The COVID-19 pandemic has caused hospital systems’ resources to be strained to the breaking point, and in some cases, beyond. Those who manage and use information systems need to take action now.

In 2020, ransomware attacks increased in frequency and dollar amount. However, a one-time payment is not the attacker’s end game. Once an enterprise’s perimeter has been breached, the likelihood is it will be breached again as the attacker typically has established a backdoor into the network, maintained persistence, protected their territory, as well as a continuing funding source for their organization.

As it relates to significant enterprise-level financial damages, the “lone wolf” hacker is less of a concern. However, the potential rewards associated with ransomware is attracting organized crime syndicates. While healthcare records and clinical trial data are rarely sold in underground markets, they can be highly sought-after by foreign governments and frequently make their way back to hostile foreign nations. The future of cyber attacks will likely move from illicit to a professional marketplace.

Implementing Defense-in-Depth: multiple layers of defense instead of exclusively perimeter defenses, should be a goal for all organizations undertaking to fend off this new type of attacker.

This report, prepared by the OccamSec Intelligence Team, provides an overview of the current ransomware landscape and what the landscape looks like entering 2021.


Ryuk is one of the most prolific and dangerous strains of ransomware, and has been responsible for millions of dollars in financial damage (including over $61 Million in ransoms1) and, in a first for a cyberattack, a fatality, when a patient in Düsseldorf died in an ambulance while the nearest hospital had been victimized by Ryuk.

Two other ransomware strains are worth knowing: Trickbot and Emotet. Together, these three are continuously evolving to evade detection by signature-based anti-malware systems and appear to be borrowing code from one another while trading off Command and Control locations. Security professionals and law enforcement are still trying to determine the relationships between them. Ryuk and Trickbot have made recent changes and the name Ryuk may be dropped for a new strain, “Counti”. Trickbot has increased its reconnaissance functionality.

The threat actors responsible for these strains of malware are rapidly maturing and adapting as evidenced by the evolution of victim’s ransom notes. They have evolved from short, blunt statements to incorporate a customer service approach featuring well-written notes that are more financially lucrative and setting up call-centers to assist victims completing their ransom payments. By the time security professionals sift through all the data, Ryuk will have evolved.

However they brand their malware, the initial delivery of these attacks will remain. The use of commodity-grade exploit kits, and their delivery being sold as a service remains crucially important to threat actors’ profits.

Another tactic employed is to make the required noise to gain credentials for remote access and target Active Directory while appearing as completely normal traffic via the use of tools like Inveigh, a Windows variant of Responder (a common pentesting tool used once a foothold is established), revealing that attackers are learning from penetration testers. Attackers stick to the fundamentals: well-crafted emails sent from valid accounts, Excel macros and infected PDF files, powershell and batch files disguised as documents. Many pieces of malware are generated using common Red Team toolkits like Cobalt Strike. Interestingly, tools developed and utilized by the people who pretend to be attackers are now being viewed as the cutting edge in the field.

Key takeaways:
  • Expect the threat actors moving forward to continue gaining access and remaining inside organizations to establish deep levels of access, followed by siphoning sensitive information out of the organization and solidifying their profit-driven motive by holding the data ransom.
  • Expect more collaboration and outsourcing by the threat actors. The value of the data and the prices it commands are well established.
The Solution is Preparation

Preparing for the worst and hoping for the best is the most viable solution. Throughout 2020 governments have issued multiple warnings followed by best practices edicts. December 2, 2020, Interpol issued an alert to its 194 member countries that the COIVD-19 vaccine is being targeted by organized crime, physically and online. If your organization has any link to the vaccine, here are the necessary steps:

• Assess your organization’s risk to internal and external threats and determine how any entity would be affected if operations are disrupted or halted. Consider secondary and tertiary effects, for example, if a hospital in a small city is shut down by ransomware, this will impact emergency care at nearby hospitals.

• Conduct facilitated wargaming exercises that begin with problem-setting and produce real response plans. When done correctly, this has a proven record of success with minimal financial and labor investment.

• Assume you are a target. Consistently, our experience reveals that leaders undervalue themselves and their organizations as a target, while attackers conducting what’s called Crown Jewel Analyses to search deeply inside an organization, learning the value of their assets oftentimes better than the organization itself.

We recommend your organization consider which of these it can undertake with internal resources. Where this is not possible a company with expertise in both offensive and defensive security operations may be able to assist