A couple of centuries ago, being robbed by highwaymen when traveling was so commonplace most people either wrote their wills before they left home or paid for hired escorts. But while the first flush of ransomware attacks were along the highwayman’s “stand and deliver” lines—"you’ve been attacked, so pay me”—recently, cybercriminals are using far more sophisticated approaches. New methods include not only being creative about how they infect businesses to demand ransomware, but also new ways they’re finding to influence victims to pay.

As our latest 2020 Cyber Threatscape report reveals, ransomware threat actors are seeing fresh success in 2020, having established these new profitable and scalable business models. As well as infecting businesses with ransomware, they are stealing company data—and announcing the data breach to public channels such as the news media. It means victims have to deal with an expensive ransomware recovery process and broader repercussions, such as brand reputation damage.

Threat actor groups Maze, Sodinokibi, and DoppelPaymer are the trailblazers who have found success using this model—but they are inspiring a spate of copycats around the corner as threat actors recognize what’s on the table.

<<< Start >>>


<<< End >>>

Ransomware recovery responders, Coveware, noted that in the first quarter of 2020 an average ransom payment rose to US$178,254 up 60% from the same period the year before.

The situation could become far worse. As threat actor profits increase, they can innovate and invest in more advanced ransomware and take advantage of the greater vulnerabilities of vast numbers of people working remotely.

Ransomware reinvented

Here are three things the Accenture team of Cyber Threat Intelligence (CTI) analysts have seen happening in the last year:

  • Maze ransomware changes the game, again: Ransomware has had several watershed moments over the years—moving from locking screens to encrypting systems, embracing cryptocurrency as a form of payment, or finding ways to become self-spreading (for example, WannaCry). Then in late 2019, threat actors behind the Maze ransomware strain changed the game again. Maze infected a large security staffing company, stole company data, and notified the media—eventually publicly releasing 700MB of data when the ransom was not paid. This “name and shame” approach adds pressure on victims to pay up, even though law enforcement and the cybersecurity industry have always advised against paying ransoms.
  • Data theft and extortion imitations increase victims’ pressures: Malicious actors are copying and adapting pre-existing ransomware strains, applying new tactics and incorporating the use of new strains of ransomware as they are created. For example, in April 2019, Maze repurposed pre-existing Sodinokibi (also known as REvil) ransomware adding data theft and extortion tactics, techniques and procedures (TTPs). At first it made threats via reputable Dark Web forums providing links to stolen data, and then it launched its own name-and-shame site—posting screenshots of sensitive files, documents, databases and customer data. By directly implicating business partners or customers in the data breach, Sodinokibi increases the pressure on the victim to pay or risk losing business from those affected.
  • New ransomware momentum upends cost versus disruption debate: Law enforcement authorities and cybersecurity industry leaders have always advised victims against paying ransom. But the success of new ransomware tactics has led to many incidents where victims are paying ransoms. They do this to avoid facing an expensive clean-up process, being subject to the penalties associated with a data breach,or finding that the negative press and reputational damage associated with the incident becomes public knowledge. Even so, compromises are often leaked to media, despite best efforts to pay the ransom quickly and quietly.

I expect 2021 to continue to be a troubling time for organizations in their attempts to defend against ransomware and data theft. With their sights set on financial gain, threat actors may be taking advantage of fear and economic uncertainty likely caused by the global COVID-19 pandemic.

It means that we could all be held up by the cyber highwaymen as they continue to evolve these tactics—and we should all think carefully about our response to the command to “stand and deliver.”

Take a look at the full report for more on the latest cybersecurity threats.

A special thanks to the following individuals who also contributed to 2020 Cyber Threatscape Report: Patton Adams, Omar Al-Shahery, Joseph Chmiel, Amy Cunliffe, Molly Day, Oliver Fay, Charlie Gardner, Gian Luca Giuliani, Samuel Goddard, Larry Karl, Paul Mansfield, Hannaire Mekaouar, Mei Nelson, Nellie Ohr and Kathryn Orme.


Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2021 Accenture. All rights reserved.


Joshua Ray

Managing Director – Accenture Security

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog