Medical and government institutions, as well as industrial companies, bore the brunt of ransomware attacks.

Besides conducting attacks, hackers also created their own sites for publishing stolen data, such as the News & Leaks data leak site by the Mount Locker group. Some also formed alliances with other gangs. For example, Ako and ThunderX ransomware operators joined under the name Ranzy Locker.

Top 5 ransomware families

1. Ryuk (Conti)
2. REvil
3. Clop
4. Egregor
5. DoppelPaymer

Operators of Ryuk ransomware attacked medical institutions most frequently in Q4 2020. The victims included Wyckoff Heights Medical Center in Brooklyn, the University of Vermont Health Network, Sky Lakes Medical Center in Klamath Falls (Oregon), St. Lawrence Health System (New York), a gastroenterology clinic in Nevada, and Taylor Made Diagnostics. Attacks on medical institutions can have devastating consequences. For example, electronic health records for cancer patients went down after a cyberattack on the University of Vermont Health Network. The system was restored only a month after the attack, forcing clinicians to attempt to recreate chemotherapy protocols from memory in the meantime.

However, Ryuk operators target other industries as well. FS-ISAC describes Ryuk as a "rapidly evolving threat" to financial institutions. An incident with payment card processing giant Total System Services is a notable example. The third-largest payment processor for financial institutions in North America was hit by a ransomware attack in early December. More than 10 GB of data was published as a result of the attack.

In one Ryuk ransomware incident investigated by DFIR experts, the attackers managed to compromise an entire corporate network with the ransomware in just two hours. The attackers exploited vulnerability CVE-2020-1472 to elevate their privileges in the domain. On average, it takes Ryuk ransomware operators from two to five days to perform an attack.

A new ransomware operator known as Hades debuted in early December. The first reported incident took place on December 15, when trucking and freight logistics company Forward Air suffered a ransomware attack. The attack caused disruption and service delays, since cargo documentation was stored electronically. Nine days after the Forward Air incident, news came of an attack on logistics provider OmniTRAX. This attack was attributed to the Conti ransomware gang. The hackers stole over 70 GB of internal documents. OmniTRAX refused to pay the ransom.

Security experts warn against paying off ransomware attackers, since doing so encourages future crimes and justifies the continued investment of time and effort. However, not all companies follow these recommendations; some of them agree to pay up. In Q4 2020 alone, several companies paid a ransom, including online educator K12, hit by Ryuk ransomware in mid-November; Barbados-based conglomerate Ansa, attacked by REvil in October; a Mississippi school district; and Delaware County (Pennsylvania), hit by DoppelPaymer ransomware. The last two victims paid attackers $300,000 and $500,000, respectively.

First observed in September 2020, Egregor ransomware made a name for itself at the end of the year. Prominent victims included transportation agency TransLink, Chile-based multinational retailer Cencosud, U.S. department store Kmart, game developers Ubisoft and Crytek, U.S. bookstore giant Barnes & Noble, and major staffing agency Randstad. At Barnes & Noble, the stolen data included financial and audit documents as well as client information, including shipping addresses, email addresses, and purchase history. As a result of the attack on Cencosud, the company's customers were temporarily unable to use Cencosud Card credit cards, make returns, or pick up web purchases.

Nor did ransomware operators spare resorts. In late October, U.S. ski and golf resort operator Boyne Resorts suffered a WastedLocker ransomware attack. The company's reservations system was down for days as a result.

In November, web hosting provider Managed.com was attacked by REvil ransomware. The company's web hosting systems were unavailable for at least four days. The attack impacted client sites. Managed.com said the attack took down its entire infrastructure, including WordPress and DotNetNuke managed hosting solutions, mail servers, DNS servers, RDP access points, FTP servers, and online databases. The hackers demanded a $500,000 ransom.

Attacks on the industrial sector

Industrial companies have remained the second-most popular target for the last two years. In Q4 2020, a third of attacks on the industry involved hacking, and 84 percent of attacks were performed using malware.

Figure14 Main attack methods in 2020 (percentage of attacks on industrial companies)

The PT Expert Security Center recorded an uptick in attacks by the RTM group: 61 phishing mailings from them targeted the industrial sector, among others. Banking trojans, which previously had been used in 33 percent of attacks against industrial companies, grew to account for 59 percent of total malware attacks.

Figure 15. Types of malware in attacks on industrial companies (percentage of malware-related attacks)

Two airplane makers hit ransomware turbulence in Q4. RansomExx attacked Brazilian company Embraer. The attackers stole and later published employee details, contracts, flight simulation data, and other confidential information. Next, operators of Ragnar Locker ransomware breached breached Dassault Falcon Jet's network and encrypted the company's systems by exploiting vulnerability CVE-2019-19781 in Citrix Application Delivery Controller. The hackers stole trade secrets, including documents pertaining to the development of a new Falcon 6X business jet. By persisting on the company's network for over half a year, they were able to thoroughly study the infrastructure and strike the most sensitive targets.

Dassault Falcon Jet is not the only major victim of Ragnar Locker. On November 1, Italian liquor company Campari Group joined the list of victims. Attackers made off with 2 TB of data, including bank statements, emails, and trade secrets. They demanded a ransom of $15 million. In return, they promised to provide a decryptor, not to publish the stolen data, and even provide a network penetration report and recommendations on how to improve security.

The DoppelPaymer ransomware gang demanded an even greater ransom—a whopping $34 million—to decrypt systems and keep quiet after an attack on electronics manufacturer Foxconn. The attackers stole more than 100 GB of data. Interestingly, they made a point of stating that they had targeted only Foxconn servers, avoiding employees' workstations.

Attackers did not leave out energy companies, either. A cyberattack on October 13 in Mumbai caused a two-hour power outage. Attackers targeted the city's load dispatch center. The outage disrupted operations at the stock exchange and other establishments across Mumbai, Thane, and Navi Mumbai, and led to the cancellation of train services. Mumbai hospitals shut down all non-ICU patient care. In mid-November, energy company Parkland in Calgary (Canada) was attacked by the operators of Clop ransomware. The stolen information included sensitive documents related to refinery operations as well as personal data, such as a scan of one of the directors' passports. At The Standoff cyber-range in November 2020, theft of sensitive documents from an oil refinery constituted one of the most frequently triggered risks.

In November 2020, attackers hacked a water reservoir SCADA system in Israel. With such access, attackers can freely modify the operating parameters of critical infrastructure. They could, for example, increase the water pressure in the reservoir (causing it to burst) or increase the temperature to critical levels. Lack of authentication and direct connection of ICS devices to the Internet made the hack possible. After attackers published a video of the breach, authentication was turned on but the system remained Internet-accessible, meaning that hackers could strike again.

Supply chain attacks

Software vendors were another "trendy target" in Q4. The most prominent incident targeted SolarWinds clients, including the U.S. Department of State, Microsoft, Cisco, and FireEye. In a supply chain attack, attackers penetrated the SolarWinds network and added a malicious backdoor into updates for the company's Orion platform. Around 18,000 clients installed the tainted update on their systems. Of note, the attackers managed to steal penetration testing tools from cybersecurity firm FireEye. The stolen software contains exploits for numerous vulnerabilities, which attackers will likely leverage in future campaigns.

In November, domain name registrar GoDaddy fell victim to a phishing attack. The attackers duped employees into changing registration records of several clients, including cryptocurrency exchanges NiceHash and Liquid. The changes allowed redirecting user traffic to attacker-controlled servers.

Figure 16. Attack methods (percentage of attacks on IT companies)

Social engineering was especially popular in Q4, accounting for 65 percent of all attacks against IT companies. In one such case, the website of Japanese game developer Koei Tecmo was hacked and data for 65,000 users was stolen through a phishing email sent to an employee. The threat actor attempted to sell access (in the form of a backdoor) and a forum user database for $7,800. Five days later, however, the database was posted online free of charge.

Another Japanese game giant, Capcom, was hit by Ragnar Locker ransomware in early November. Capcom flatly denied that customer data had been accessed, but the ransomware operators published confirmation on their website. The criminals stole personal information of Capcom employees (including former employees), such as passport information, as well as data for customers and business partners, sales reports, development documents, and other confidential information. Ransomware attacks on IT companies did not stop there. In late December, hacking group Pay2Key attacked Israeli cybersecurity firm Portnox. Before encrypting the IT infrastructure, the group stole confidential information, including documents related to Portnox's clients. They even published a security audit of Elbit, a major Israeli defense company. A total of 1 TB of data was stolen.

Software AG, Germany's second-largest software vendor, fell victim to a Clop ransomware attack. Company files and employee information were compromised. The criminals demanded a $23 million ransom for non-disclosure of the stolen data.

Dangerous shopping

The number of attacks on retail and commerce increased by 56 percent compared to Q3, reaching a new high for the last two years.

Figure 17. Number of attacks on retail and commerce

When attacking retail and commerce, threat actors are typically seeking payment card data, which accounted for 33 percent of all data stolen in Q4. Other targets include customers' personal data (27%) and credentials (20%).

Figure 18. Data stolen in attacks on retail and commerce

Ransomware was used in 31 percent of incidents. One notable example is the attack on South Korean retailer E-Land on November 22. The ransomware operator had persistence on the company's network for more than a year. During this time, they exfiltrated credit card data with the help of POS malware. The company learned of the data breach only after the ransomware attack. As a result, E-Land was forced to shut down 23 stores. Attackers failed to capture CVCs and CVVs, but the amount of stolen data is enough to create fake cards.

Magecart attacks accounted for 23 percent of incidents. The most interesting thing about these attacks is how they are made stealthy. For example, researchers at cybersecurity company Sansec discovered web skimmers inside CSS code on the sites of three different online stores. This tactic is useful for evading detection, since CSS code is not commonly checked by security scanners and will most likely escape attention during manual audits. The skimmer script launched only when customers of compromised sites started to enter payment or personal information.

Sansec discovered another sophisticated stealth method, involving hiding a malicious payload in social media SVG sharing icons. The code of the skimmer script is loaded as an HTML element. A separate decoder can be deliberately deployed somewhere else because if only one of the malware components is found, an infosec expert may conclude that the malware is inactive.

Malefactors did not pass up Black Friday: a self-healing skimmer was discovered on over 50 online stores. On the compromised sites, the skimmer script showed a fake payment form and then sent all of the intercepted data to the real checkout page. The transaction process was virtually indistinguishable from the real thing, so security systems did not raise any flags. For robust persistence, attackers placed four payload components on the hacked websites:

• Backdoor loader, to install the skimmer;
• Backdoor watchdog, to restore the backdoor in the event of detection and deletion;
• Web skimmer;
• Infostealer, to steal administrator credentials.

Therefore, even if the entire infection and healing chain were to be discovered, the infostealer would still provide continuous access to servers, allowing the attackers to deploy all the payload components a second time. The infection became possible in the first place only because all the compromised stores were running Magento versions 2.2.3–2.2.7, despite being urged to upgrade to a more recent version.

Even when criminals do not manage to hack online stores, customers may still not receive products due to attacks on other links in the supply chain, such as delivery. One such incident struck Russian delivery service PickPoint on December 4. Attackers hacked the company's network of package lockers , remotely opening 2,732 lockers in Moscow and St. Petersburg. The process of restoring systems took several days.

Pre-election happenings

In late 2019, Positive Technologies experts shared their forecasts about cybersecurity trends for 2020. They expected many cyberattacks in the run-up to the U.S. presidential elections, including against the sites of political parties and candidates. This is, indeed, what happened.

In late October, hackers stole stole $2.3 million from the account of the Wisconsin Republican Party. Criminals manipulated invoices from four of the party's direct mail and merchandise vendors. Also in Wisconsin, a spokeswoman for the state's Democratic Party said there had been more than 800 attempts to phish for financial gain during the most recent election cycle, but none were successful.

Cyberattacks hit not only those in power, but also ordinary people. On October 7, the DoppelPaymer ransomware gang stole data on voters in the state of Georgia in an attack on the network and phone systems of Hall County. In early November, a phishing attack was spotted in which Qbot malware was distributed in a file allegedly containing information about election interference. Once on a victim's computer, Qbot starts grabbing user data and email messages for use in later attacks.

Election support systems fell prey to attacks exploiting vulnerability CVE-2018-1337 in the FortiOS SSL VPN and Windows vulnerability CVE-2020-1472.

The criminals behind Emotet malware got in on the act as well. In an October phishing campaign, they sent emails purporting to come from the U.S. Democratic National Committee. The emails claimed to be looking for volunteers, with an attachment promising further information. But in reality, opening the attachment triggered a message that the file was created on an iOS device and prompted users to "enable content" in order to view the file. Once a user enabled content, the infection process started.

One thousand and one ways to exploit COVID-19

The share of social engineering attacks that made use of the pandemic remained the same as in Q3: 4.6 percent. Despite the abundance of materials available online about COVID-19, attackers still manage to lure victims into opening phishing emails with the promise of valuable information. In one such attack, a phishing email disguised as an automatic message from SharePoint linked to a document supposedly informing of pandemic-related requirements. Clicking the link led victims to an attacker-controlled site.

Another popular ruse was financial relief. In late October, fraudsters sent messages purporting to come from the International Monetary Fund claiming that 125 beneficiaries had been shortlisted for compensation. All users had to do to receive this bounty was to reply with their private email address and provide additional information if requested. The goal was to collect as much user information as possible. The attack was masked to evade detection: the message did not contain any links, the "reply-to" address differed from the sender address, and the message was made to look like part of an email thread.

In December, fraudsters impersonated the New York Department of Labor to offer $600 in pandemic relief. To receive the money, users were asked to enter their personal data in a special form.

In yet another phishing attack, messages claimed to contain COVID-19 test results. The email contained a password-protected RAR file with malware inside. This is another time-proven stealth technique, since not all security tools can scan encrypted RAR files.

Interest in COVID-19 vaccines was targeted in 40 percent of all phishing attacks in Q4. A vivid example is the December phishing campaign discovered by KnowBe4 security researchers. The campaign was propelled by reports that a vaccine manufacturer might not be able to supply additional vaccine doses to the U.S. Tapping into panic and confusion, hackers sent messages asking users to fill out a form in order to get on a vaccine list. When users clicked the included link, they were redirected to a phishing site that pretended to be a legitimate cloud service asking users to sign in.

COVID-19 vaccines interest both ordinary Internet users and cybercriminals. Throughout the quarter, we observed attacks on vaccine production and supply chains. Pharmaceutical companies, such as Fareva, Dr. Reddy's, Johnson & Johnson, Novavax, Genexine, Shin Poong Pharmaceutical, Celltrion, and AstraZeneca, came under a barrage of attacks. U.S.-based cold storage giant Americold, whose facilities have considerable importance for vaccine storage, was not spared either: sources said the company was hit by a ransomware attack. Cyberattacks also target government agencies involved in making vaccine-related decisions. In early December, the European Medicines Agency was hit by a cyberattack in which documents of vaccine developers Pfizer and BioNTech were stolen.

About the research

In this quarter's report, Positive Technologies shares information on the most important global IT security threats. Information is drawn from our own expertise, outcomes of numerous investigations, and data from authoritative sources.

In our view, the majority of cyberattacks are not made public due to reputational risks. The result is that even organizations that investigate incidents and analyze activity by hacker groups are unable to perform a precise count. This research is conducted in order to draw the attention of companies and ordinary individuals who care about the state of information security to the key motives and methods of cyberattacks, as well as to highlight the main trends in the changing cyberthreat landscape.

In this report, each mass attack (in which attackers send out a phishing email to many addresses, for instance) is counted as a single incident. Definitions for terms used in this report are available in the glossary on the Positive Technologies site.