RidgeBot: The Ransomware Rampage of 2020, How to Survive 2021

Posted on 10/02/2021

A ransomware attack is a form of blackmail, and payouts have increased dramatically in 2020. It often seemed that every other day news broke from somewhere around the globe about yet another business affected by a ransomware attack that resulted in devastating consequences, extortion and ever larger payouts.

In 2020, ransomware yielded enough damage to solidify its position as a boardroom risk. Every aspect of the attacks is on the increase.

Blackfog reports that “Ransomware cyberattacks are a big business… research anticipates a business is attacked by a cybercriminal every 11 seconds and damage costs from these attacks will hit around [US]$20 billion by 2021.” An attack on the Düsseldorf University Hospital in Germany in September 2020 resulted in loss of life as an emergency patient had to be diverted to another facility and could not be cared for in time.

Ransomware Trends

Several trends are leading to the rapid rise in both the frequency and size of attacks in 2020. Threat actors are also adjusting their playbook for larger and more assured payouts.

Trends Fueling the Increased Incidence of Ransomware Attacks

Business and industry trends have dramatically increased the attack surface of small businesses, enterprises and government networks. Other trends have opened new opportunities for attackers.

Cloud migration: Cloud-based technology has rapidly grown over the last several years providing significant cost savings and business agility to all sizes of organizations. Cloud platforms and services afford companies significantly increased flexibility in storage, computing and grow-and-shrink needs at pay-as-you-use rates instead of heavy capital infrastructure investment.

Covid-19 Pandemic and Work-from-Anywhere: The global response to the pandemic caused a momentous and sudden shift to a majority work-from-anywhere (WFA) professional workforce. Urgent organizational efforts to maintain business continuity during Covid-19 lockdowns additionally accelerated the already strong trend in cloud migration. Together, the cloud and WFA trends have dissolved the traditional hard enterprise network perimeter, substituting it with a software-defined perimeter (SDP) that runs along every surface of the network open to Internet access. Businesses are struggling to keep up with the ever-changing capabilities and technologies needed to properly secure this new soft perimeter and WFA access via the Internet.

IoT: Unmanaged low-cost devices are proliferating in networks to automate, observe, report, measure, monitor and surveil a wide-ranging array of consumer and commercial devices and situations, from manufacturing to farming. IoT devices often use obsolete copies of open-source TCP/IP stacks, lack even rudimentary security capabilities, and offer no methodology for tracking or installing patches for known vulnerabilities.

Other trends more specific to ransomware also led to a significant increase in the sophistication, severity and financial efficacy of the attacks.

Ransomware-as-a-Service (RaaS): In the past, attack targets were naturally limited because only a few highly-skilled threat actors had the infrastructure, technical ability and fine-tuned execution methodology to infiltrate the well-secured networks of large organizations.

Following the same ease-of-deployment-with-limited-skill-needed path that SaaS, IaaS and PaaS have capitalized on, RaaS has now also moved to the cloud where highly customizable ransomware kits, purchased on the dark web, can be deployed with ease. This lowered the bar to entry and enabled a much larger population of threat actors to launch sophisticated attacks. RaaS offers different types of affiliate partner programs, with a full-fledged web portal where affiliates can get updated kits. REvil/Sodinokibi and Netwalker are examples using a RaaS model.

Spam and Phishing: This has long been the most successful initial entry-point for malware, but the Covid-19 pandemic has accelerated this trend with many new opportunities by preying on human fear as well as exploiting vulnerabilities opened by WFA setups. Threat actors pose as organizations that provide Covid-19 information, statistics, government economic-relief programs, personal protective equipment, or vaccine information.

Bitcoin Payments: The growing popularity and availability of crypto-currencies such as bitcoin offer payment methods with no traceability, no option to dispute, and un-cancelable transactions.

Trends in Ransomware Attack Approaches

Ransomware still occasionally targets consumers, but the vast majority of attacks have shifted to focus on corporate and government targets. The initial asset infiltration is almost as easy and the payout opportunities are enormous.

In 2020, threat actors have specifically targeted large organizations, and often those with regulatory exposure. The prospect of regulatory fines and reputation damage resulting from publicly exposed data privacy violations significantly increased the success rate of payouts, as well as the payout amounts.

SOCRadar Labs reports that the industries most affected by ransomware in 2020 are manufacturing, government, and professional services, all sectors whose organizations are particularly averse to downtime.

Ransomware has seen considerable growth in virulence, and—empowered by RaaS—a larger population of threat actors who can target a larger number of victims.

In addition to simply holding an organization’s data to ransom by encryption, an increasing number of the more recent attacks combine encryption with extortion to boost the probability of a payment. In these combination attacks, the threat actor first gains access to the organization’s assets and exfiltrates their data, and only then encrypts it. If the organization refuses a payout for the decryption key, the threat actor exposes the exfiltrated data by making it publicly available, or auctioning it on the dark web, thereby damaging the organization’s reputation and financial well-being.

This trend results in ransomware attacks also becoming data breaches. It also forces organizations’ security management to re-assess risk and incident response, and to adjust disaster recovery and business continuity strategies. Ransomware groups continue to leverage this data exfiltration and extortion tactic, though trust that stolen data will be deleted is eroding, as defaulting on such promises is becoming more prevalent even when the victim pays the ransom.

Threat actors have also taken advantage of the fact that businesses are distracted during the Covid-19 pandemic. While emergency network and compute re-engineering is being done to ensure business continuity, the security vulnerabilities exposed by cloud migrations and WFA often remain unaddressed for a period of time. The proliferation of WFA setups using RDP and other remote access technologies allows threat actors to leverage attack vectors that didn’t previously exist.

Over the last two years, the average ransom payout has also increased significantly, as shown in Blackfog’s Monthly Ransomware Report. The increase is partially attributed to attackers increasingly targeting larger companies.

Geographically, ransomware attacks mostly target Asia, North America and Europe, although no country or organization in the world is exempt.

Traditionally, threat actors have targeted Windows systems as the largest operating system installed base, but as macOS systems have gained market share in recent times, these platforms are increasingly targeted also.

Harden Your Assets Against Ransomware with RidgeBot 3.2

RidgeBot auto-discovers your assets, scans them, and then proceeds to exploit the vulnerabilities found just as a hacker would. In its report, it alerts you to the dangerous, successfully exploited vulnerabilities and also shows you the exact attack path that allowed the asset to be compromised. With this detailed and accurate information you can quickly and proactively close all the vulnerabilities in your network and other assets.

RidgeBot 3.2 Ransomware Protection

Release 3.2 features a new template specifically focused on combating ransomware attacks. Initially this template includes:

  • Scanning for 27 high-profile ransomware entry point vulnerabilities

  • The ability to launch attacks to exploit these vulnerabilities

  • Reporting in detail on exactly how successful exploitations were achieved

Running the RidgeBot 3.2 ransomware template allows you to quickly and easily launch an asset scan to detect ransomware related vulnerabilities that may be present in your assets. As an integral part of the scan, RidgeBot also launches attacks to prove that the vulnerabilities found are indeed exploitable in your current environment. You can run these penetration tests and attacks on demand or on a regular schedule.

As with other vulnerability tools and tests, it is recommended that you re-execute a ransomware template scan-and-exploit run whenever there is any change in your assets, such as adding a new server or network device, doing a software upgrade of a device, installing a patch on a device, changing scripts or information on a web server, or any other software or hardware change that may result in deploying a new vulnerability in your network. You should be particularly cognizant of IoT devices that may be connected or inserted into your network.

RidgeBot 3.2 Approach

The RidgeBot 3.2 ransomware template includes scanning and exploitation for the following classes of vulnerabilities:

  • Remote Code/Command Execution (RCE)

  • Weak Password and Credential Stuffing (for example, SSH, Redis, and SQL Server)

  • Server Message Block (SMB)

  • WebLogic and Other File Uploads

RidgeBot 3.2 Scope

RidgeBot scanning and exploitation cover technical vulnerabilities such as weak credentials, open ports, file uploads, and WebLogic and Struts2 web application vulnerabilities. It can neither protect you against social engineering or phishing, nor help with data that has already been encrypted by a ransomware attack. Instead, use RidgeBot to locate the vulnerabilities in your network in order to keep ransomware intrusions out.

If you consider your organization to be a possible or likely “target organization” for threat actors, then use the RidgeBot 3.2 scanning and exploitation capabilities to protect yourself against the initial compromise stage of a planned attack. Once a threat actor has entered your network and established a foothold, you will need additional tools to detect and correct the intrusion.

Ridge Security Technology is a Silicon Valley-based company founded in late 2019 that offers a fully automated, intelligent security validation robot called RidgeBot. This robot is used to test IT security in companies by replicating hackers’ behavior.
