
Emsisoft: U.S. ransomware attacks declined during pandemic

In the first quarter of 2020, the number of successful ransomware attacks on government and healthcare organizations in the U.S. decreased to a level unseen in years, Emsisoft said.

There may be a small silver lining to the COVID-19 pandemic in terms of ransomware attacks.

New research from Emsisoft shows that in the first quarter of 2020, the number of successful ransomware attacks on state and municipal entities, healthcare and education sectors in the U.S. declined significantly.

The antimalware vendor on Tuesday released a report titled "The State of Ransomware in the US: Report and Statistics for Q1 2020," which determined that "a total of 89 organizations were impacted by ransomware in quarter one, however as the COVID-19 crisis worsened, the number of successful attacks reduced to a level not seen in years."

This is a stark difference compared to the 966 government agencies, education establishments and healthcare providers that Emsisoft observed were impacted by ransomware in 2019. The report is based on data from multiple sources, both public and non-public.

The vendor cited a combination of factors that contributed to the decrease. "The suspension of non-essential services during the COVID-19 pandemic may have effectively reduced organizations' attack surface and working from home may have created challenges for ransomware groups," Emsisoft Malware Lab researchers wrote in the report.

People working from home are less valuable targets, according to Emsisoft threat analyst Brett Callow.

"Ransomware is usually deployed through Emotet or Trickbot and those both have plug-ins which automatically check to see whether the malware has landed on a potentially valuable target," Callow said. "One thing they look for is if a system is connected to an Active Directory. A workplace system will absolutely be connected to an AD, but a person working from home using a personal device is less likely. Initially there was a lot of talk about how working from home would increase security risks, but when it comes to ransomware, the opposite may be true."

Ransom payments also decreased, most likely because companies are in financial distress due to COVID-19 and less able to pay large ransoms, according to the report.

However, attacks on one area remained steady during the pandemic: the private sector.

"It's possibly due to the fact that there are a lot more private sector companies than public. Also, more of the public sector is now working from home," Callow said.

When enterprise security teams were alerted to an increase in remote work, they may have taken that time to bolster the security around remote access, which is one of the things that actors use to gain access to networks, Callow said.

Similarly, VMware's Carbon Black researchers Patrick Upatham and Jim Treinen observed a drop in attacks on the healthcare sector, which usually falls in the top three verticals targeted by malicious actors. It ended March as the seventh most frequently attacked industry. Instead, cybercriminals shifted targets to banks and other financial organizations.

According to the Emsisoft report, this downward trend is continuing into the second quarter. Between April 1 and April 20, Emsisoft observed three attacks against government entities and two attacks against education and healthcare. It's unclear why healthcare attacks may have declined; some ransomware gangs such as Maze announced they would no longer target healthcare organizations during the pandemic, but Callow and other security researchers have expressed skepticism about those pledges.

"The decline in successful attacks, and especially attacks on healthcare providers, is obviously a positive, but the relief is likely only temporary," Emsisoft wrote in the report. "Once organizations resume normal operations, we expect the numbers to return to their previous levels."
