Most discoveries are made through careful observations and critical analysis that provides answers to the world’s most complex questions. In order to draw proper conclusions from major events, variables need to be isolated and well-documented. For cybersecurity, discoveries are made possible thanks to threat intelligence. To focus on ransomware; an unsettling, crippling cyberattack that relies on the encryption of data, many variables can be isolated. For instance, the threat actor’s length of time in a victim’s network or dwell time, their tactics techniques and procedures (TTPs), the Indicators of Compromise (IOCs) that help differentiate the different threat actor groups, as well as countless other qualifying factors which play into the execution of this crime. In order to predict future trends and prevent future attacks, Tetra Defense presents an interesting variable: the location of organizations that have been publicly named by ransomware threat actors.
There’s an important distinction here between “data encryption” and “data theft.” Most of the ransomware incidents we fight daily begin with an alarming ransom note on a victim’s device: “Your files have been encrypted!” This means that unfortunately, a victim organization has been compromised and they no longer have access to their own files, but “encryption” alone does not mean “theft.” Ransomware groups often claim they will release sensitive data to the public, yet this data may not be completely in their control yet (they have not exfiltrated the data, nor copied it, nor shared it, etc.). If a threat actor feels they can get paid without actually having sensitive data in their possession, they may simply encrypt it and hope a victim’s fear is enough to convince their payment.
What we’ve compiled are incidents where victim organizations have been publicly listed on the respective threat actor sites. The amount and/or nature of the data varies; in some cases, only the names of the organizations were published on the threat actor’s site in order to shame them into paying the ransom. In other instances, large amounts of data have been published. These ransomware strains thrive on being unpredictable, but through tracking their behavior and location of attacks, we can start making predictions. As we gather this insight, we hope to provide a vision for what future threats look like.
While there are many variables to consider within each attack, diligent data collection can illustrate these variables and offer insights for upcoming trends, preventative strategies, and methods for law enforcement to bring justice to threat actors. In isolating only the incidents where victim information was published and made available, we hope to further refine predictions and trends we see in future attacks. As of now, we can clearly make appropriate conclusions that some ransomware variants are more prolific in exfiltrating data than others, and some locations are more consistently targeted than others. Vice President of Digital Forensics and Incident Response at Tetra Defense, Nathan Little remarks: “As this type of extortion continues, we start to see a correlation with geographic location. Of the data leaks thus far by these groups, there is a clear indication that attacks being made public are focused on the western region of the world, and largely the United States.”
Other key takeaways from attacks in 2020 so far:
- 64% of attacks made public by these threat actors are organizations based in the United States.
- California- and Florida-based organizations have been publicly disclosed by these threat actors most, consuming 21% of the incidents in the United States.
“We can also see that Maze ransomware is the most active attack group when it comes to publicly shaming its victims,” Nathan adds. By continuously and vigorously collecting, analyzing, and contextualizing data from known cyberattacks, we can continue to provide credible threat intel. For this resource, we hope to provide a deeper understanding of the nature of ransomware and in this case, where it’s taken to its extreme. While the fight against ransomware is prolific and un-even, the data behind each attack can be used against threat actors to make stronger defenses, more robust policies, and more appropriate protection for organizations the world over.