COVID-19 Uncertainties Fuel Ransomware Attacks and Phishing Schemes

COVID-19 has slowed the economy down, but hackers are busy as usual—looking to take advantage of the pandemic to breach systems, steal data, and profit by holding both systems and data hostage.

While attackers are using a variety of tools to target these victims, one of their preferred methods is ransomware, using coronavirus fear to lure people into clicking malicious links or giving up sensitive data so the hackers can infiltrate systems.

Shift in Focus

Historically, attackers targeted a wide range of victims, with individuals often targeted over organizations, but in recent years, there’s been a shift to hone in on organizations and large enterprises.

Since 2018, according to the 2020 State of Malware Report, consumer threat detections are down by about 2%, but business detections have increased by 13%.

Not only are attacks targeting organizations increasing, so are their levels of sophistication, including use of credential stealing methods, exploits, and attacks that include multiple stages—and often lateral moves—that cause mass infections from a single initial exploit.

More New Ransomware Attacks

Reports indicate the industry is seeing more net new ransomware attacks than ever before.   The New York Times reports that in 2019, organizations experienced a 41% increase in ransomware attacks over the previous year.

While all organizations are at risk, in the center of ransomware attackers’ bullseye today are healthcare facilities, especially hospitals and interconnected business units. Earlier this year, the Federal Bureau of Investigation (FBI) issued an alert about an increase in cyber-attacks for the healthcare industry and related supply chains.

Attackers use a variety of ransomware tools to stall—and sometimes even completely shut down—functions for organizations of all types, but government organizations such as cities and towns, as well as healthcare facilities and schools, have dominated news coverage about attacks.

Before we dive deeper into the impact of ransomware on organizations, let’s explore exactly what it is and what happens.

What is Ransomware?

Ransomware is a type of malware that affects computers and other devices.

Once infected, attackers can take over a single device or an entire network and restrict access to those devices. To regain access, attackers demand a ransom, usually in the form of Bitcoin or similar digital currency, in exchange for a decryption key.

Once an attacker gains control of these systems and locks users out, victims must decide whether they’ll pay the ransom to get that decryption key or whether they’ll focus on restoration and rebuilding targeted systems.

Cost of Ransomware

In 2020, it’s estimated that ransomware could cost the U.S. more than $1.4 billion. Add in the cost of downtime and recovery, that number could quickly exceed $9 billion this year.

In the first quarter of 2020, ransomware payments increased by about 33%, driven in part by new attacks resulting from the coronavirus-fueled business shift to remote teams and use of home and non-business networks that are inherently less secure.

The average cost of an enterprise ransomware attack in Q1 2020 was more than $111,000, with the average ransom payment exceeding $40,000 (which is the equivalent of about 5 bitcoin).

About a third of ransomware victims end up paying the ransom instead of recovering and rebuilding on their own. That’s because with productivity loss and revenue loss, the average downtime costs can quickly reach five to 10 times the amount of the original ransom fee, easily lasting up to 15 days.

Emerging Ransomware Types

Phishing emails are common entry points for ransomware attacks, but remote desktop protocol (RDP) access is the most common attack vector.

With RDP, attackers use stolen credentials to access a network and then carry out attacks on machines.

Software vulnerabilities also give attackers access points to launch a ransomware attack.

In Q1 2020, the top three ransomware types were Sodinokibi, Ryuk, and Phobos. Let’s take a quick look at each of those and what they do.


Sodinokibi, also known as REvil, uses a ransomware as a service (RaaS) variant that targets Windows systems. Once an attacker gains access, Sodinokibi enables them to encrypt files and then demand a ransom for decryption.

Sodinokibi was used in an attack against Travelex, a foreign exchange company, which was hit in late 2019. The attack meant Travelex lost use of its website for more than a month as it attempted to contain the attack spread. Ultimately, Travelex paid a $2.3 million ransom.


Ryuk takes advantage of banking integrations and generally gets a boost from phishing schemes. Ryuk came to light in late 2018, making a name for itself after attackers targeted Chicago’s Tribune Publishing newspapers during the Christmas holiday season.

Ryuk also hit the state of Louisiana’s Office of Technology Service late in 2019 and affected systems across a number of state agencies. Ryuk is considered among the most costly ransomware variants. Ransom demands can average between about $100,000 to more than $300,000.


Phobos is also a RaaS and the attacks generally begin when an attacker gets RDP credentials on the dark web or through phishing. The variant emerged in early 2019 and may be based on a previous variant of Dharma.

Once an attacker gains credentials, the hack gets distributed through RDPs. Generally, Phobos attacks focus on small businesses, therefore the ransom demands tend to be less substantial than attacks that target larger enterprises.

Targeted Industries

In 2020, the healthcare industry remains in the cross-hairs for ransomware attacks, with almost 14% of ransomware attacks targeting the industry in Q1.


Although attackers are moving toward targeting larger enterprises for more lucrative payouts, it’s an issue that still affects small and midsized businesses (SMBs) that may likely be harder hit by loss of systems and data with lesser ability to pay demands for restoration.

In that lucrative vein, in 2020, ransomware is pushing ahead of the traditional data-stealing focus for attackers. It’s even overtaken credit card data theft for the first time, with one in five attacks emerging as ransomware.

Paying Ransoms

We mentioned earlier than about a third of organizations hit by a ransomware attack end up paying the ransom for decryption. For those that do, almost 96% are able to recover data after decryption, but some ransomware variants cause data damage and loss that can’t be recovered, resulting in about 8% of data loss post-recovery.

Avoiding Ransom Payments

The city of Atlanta learned firsthand just how vulnerable an organization can be to ransomware when it was hit by the SamSam ransomware in 2018. Attackers demanded the equivalent of about six Bitcoin, which was around $50,000 at the time.

The SamSam ransomware variant uses brute-force attacks to enter networks and encrypt computers. In Atlanta, multiple city services, such as the court system and the police department, were affected.

The attack began in March 2018 and city officials decided relatively quickly that they would not pay the ransom and instead would double down on restoration and recovery. By that summer, officials estimated that more than a third of its 400 software programs were affected, including almost 4,000 computers and more than 30% of its mission-critical programs.

One report indicates the attack, with downtime and recovery, could have easily reached $17 million.

Atlanta is not alone as a target. Other major cities, like New Orleans, Baltimore and Pensacola, have been. Even smaller towns aren’t immune, with some attacks completely shutting down local governments for extended periods.

COVID-19 and Increased Attacks

And while attackers were already targeting governments and larger enterprises, the coronavirus outbreak has created a new environment for attackers to double-down on ransomware, seeking big payoffs by crippling organizations during a crisis.

Their objective is clear—hit organizations when they’re most needed and they’ll likely pay (and pay quickly!) for decryption keys because lives are at stake.

Fueled by federal, state, and local government “social distancing” and “stay-at-home” mandates, many organizations are experiencing new levels of vulnerabilities because their teams—many of whom have never worked remotely—are now working from home on potentially unsecured networks, using personal devices that may or may not have adequate cybersecurity protections.

It’s a situation further complicated by lack of data privacy and cybersecurity training for many of these newly remote workers. This is creating a perfect opportunity for attackers to use tried-and-true infiltration methods, such as phishing emails.

Some attackers are even using COVID-19 fears to entice users to click links or release credentials.

Since February, there’s been an almost 700% increase in phishing emails, led by coronavirus fears and uncertainties. As is common in phishing schemes, attackers craft what look like real email messages from legitimate sources, such as the World Health Organization (WHO) and the Center for Disease Control (CDC), to lure clicks and engagements.

The U.S. Department of Health and Human Services Office of Inspector General issued an alert about the uptick in these scams, saying attackers are employing a variety of tactics in an attempt to steal sensitive user information.

Here’s an example: In one phishing attack, hackers sent an email with the subject line: “Coronavirus outbreak in your city (emergency).” This email looks like it originated from the CDC. The address is close, but instead of originating from, hackers created a similar email address,

Out of 467,825 phishing emails recently studied by Barracuda Networks, more than 9,000 of those were related to COVID-19, compared to 137 coronavirus-related phishing emails sent in January.

The study also revealed that:

  • 54% of those phishing emails were scams (donation requests, purchasing protective gear, investing in false companies)
  • 34% brand impersonation
  • 11% blackmail
  • 1% business email compromise

These phishing schemes had a range of intents, from stealing credentials to malware distribution and financial gains via ransomware.

Protecting Your Organization from Phishing and Ransomware

All organizations are susceptible to cyber-attacks, but our new “work-from-home” normal creates greater risks.

According to a new report from Kaspersky indicates that about 45% of employees would have no idea what to do if they experienced a ransomware attack.

A study from IBM revealed that nearly 50% of breaches are caused by either human error or system issues.

Here are a few tips from the CDC that may be helpful to share with your employees:

  • Don’t open unsolicited emails from people or organizations you’re unfamiliar with.
  • Use official sources, such as the CDC, for coronavirus information and always be wary of third-party resources.
  • Don’t click a link without knowing where it’s going to take you. You can hover your mouse over a link to see the URL. Read those links carefully. Remember, many are devices that look incredibly similar to actual email domains.
  • Even if you’ve reviewed it and think the address looks correct, don’t click it directly within the email message. .
  • Be cautious about all attachments, especially those sent from people you don’t know.
  • Businesses and agencies should not request your sensitive data, for example passwords, date of birth, or social security numbers, in email, so do not respond to messages that request that information.

In addition to employee education, strong cybersecurity and business continuity programs can help protect your organization from increasing ransomware threats.

Ransomware and other cyber-attacks should be included in your business continuity plans. These plans will be key for recovery should you become a victim. If you don’t already have an existing business continuity plan for cyber-attacks, this business continuity plan template is a great starting point.

If you’re managing a remote team and have never done so before, or you have but haven’t worked with such large volumes of simultaneous remote workers, check out the on-demand webinar, “Top 5 Teleworking Cybersecurity Threats On-Demand Webinar,” for expert guidance about how you can ensure cybersecurity for remote teams.

Here are a few other resources you may find helpful:

And be sure to bookmark Apptega’s COVID-19 Resource Center. We’re constantly adding new content to help your organization stay safe and operational during this new normal of COVID-19 and beyond.


*** This is a Security Bloggers Network syndicated blog from Apptega Blog authored by Cyber Insights Team. Read the original post at: