• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

OneClik APT campaign targets energy sector with stealthy backdoors

 | 

APT42 impersonates cyber professionals to phish Israeli academics and journalists

 | 

Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

 | 

Cisco fixed critical ISE flaws allowing Root-level remote code execution

 | 

U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

 | 

CitrixBleed 2: The nightmare that echoes the 'CitrixBleed' flaw in Citrix NetScaler devices

 | 

Hackers deploy fake SonicWall VPN App to steal corporate credentials

 | 

Mainline Health Systems data breach impacted over 100,000 individuals

 | 

Disrupting the operations of cryptocurrency mining botnets

 | 

Prometei botnet activity has surged since March 2025

 | 

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Malware
  • The evolution of ransomware in 2019: attackers think bigger, go deeper and grow more advanced

The evolution of ransomware in 2019: attackers think bigger, go deeper and grow more advanced

Pierluigi Paganini May 27, 2020

The number of ransomware attacks increased by 40 percent last year, according to Group-IB attackers think bigger and grow more advanced.

Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, found out that the year of 2019 was marked by ransomware evolution and was dominated by increasingly aggressive ransomware campaigns, with its operators resorting to more cunning TTPs, reminding those of APT groups to get their victims shell out.

The number of ransomware attacks increased by 40 percent last year, according to Group-IB’s incident response engagements and industry researchers data, while devious techniques employed by the attackers helped them to push the average ransom grow over tenfold in just one year. The greediest ransomware families with highest pay-off were Ryuk, DoppelPaymer and REvil. 

The findings come as highlights of Group-IB whitepaper titled “Ransomware Uncovered: Attackers’ Latest Methods,” closely examining the evolution of the ransomware operators’ strategies over the past year, issued today. 

Big Game Hunting 

Last year, ransomware operators matured considerably, having joined Big Game Hunting and going beyond file encryption. More groups started distributing ransomware, and Ransomware-as-a-Service (RaaS) adverts opted to focus their attacks on big enterprise networks rather than individuals. TTPs employed by ransomware operators showed that they came to resemble what once was considered a modus operandi of primarily APT groups — last year saw even trusted relationship and supply chain attacks conducted by ransomware operators. 

Another feature that ransomware operators started to share with APT groups was downloading of sensitive data from victims’ servers. It should, however, be noted, that unlike APT groups that download the info for espionage purposes, ransomware operators downloaded it to then blackmail their victims to increase the chances of ransom being paid. If their demands were not met, they attempted to sell the confidential information on the black market. This technique was used by REvil, Maze, and DoppelPaymer operators. 

Big Game Hunters frequently used different trojans to gain an initial foothold in the target network: in 2019, a wide variety of trojans was used in ransomware campaigns, including Dridex, Emotet, SDBBot, and Trickbot. 

In 2019, most ransomware operators actively used post-exploitation frameworks. For instance, Ryuk, Revil, Maze, and DoppelPaymer actively used such tools, namely Cobalt Strike, CrackMapExec , PowerShell Empire, PoshC2, Metasploit, and Koadic, which helped them collect as much information as possible about the compromised network. Some operators used additional malware during their post-exploitation activities, which gave them more opportunities to obtain authentication data and even full control over Windows domains. 

How it all began

In 2019, the majority of ransomware operators used phishing emails, intrusion through external remote services, especially through RDP, and drive-by compromise as initial attack vectors. 

Phishing emails continued to be the most common initial access technique. This technique’s main admirers were Shade and Ryuk. Financially-motivated threat actor TA505 also started its Clop ransomware campaigns from a phishing email containing a weaponized attachment that would download FlawedAmmy RAT or SDBBot, among others.

Last year, the number of accessible servers with an open port 3389 grew to over 3 million, with the majority of them located in China, the United States, Germany, Brazil, and Russia. This attack vector was popularized among cybercriminals by the discovery of five new Remote Desktop Service vulnerabilities, none of which however was successfully exploited. Dharma and Scarab operators were the most frequent users of this attack vector.

In 2019, attackers also frequently used infected websites to deliver ransomware. Once a user found themselves on such a website, they are redirected to websites, which attempt to exploit vulnerabilities in, for example, their browsers. Exploit kits most frequently used in these drive-by attacks were RIG EK, Fallout EK, and Spelevo EK.

Some threat actors, such as Shade (Troldesh) and STOP operators, immediately encrypted data on the initially compromised hosts, while many others, including Ryuk, REvil, DoppelPaymer, Maze, and Dharma operators, gathered info about the intruded network, moving laterally and compromising entire network infrastructures.

The full list of the TTPs outlined in the whitepaper can be found in the heat map below, which is based on MITRE’s revolutionary ATT&CK matrix. They are ordered from the most commonly used (red) to the least commonly used (green).

ransomware heat map

   Figure 1 – Heat map of ransomware operators’ TTPs based on MITRE’s ATT&CK matrix

Game-changer

After a relative lull in 2018, the year of 2019 saw ransomware returning at full strength, with the number of ransomware attacks having grown by 40 percent in 2019 year-on-year. The larger targets determined greater ransoms — the average figure soared from $8,000 in 2018 to $84,000 last year, according to the industry researchers. The most aggressive and greediest ransomware families were Ryuk, DoppelPaymer and REvil, whose single ransom demand reached up to $800,000. 

“The year of 2019 was marked by ransomware operators enhancing their positions, shifting to larger targets and increasing their revenues, and we have good reason to believe that this year they will celebrate with even greater achievements,” comments Group-IB Senior Digital Forensics Specialist Oleg Skulkin. “Ransomware operators are likely to continue expanding their victim pool, focusing on key industries, which have enough resources to satisfy their appetites. The time has come for each company to decide whether to invest money in boosting their cybersecurity to make their networks inaccessible to threat actors or risk being approached with ransom demand and go down for their security flaws.”

Despite the vim, showed by ransomware operators recently, there is still a number of measures that can be taken to ward off ransomware attacks. They include, among others, using VPN whenever accessing servers through RDP, creating complex passwords for the accounts used for access via RDP and changing them regularly, restricting the list of IP addresses that can be used to make external RDP connections, and many others. More recommendations can be found in the relevant section of the whitepaper. 

Additional details are included in the report “Ransomware Uncovered: Attackers’ Latest Methods” published by Group-IB.

About Group-IB

Group-IB is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations. Group-IB’s Threat Intelligence system has been named one of the best in class by Gartner, Forrester, and IDC.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ransomware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Hacking information security news it security it security news ransomware Security Affairs Security News

you might also like

Pierluigi Paganini June 27, 2025
OneClik APT campaign targets energy sector with stealthy backdoors
Read more
Pierluigi Paganini June 27, 2025
APT42 impersonates cyber professionals to phish Israeli academics and journalists
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    OneClik APT campaign targets energy sector with stealthy backdoors

    Hacking / June 27, 2025

    APT42 impersonates cyber professionals to phish Israeli academics and journalists

    APT / June 27, 2025

    Kai West, aka IntelBroker, indicted for cyberattacks causing $25M in damages

    Cyber Crime / June 26, 2025

    Cisco fixed critical ISE flaws allowing Root-level remote code execution

    Security / June 26, 2025

    U.S. CISA adds AMI MegaRAC SPx, D-Link DIR-859 routers, and Fortinet FortiOS flaws to its Known Exploited Vulnerabilities catalog

    Security / June 26, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT