popularity, with the number of new samples rising by 72 percent over the first half of the year. Sivan Nir, Threat Intelligence Team Leader for Skybox Security, commented on this rise. ‘We observed 77 ransomware campaigns during the first few months of the pandemic – including several on mission-critical research labs and healthcare companies. The focus and the capability of attackers is clear: they have the means to impart serious financial and reputational harm on organizations. The need for focused remediation strategies that are informed by full network visibility and contextual, data-rich intelligence has never been more pressing.’”

Other Ransomware Trends in 2020

Earlier this month, Health IT Security released this helpful article with Interpol data describing how Covid-19 has shifted the cyberthreat landscape.  Here’s an excerpt:

“Law enforcement investigations showed the majority of attackers “quite accurately estimated” the maximum amount of ransom they could demand from victim organizations. 

These findings are supported by Coveware’s Q2 ransomware report, which was fueled by big game attacks and an increase in Ransomware-as-a-Service (RaaS) variants targeting small businesses. 

In total, the average ransomware payment for the second quarter of 2020 was $178,254, a 60 percent increase from the first quarter. The rise coincided with the arrival of “big game hunting.” Previously, ransomware attacks were dominated by spray-and-pray attacks, which were more opportunistic in nature. 

Further, Coveware found that data exfiltration is growing much more common across all sectors. The method was first made popular by Maze ransomware attackers in November 2019, but other groups like Netwalker and Sodinokibi have quickly followed suit. 

In healthcare, the most recent data exfiltration incidents occurred at Magellan Health and the University of California San Francisco’s School of Medicine. …”

I also like this KPMG report detailing the rise of ransomware during the current pandemic.

Excerpt: “Criminal groups are increasingly switching to COVID-19 themed lures for phishing exploiting your consumers’ and employees’ concerns over the pandemic and the safety of there loved ones.

There’s also evidence that remote working increases the risk of a successful ransomware attack significantly. This increase is due to a combination of weaker controls on home IT and a higher likelihood of users clicking on COVID-19 themed ransomware lure emails given levels of anxiety.

Some current ransomware lures include:

  • Information about vaccines, masks and short-supply commodities like hand sanitizer.
  • Financial scams offering payment of government assistance during the economic shutdown.
  • Free downloads for technology solutions in high demand, such as video and audio conferencing platforms.
  • Critical updates to enterprise collaboration solutions and consumer social media applications.
We’ve also seen a move towards more creative ways of extorting ransoms. These include ‘double extortion,’ where ransomware encrypts your data and forces you to pay a ransom to get it back and then sends your data to the threat actor, who threatens to release your sensitive data unless further ransom is paid.”

How Can You Spot Ransomware? 7 Red Flag Signs

Many of these referenced article offer tips on training and what to do (and not do) to prepare for and prevent ransomware attacks. I found this Dark Reading article to be very good and a fresh approach – including seven red flags to watch out for. Here are the seven headline items, but you’ll need to read the details in the article on each topic:

  1. Active Directory Will Show Multiple Login Failures
  2. Brute-Force Attacks Will Hit the Network
  3. Phishing Emails Land With Strange Domains
  4. The Network Starts Making a String of Questions About a Single Machine
  5. Security Tools Are Being Used in Environments They Weren't Assigned To
  6. Unusual Time Stamps Appear on VPN Connections
  7. Traffic Is Suddenly Redirected to Questionable Places on the Dark Web
Final Thoughts

I have written about ransomware many times in the past, in addition to the year-end article in 2019 that began this blog. Here are a few of those earlier pieces:

There is no doubt that the focus of ransomware in 2020 has been more on hospitals and research institutions than on state and local governments. Nevertheless, there have been many schools hit with ransomware, like this situation in North Carolina, where a school system was closed due to a ransomware attack. 

This Government Technology magazine article has additional details on the nationwide schools districts targeted by ransomware, with some helpful numbers and context. This article discusses some cities hit by ransomware in 2020.

What is clear is that ransomware attacks are evolving globally, becoming more complex, merging with other cyberattack methods like insider threats (with human contact) and not going away anytime soon – even during the pandemic. 


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.