Most news on ransomware attacks is about U.S. organizations. We hear little about ransomware attacks in India, as few organizations report them. That’s not to say that Indian companies are spared. In fact, India is the fifth most attacked country in the world and the third in Asia. This is widely reported in the media. In its report titled “The State of Ransomware 2021,” cybersecurity firm Sophos reveals that India tops the list of top 30 countries for ransomware attacks, with 68% of Indian organizations surveyed being hit by ransomware in the last 12 months.
Ransomware Attacks in India Decline
According to Sophos, there has been a drop in ransomware attacks this year compared to the previous year. The Sophos survey also highlighted that 67% of Indian organizations whose data was encrypted paid a ransom to get their data back, compared with 66% last year.
The Sophos report states, “In fact, Indian organizations were the most likely to pay a ransom of all countries surveyed: the global average was just under one third (32%).”
While ransomware attacks in India saw a dip this year, various research reports show that attackers are taking a more targeted and organized approach. There are new vulnerabilities; zero-day attacks are now common. Ransomware hackers have now zeroed in on blockchain, cryptocurrencies, and cryptocurrency exchanges. EC-Council’s Cyber Research cell will be releasing a report on this next month.
According to the Microsoft Security Endpoint Threat Report 2019, Asia Pacific continued to experience a higher-than-average encounter rate for malware and ransomware attacks – 1.6 and 1.7 times higher than the rest of the world, respectively.
India registered the seventh-highest malware encounter rate across the region, at 5.89% in the past year. This was 1.1 times higher than the regional average. The report also found that India recorded the third-highest ransomware encounter rate across the region, which was two times higher than the regional average.
This was despite a 35% and 29% decrease in malware and ransomware encounters, respectively, over the past year.
Cryptojacking Attacks Increasing
The Microsoft report states that crypto-hacking, malware, ransomware, and drive-by download attacks are major cybersecurity challenges in India. In fact, India recorded a cryptocurrency mining encounter rate that was 4.6 times higher and drive-by download attack volume that was three times higher than the regional and global average.
It’s a well-known fact that millions of Indians have taken to cryptocurrency trading via hundreds of exchanges around the world. And since cryptocurrency is linked with ransomware, it’s not surprising that new attack vectors like crypto-hacking, cryptojacking, and illegal cryptomining are picking up in the region.
Cryptocurrency is generated through crypto mining, which requires a lot of computing power. During cryptojacking attacks, the victims’ computers are infected with cryptocurrency mining malware, which enables criminals to leverage the computing power of victims’ computers without their knowledge, to mine cryptocurrency. Pro-Ocean, which was discovered by Palo Alto Networks, is an example of cryptocurrency mining malware.
New Vulnerabilities Found
In its Q2 Index Update, Cyber Security Works reveals new vulnerabilities in the ransomware arsenal. Its research shows that six vulnerabilities have become associated with seven ransomware strains; among them are the infamous Darkside, Conti, FiveHands, and the newly christened Qlocker.
“With this update, the total number of vulnerabilities associated with ransomware has increased to 266. We have also noticed a 1.5% increase in the number of actively exploited vulnerabilities that are trending currently, reiterating that a risk-based approach for the remediation of vulnerabilities is the need of the hour.
One of the most compelling observations during this quarter was the exploitation of zero-day vulnerabilities even before vendors published their discovery or released patches,” said Ram Movva, Chairman and Co-founder of Cyber Security Works.
More Targeted Attacks
Another trend we observe is that the attacks are getting more targeted. Going forward, you can expect to see attackers going after niche sectors rather than trying to pull off large-scale attacks on everyone.
“Ransomware threat actors have been constantly evolving their tradecraft to increase the odds of the ransom payment. The most infamous ransomware variants such as WannaCry, NotPetya were more of opportunistic attacks than targeted. However, the ransomware incidents and attacks from 2020 and 2021 are much more focused, planned, and targeted and are becoming ‘Human-Operated’. They leverage known information such as vulnerabilities/stolen credentials/phishing attempts to launch initial attacks. These newer ransomware variants are also including a ‘cyber extortion’ angle in the mix along with ransomware, rendering the data backups/restoration controls implemented by organizations less effective,” said Prateek Bhajanka, Sr Principal Analyst, Gartner.
He continued, “In many cases of ransomware incidents, the encryption of data may not even occur, and the threat actor would issue a ransom note saying, we have stolen your regulatory, client and other sensitive information, here is the sample, and if you don’t pay, we will also encrypt your data. The ransomware threat actors are going to various lengths to increase the odds of the payment and even resorting to launching/threatening a DDoS attack if the organization doesn’t pay, called ‘Triple extortion attacks’.”
Bhajanka also said there will be an increase in the volume of attacks due to the emergence of Ransomware as a Service (RaaS) on the dark web, which makes it much easier to target specific organizations. He said the attacks are going to be directed at specific industries.
“In 2020, Healthcare and Pharmaceutical industries were the most sought-after targets and now we are also observing an increase in attacks in the Retail and education sectors. Alongside, the threat actors are targeting the technology service providers such as Managed service providers (MSPs) and Managed Security Service Providers (MSSPs) to use them as a vector/pivot to a large number of victim organizations,” he added.