# Cybersecurity threatscape

## Q2 2020

#### ptsecurity.com


-----

### Contents

###### Executive summary  3

 Statistics 4

 Malware attacks 7

 Industrial companies in the crosshairs 9

 COVID-19 as a social engineering ruse 10

 On the hunt for credentials 12

 Network perimeter resources under attack 14

 Ransomware collaboration 16

 Ransomware owners are not the only ones to demand ransom 17

 About the research 18


-----

### Executive summary

Highlights of Q2 2020 include:

� The number of cyberincidents is continuing to grow. In Q2 2020, we detected

9 percent more attacks than in Q1 2020. Most attacks in the first two quarters

of the year happened in April and May, at the height of the COVID-19 pandemic.

� The percentage of attacks targeting industrial companies has increased signif
icantly. In attacks on organizations, industrial companies were attacked in 15

percent of cases, compared to 10 percent in Q1. Ransomware operators and

cyberespionage APT groups are among those who seem to be the most inter
ested in industrial companies.

� Among social engineering attacks, 16 percent capitalized on the COVID-19 pan
demic. More than a third (36%) of such attacks were not related to any specific

industry, 32 percent targeted individuals, and 13 percent were aimed at govern
ment institutions.

� In the cybercriminal world, the demand for credentials is growing. Of the total

amount of data stolen in attacks against organizations, the share of creden
tials has doubled in comparison with Q1. The most common credential theft

scenarios include exploitation of web vulnerabilities, phishing emails, malware

infection, and bruteforcing of credentials for services on the network perimeter

of companies.

� In attacks on organizations, exploitation of software vulnerabilities and config
uration flaws accounted for 18 percent, compared to 9 percent in Q1. Internet
accessible corporate network resources are especially attractive to attackers.

Criminals have been actively exploiting vulnerabilities in remote access systems

from Palo Alto, Pulse Secure, and Citrix.

� Ransomware trojans were present in 39 percent of malware attacks on organ
izations. A quarter of ransomware attacks on organizations targeted industrial

companies. Attackers continue to threaten disclosure of stolen data if victims

refuse to pay. LockBit, Ragnar Locker, and Maze operators have joined forces

in a so-called Maze cartel to sell stolen data.

� Besides ransomware operators, other threat actors now blackmail victims with

disclosure of stolen data and the prospect of fines for violating the General

Data Protection Regulation (GDPR).

[To protect from cyberattacks, we recommend following our guidelines for ensuring](https://www.ptsecurity.com/ww-en/analytics/knowledge-base/what-companies-can-do-to-stay-safe/)

personal and corporate cybersecurity. Whether you continue to work remotely or

go back to your usual routine, remember that criminals are always on the look
out for easy prey. They regularly update malicious tactics and techniques so that

their actions remain unnoticed in infrastructure for a long time. A web application

firewall (WAF), proper incident management, deep analysis of network traffic, as

well as use of sandbox and SIEM solutions can help to detect attacks in time. SIEM

capabilities provide constant monitoring of infrastructure security incidents, de
tection of sophisticated attacks on domains, and support for secure remote work.


-----

220

200

180

160

140

120

100

80

60

40

20


### Statistics

In Q2, the number of attacks increased by 9 percent compared to Q1—and by 59 percent com
pared to Q2 2019. Significant world events consistently lead to increases in cybercrime, as they

provide fertile ground for social engineering attacks. April and May 2020 were record-break
ing in terms of successful cyberattacks. This sharp increase was spurred by epidemiological

and economic crisis.

###### 9% more cyberattacks than in Q1 2020

206

202 © Positive Technologies

194

167

160 159

152

143
141 141

136
132 132

113

112 111

104

91

01 02 03 04 05 06 07 08 09 10 11 12

2019 2020

_Figure 1. Number of incidents per month in 2019 and 2020 (1 = January, 12 = December)_

72%
Access to information
70%

32%
Financial profit
26%


Hacktivism


5%
4%


Cyberwar 2%

1%
Unknown
1%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Organizations Individuals

© Positive Technologies

_Figure 2. Attackers' motives (percentage of attacks)_


-----

3%


30%


12% 18% 41%


2%

5%
10%

13%

21%

18%


Government

Manufacturing and industry

Retail

Healthcare

Finance

© Positive Technologies

5% 6% 6% 6% 7%

_Figure 4. Victim categories among organizations_


Credentials

Personal data

Corporate secrets

**_in attacks_** **_in attacks_** Client databases
**_on organizations_** **_on individuals_** Payment card information

Medical records

Personal correspondence

Other

© Positive Technologies


18%


19% 12% 17%

_Figure 3. Types of data stolen_


###### 63% of attacks are targeted 14% of attacks are directed  at individuals

16% 15%


IT

Online services

Other

Multiple industries


Computers, servers,
and network equipment


66%
40%


59%
People

51%

20%
Web resources
3%


Mobile devices


1%


32%


IoT 1%

2%

Other
1%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Organizations Individuals

© Positive Technologies

_Figure 5. Attack targets (percentage of attacks)_

|Col1|Col2|
|---|---|


-----

62%
Malware use

59%
Social engineering
51%

Web attacks 15%


69%


Hacking


18%
6%


5%
Credential compromise

3%

3%
Other
1%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%


Organizations Individuals

_Figure 6. Attack methods (percentage of attacks)_


© Positive Technologies

|Per-industry classification of cyberincidents by motive, method, target, and victim categories|Victim categories © Positive Technologies|Col3|Col4|Col5|Col6|Col7|Col8|Col9|Col10|Col11|
|---|---|---|---|---|---|---|---|---|---|---|
||Government|Finance|Manufacturing and industry|Healthcare|Online services|IT|Retail|Other|Multiple industries|Individuals|
|Total|81|28|72|32|24|30|34|86|103|77|
|Computers, servers, and network equipment Web resources People Target Mobile devices IoT devices Other|67|20|63|24|2|22|11|54|58|31|
||7|3|3|5|22|5|22|17|12|2|
||62|20|60|22||13|9|45|60|39|
||1|||||||2||25|
||||||||||4||
||4|||||||5||1|
|Malware use Social engineering Credential compromise Method Hacking Web attacks Other|66|19|63|23|3|17|9|49|54|53|
||62|20|60|22||13|9|45|60|39|
||1|2|1|4|1|2||4|11|2|
||13|2|9|7|3|11|2|21|19|5|
||3|1|2|2|19|1|21|15|9||
||4|1|3||1|2|2|3|1|1|
|Access to information Financial profit Motive Hacktivism Cyberwar Unknown|52|23|62|19|20|20|32|55|69|54|
||22|8|27|20|2|10|4|35|28|20|
||8|1|||2|2|1|7|2|3|
||1||1|1||||4|1||
|||||||||1|6|1|
||||||||||||
||||||||||||


Darker colors indicate a greater
proportion of attacks within a particular
category of victims.


0% 10% 20% 30% 40% 100%


-----

### Malware attacks

Attackers tend to infect victims with a whole array of trojans, not just a single piece of malware.

[In one mass malware campaign, criminals delivered LokiBot spyware to victims' computers to](https://www.bleepingcomputer.com/news/security/new-phishing-campaign-packs-an-info-stealer-ransomware-punch/)

steal saved user credentials from various applications. In addition, LokiBot downloaded Jigsaw

ransomware to compromised devices. Ransomware and spyware are the most common trojans

used in malware attacks. In Q2, they accounted for 39 percent and 34 percent of all malware

attacks on organizations, respectively.

39%
Ransomware
9%

34%
Spyware

40%

17%
RATs 11%

6%
Droppers
6%


3%
Banking Trojans

8%
Miners
4%


28%


Adware


1%


8%


1%

Other
9%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Organizations Individuals

© Positive Technologies

_Figure 7. Types of malware (percentage of malware-related attacks)_


2% 6% 47%


2%


74%


3%

21%


4%

17%


Email


Compromise of computers,
servers, and network equipment
**_in attacks_** **_in attacks_** Websites
**_on organizations_** **_on individuals_**

Official app stores

Fake updates

Other

© Positive Technologies


24%

_Figure 8. Malware distribution methods_


-----

Hackers constantly refine their malware by adding new functionality. For example, Valak mal
[ware previously was a mere trojan loader. Now it can also be used independently as an infor-](https://www.cybereason.com/blog/valak-more-than-meets-the-eye)

[mation stealer hunting for credentials and domain certificates. Another example is Sarwent.](https://www.cybereason.com/blog/valak-more-than-meets-the-eye)

[Its developers have added a module that provides remote access to compromised hosts](https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/)

via the RDP protocol. Sarwent enables RDP on compromised hosts and changes Windows

Firewall settings to allow connections. It cannot be ruled out that the attackers will sell or rent

out such access to other cybercriminals. In May we published an article in which we discussed

the illegal sale of access to corporate networks in more detail.

Malware is refined not only to add new functionality, but to incorporate more sophisticated

techniques for bypassing protection. For example, specialists from the PT Expert Security

[Center (PT ESC) detected an updated version of Calypso APT malware. The attackers](https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/)

changed the name of export functions in the main library and set an implausible compilation

time (supposedly in 2021). By doing so, they probably were trying to reduce the odds of be
ing spotted by antivirus software.

_Figure 9. Implausible compilation time of Calypso malware_

In Q2 2020, PT ESC detected 13 attacks by the Gamaredon APT group. The group keeps

[attacking Ukrainian government institutions. They have taken to the technique of remote](https://attack.mitre.org/techniques/T1218/005/)

[VBS script loading with mshta.exe. This technique uses built-in Windows tools and allows](https://attack.mitre.org/techniques/T1218/005/)

bypassing AppLocker restrictions on program launch. The script runs after opening of an

LNK file from a phishing message.

_Figure 10. Message from the Gamaredon APT group to a Ukrainian government agency_


-----

75

50

25


37


33


72

47

Q1 Q2


28 27


0

Q1 Q2 Q3 Q4


2019 2020

_Figure 12. Number of attacks_
_against industrial companies_


_Figure 11. Malicious file from the Gamaredon message_

### Industrial companies  in the crosshairs

In attacks on organizations, industrial companies were targeted in 15 per
cent of cases (compared to 10% in Q1). In nine out of ten cases, attackers

used malware. About half of malware attacks (46%) involved ransomware,

and 41 percent of attacks used spyware trojans.

[In our cybersecurity threatscape report for Q1 2020, we talked about new](https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-2020-q1/)

ransomware called Snake that is capable of halting ICS processes. In Q2,

[we learned about the first victims—Japanese automaker Honda and ener-](https://www.darkreading.com/attacks-breaches/ics-threat-snake-ransomware-suspected-in-honda-attack/d/d-id/1338075)

[gy giant Enel Group. Industrial companies were also struck by other ran-](https://www.bleepingcomputer.com/news/security/power-company-enel-group-suffers-snake-ransomware-attack/)

somware operators, including Maze, Sodinokibi, NetWalker, Nefilim, and

DoppelPaymer.

Malware use

88%

Social engineering

83%

Hacking

13%

Web attacks

3%

Credential compromise

1%

Other

4%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

© Positive Technologies

_Figure 13. Attack methods (percentage of attacks on industrial companies)_

Phishing emails and exploitation of network perimeter vulnerabilities were

the initial vectors of attacks on industrial companies. According to Bad

[Packets, the Sodinokibi operators penetrated the corporate network of](https://www.zdnet.com/article/uk-electricity-middleman-hit-by-cyber-attack/)

[Elexon by exploiting vulnerability CVE-2019-11510 in the Pulse Secure VPN.](https://www.zdnet.com/article/uk-electricity-middleman-hit-by-cyber-attack/)


-----

[Cisco Talos discovered attacks on the Azerbaijani energy sector, in which criminals](https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html)

demonstrated interest in SCADA systems related to wind turbines. The attacks started with

phishing messages that contained malicious attachments. Among other subject lines, the

messages used lures related to COVID-19. The RTM APT group also uses phishing against

industrial companies in Russia and the CIS. PT ESC detected 44 malicious mailings by the

group during the second quarter of the year.

_Figure 14. Message with malicious attachment sent by RTM_


Computers, servers,
and network equipment

People

Web resources


4%


88%

82%


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

© Positive Technologies

_Figure 15. Attack targets (percentage of attacks on industrial companies)_

26% 16% 58%

Corporate secrets

Personal data

Credentials

© Positive Technologies

_Figure 16. Data stolen_

### COVID-19 as a social engineering ruse

In Q2, attackers have been actively exploiting COVID-19 concerns. COVID-19 was leveraged

in 16 percent of social engineering attacks. More than a third (36%) of such attacks were not

related to any specific industry, while 32 percent of attacks targeted individuals. Government

institutions were targeted in 13 percent of COVID-19 social engineering attacks. PT ESC

detected attacks involving Chinoxy malware against companies in Kyrgyzstan and Vietnam.


-----

[The attackers used the Royal Road exploit builder to create a document exploiting vulnerability](https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html)

[CVE-2018-0798 in Equation Editor. The document claimed to contain information about aid](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0798)

from the United Nations to these countries in the fight against COVID-19.

_Figure 17. Document containing Chinoxy malware_

In Q2, PT ESC discovered five phishing campaigns in which KONNI malware was deliv
ered. The criminals lured the victims with information on personal protective equipment for

COVID-19.

_Figure 18. Document containing KONNI malware_


-----

Malicious emails were not the only technique attackers used to capitalize on the crisis. They

[also created fake pandemic-related websites hosting malware disguised as useful information,](https://www.hackread.com/hackers-setup-fake-nhs-website-spread-malware/)

[performed business email compromise attacks to steal money, and distributed malicious ap-](https://www.fbi.gov/news/pressrel/press-releases/fbi-anticipates-rise-in-business-email-compromise-schemes-related-to-the-covid-19-pandemic)

plications. For example, attackers distributed the SLocker Android trojan disguised as an app

[called Koronavirus haqida, which means "About Coronavirus" in Uzbek. The trojan locked the](https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/)

screen of the victim's phone, prompting to pay to regain control of the device. Another exam
[ple is CryCryptor Android ransomware, which masqueraded as Covid-19 Tracer App to attack](https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/)

users in Canada. In most cases, such mobile trojans are distributed via websites, which is why

we do not recommend installing applications from unofficial sources.

### On the hunt for credentials

Thirty percent of all data stolen in attacks on organizations were credentials, an increase from

15 percent in Q1. Corporate credentials are the most valuable kind of information for attack
ers. Criminals sell them on the darkweb or use them for further attacks, such as imitating the

hacked company to send emails with malicious attachments. Databases with credentials of

hacked companies' clients are also in high demand.

15% 14%

29%

Online services Science and education


11%

3%


Retail

Hospitality and entertainment

IT

Manufacturing and industry

© Positive Technologies


Healthcare

Finance

Other

Multiple industries


3% 5% 5% 7% 8%

_Figure 19. Categories of victims of credential compromise (in attacks on organizations)_

_Figure 20. Advertisement for corporate credentials on the darkweb_


-----

_Figure 21. Advertisement for SSH access to a SIP telephony operator_

Here we will review the most common scenarios of credential compromise attacks performed

in Q2 2020.

**1.** **Hacking of web resources and theft of credential databases.** In Q2, attackers primarily

targeted online services, e-shops, and service sector companies. In most cases, they ex
ploited web vulnerabilities or bruteforced passwords to access websites. For example, the

Shiny Hunters group posted an advertisement on the darkweb offering the databases of

[dozens of companies. Among the victims were e-learning platform Unacademy, The Daily](https://www.hackread.com/tokopedia-hacked-login-details-sold-on-dark-web/)

Chronicle news website, the Knock CRM platform, and many others. A single database gen
[erally costs between $1,000 and $2,000. However, the database of online store Tokopedia,](https://www.bleepingcomputer.com/news/security/hacker-sells-91-million-tokopedia-accounts-cracked-passwords-shared/)

containing information for 91 million accounts, was offered on a darkweb market for $5,000.

**2.** **Phishing emails with links to fake authentication forms. Most often, attackers forge the**

authentication forms of Microsoft products, such as Office 365, Outlook, and SharePoint.

However, at the peak of the pandemic in Q2, they also tried to steal credentials for audio and

[videoconferencing platforms. In one such case, attackers deployed a phishing campaign](https://www.bleepingcomputer.com/news/security/creative-skype-phishing-campaign-uses-googles-app-gtld/)

against remote employees using Skype, sending them emails with fake Skype notifications.

By clicking a link in a phishing email, the victims landed on a fraudulent login page and were

[asked to provide their credentials. Similar attacks hit users of Webex and Zoom.](https://www.proofpoint.com/us/threat-insight/post/remote-video-conferencing-themes-credential-theft-and-malware-threats)

**3.** **Infection with credential-stealing malware. In most cases, it suffices for employees to**

merely open a malicious phishing attachment to get their company infected with malware.

Lately, in the footsteps of cybergroups, ransomware operators have also started hunting for

[credentials. In Q2, Zaha Hadid Architects became a victim of Light ransomware. The crimi-](https://www.zdnet.com/article/hackers-threaten-to-leak-data-from-high-end-architecture-firm-zaha-hadid/)

nals stole a large number of internal files and compromised employees' accounts.

_[Figure 22. Fake Outlook login form used in a phishing attack against Turkish military vehicle manufacturer Otokar](https://twitter.com/issuemakerslab/status/1260888237683302400)_


-----

**4.** **Bruteforcing of credentials to services on the network perimeter. In the first two quarters**

of 2020, such attacks have become especially relevant due to the global workforce’s shift

to remote work, which made some services accessible from the Internet for the first time. In

[April, cybersecurity specialists observed an increasing number of attacks across the globe](https://www.zdnet.com/article/kaspersky-rdp-brute-force-attacks-have-gone-up-since-start-of-covid-19/)

aimed at bruteforcing RDP credentials. In order not to fall victim to such attacks, it is vital

to use strong passwords and multi-factor authentication, as well as enable RDP connec
tions only over corporate VPNs. If you do not use RDP, we recommend closing port 3389.

Specially configured SIEM correlation rules help to detect bruteforce attacks on corporate

remote access systems in time.

_[Figure 23. Credential compromise incident (MaxPatrol SIEM interface)](https://www.ptsecurity.com/ww-en/products/mpsiem/)_

### Network perimeter resources  under attack

In Q2 2020, the COVID-19 pandemic and shift to remote work have led to an increase in

attacks on vulnerabilities in web-accessible corporate services. As a result, the share of

attacks exploiting software vulnerabilities and configuration flaws has increased to 18

percent in Q2 (compared to 9% in Q1). Criminals pursued various goals, from installation of

miners to cyberespionage on large companies' networks.


-----

##### In Q2 2020, hackers targeted the following vulnerabilities:

� _CVE-2020-11651 and CVE-2020-11652 (SaltStack Framework)_

� _CVE-2019-19781 (Citrix ADC, Gateway)_

� _CVE-2019-11510 (Pulse Secure VPN)_

� _CVE-2019-18935 (Progress Telerik UI)_

� _CVE-2019-0604 (Microsoft SharePoint)_

� _CVE-2020-0688 (Microsoft Exchange)_

Attackers were especially hungry for remote access systems. As mentioned, operators of

[Sodinokibi ransomware penetrated the infrastructure of British energy company Elexon by](https://www.zdnet.com/article/uk-electricity-middleman-hit-by-cyber-attack/)

[exploiting vulnerability CVE-2019-11510 in the Pulse Secure VPN server. Operators of Black](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510)

[Kingdom ransomware used the same penetration vector in their attack. The Australian](https://www.bleepingcomputer.com/news/security/black-kingdom-ransomware-hacks-networks-with-pulse-vpn-flaws/)

[Cybersecurity Center has released an advisory on attacker tactics and techniques, stating](https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf)

[that exploitation of vulnerability CVE-2019-19781 in some Citrix products has become a vec-](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781)

tor for breaching the networks of government authorities and private companies in Australia.

The vulnerability allows an unauthorized attacker to execute arbitrary code and attack re
sources on a company's internal network.

[In Q2, two vulnerabilities discovered by Positive Technologies experts made the headlines.](https://www.ptsecurity.com/ww-en/about/news/cisco-fixes-vulnerabilities-in-asa-firewall-found-by-positive-technologies/)

[This time, the vulnerabilities were found in the Cisco ASA firewall. Vulnerability CVE-2020-](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43)

[3187 allows an unauthorized attacker to perform DoS attacks against a VPN. The second flaw](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43)

[(CVE-2020-3259) allows an intruder to intercept a VPN user's session identifier and access](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB)

a company's internal network. To eliminate the vulnerabilities, update Cisco ASA to the most

recent version.

Signs of compromise of remote access systems include multiple failed VPN connection at
tempts, attempts to connect to hosts of critical subsystems from the VPN, enabled RDP ac
cess on the firewall, and concurrent connections (parallel sessions). To detect such incidents,

use SIEM systems with fine-tuned security incident correlation rules.


-----

_[Figure 24. MaxPatrol SIEM detects connections to critical resources from VPN](https://www.ptsecurity.com/ww-en/products/mpsiem/)_

Once information about a severe vulnerability is published, criminals immediately try to exploit

[it. Only a few days after announcement of vulnerability CVE-2020-5902, uncovered by our](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5902)

company's expert in the F5 Networks BIG-IP application delivery controller, hackers tried to

[exploit it. The vulnerability has the highest CVSS score. Note that APT groups may also be](https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/)

interested in exploiting this flaw, meaning that companies that have not yet installed the vendor

updates are at risk. To block attacks aimed at exploiting these vulnerabilities, we recommend

using a web application firewall (WAF).

### Ransomware collaboration

Ransomware is one of the fastest-growing varieties of cybercrime. It has become a common

practice for attackers to threaten to disclose the stolen data unless the victim pays a ransom.

Maze and Sodinokibi operators were the most active perpetrators of such attacks in Q2 2020.

DoppelPaymer, NetWalker, Ako, Nefilim, and Clop are also among the leaders by number of

[cyberextortion attacks. Some of them, like Ako, even implement a "double extortion" scheme](https://www.databreaches.net/ako-ransomware-operators-put-some-hurt-on-pain-management-doctors/)

by demanding separate ransoms for decryption and non-disclosure of data.

[To sell the stolen data, many ransomware operators create special data leak sites where they](https://www.bleepingcomputer.com/news/security/list-of-ransomware-that-leaks-victims-stolen-files-if-not-paid/)

publish a list of victims and the stolen information. Others publish the data on hacker forums.

LockBit and Ragnar Locker went even further, teaming up with the "industry leader" hacking

group Maze. The Maze operators now publish data stolen by other gangs on their data leak site.

[Together, the gangs have formed the so-called Maze cartel.](https://www.bleepingcomputer.com/news/security/ransomware-gangs-team-up-to-form-extortion-cartel/)

[However, this is not the only possible collaboration scheme. Ransomware attackers often buy](https://www.ptsecurity.com/ww-en/analytics/access-for-sale-2020/)

[access to victim companies' networks from other criminals. The operators of NetWalker are](https://www.ptsecurity.com/ww-en/analytics/access-for-sale-2020/)

[recruiting affiliates to spread their ransomware by offering a commission on the ransom.](https://www.bleepingcomputer.com/news/security/ransomware-recruits-affiliates-with-huge-payouts-automated-leaks/)


-----

24%

3%

3%
4%


10% 25%

14% 17%


Manufacturing and industry

Healthcare

Government

IT

© Positive Technologies


Finance

Retail

Other

Multiple industries


_Figure 25. Ransomware victim categories among organizations_

Despite the need to share the proceeds, ransomware owners are still profiting handsomely. In

[Q2 alone, they reaped millions of U.S. dollars. The University of California San Francisco paid](https://healthitsecurity.com/news/ucsf-pays-1.14m-to-netwalker-hackers-after-ransomware-attack)

[$1.14 million in ransom after an attack by NetWalker ransomware. The Sodinokibi ransomware](https://healthitsecurity.com/news/ucsf-pays-1.14m-to-netwalker-hackers-after-ransomware-attack)

[group hacked American law firm Grubman Shire Meiselas & Sacks (GSMS), which represents](https://www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/)

a long list of international celebrities. The ransom, set at $21 million, was not paid. The hackers

[then doubled the ransom and started to offer the data of A-list stars for sale. Criminals claim](https://www.bleepingcomputer.com/news/security/revil-ransomware-found-buyer-for-trump-data-now-targeting-madonna/)

to have a buyer ready for information about Donald Trump. In May, Sodinokibi held an online

auction of the stolen data, the first lot being documents relating to Madonna.

_Figure 26. Auction announcement on the Sodinokibi website_

### Ransomware owners are not the only ones to demand ransom

Other criminals have quickly caught up with the trend of demanding ransom for non-disclo
[sure. For example, hackers are demanding a ransom from stores in order to not sell the stolen](https://www.bleepingcomputer.com/news/security/hacker-extorts-online-shops-sells-databases-if-ransom-not-paid/)

data to third parties. The $500 ransom they are asking is relatively modest compared to what

the Sodinokibi operators are trying to extort. Nevertheless, this business model can offer sig
nificant profits: database owners are often willing to pay to protect their reputation, while the

criminals never run out of potential buyers.


-----

About Positive
Technologies


[Another cybergroup is breaking into LenovoEMC network-attached storage devices, deleting](https://www.zdnet.com/article/a-hacker-gang-is-wiping-lenovo-nas-devices-and-asking-for-ransoms/)

files, and demanding ransom of $200 to $275 to restore the data. Similar campaigns hit poorly

[protected MongoDB databases in Q2. Attackers wipe the compromised databases and then,](https://www.zdnet.com/article/hacker-ransoms-23k-mongodb-databases-and-threatens-to-contact-gdpr-authorities/)

just like ransomware operators, frighten victims with the potential of GDPR penalties unless a

ransom of $140 is paid. Note that even unskilled hackers can perform such attacks by using

ready-made scripts that allow them to search the Internet for devices with weak passwords or

without password protection. It is therefore vital to ensure secure configuration of your sys
tems and use strong passwords and two-factor authentication for critical resources

### About the research

In this quarter's report, Positive Technologies shares information on the most important and

emerging IT security threats. Information is drawn from our own expertise, outcomes of nu
merous investigations, and data from authoritative sources.

In our view, the majority of cyberattacks are not made public due to reputational risks. The re
sult is that even organizations that investigate incidents and analyze activity by hacker groups

are unable to perform a precise count. This research is conducted in order to draw the atten
tion of companies and ordinary individuals who care about the state of information security

to the key motives and methods of cyberattacks, as well as to highlight the main trends in the

changing cyberthreat landscape.

In this report, each mass attack (in which attackers send out a phishing email to many address
es, for instance) is counted as a single incident. The terminology used in this report can be

[found in our glossary.](https://www.ptsecurity.com/ww-en/analytics/glossary/en/a/)

For 18 years, Positive Technologies has been creating innovative solutions for information security. We develop products and ser
vices to detect, verify, and neutralize the real-world business risks associated with corporate IT infrastructure. Our technologies


[ptsecurity.com](https://www.ptsecurity.com/ru-ru/)
[pt@ptsecurity.com](mailto:pt%40ptsecurity.com?subject=)
[facebook.com/PositiveTechnologies](http://facebook.com/PositiveTechnologies)
[facebook.com/PHDays](http://facebook.com/PHDays)


are backed by years of research experience and the expertise of world-class cybersecurity experts.

Over 2,000 companies in 30 countries trust us to keep them safe.

[Follow us on social media (LinkedIn, Twitter) and the News section at ptsecurity.com.](https://www.linkedin.com/company/positive-technologies/)


Cybersecurity threatscape 2020 Q2 A4 ENG 0003 02


-----