White Paper: Tsunami of Ransomware attacks in the era of COVID-19 Pandemic — Proposed countermeasure solutions

Han Solo
10 min read · Jan 19, 2021

Table of Contents

1. The COVID-19 era and the arrival of a New Normal

2. Increased working from home and subsequent security-related concerns

3. Ransomware incident statistics since the onset of the pandemic

4. Analysis of types of ransomware incidents during the pandemic and limitations of existing antivirus solutions

5. Proposed defense and response methods and technologies against ransomware attacks

6. ZombieZERO’s ransomware response and defense solutions

Over the past few years, ransomware criminals have adopted advanced persistent threat (APT) techniques, including targeted delivery mechanisms, manual hacking using management tools and utilities, covert network reconnaissance, and other associated attack processes. However, anti-virus tools, which match executable patterns in order to detect, respond to, and block only known security threats, are helplessly vulnerable in an environment where hundreds of thousands of new ransomware and malware variants are born per day (zero-day attacks). In most cases, the anti-virus solution itself is ‘like fixing the barn after the cow is lost’: a pattern signature that anti-virus detects is created only after someone has already been infected with the malicious code, so it cannot pre-emptively protect against unknown threats. With anti-virus alone, what most companies are doing is simply hoping that nobody gets infected.

1. The COVID-19 era and the arrival of a New Normal

“Humankind is now facing a global crisis. Perhaps the biggest crisis of our generation. The decisions people and governments take in the next few weeks will probably shape the world for years to come. They will shape not just our healthcare systems but also our economy, politics, and culture. We must act quickly and decisively. We should also take into account the long-term consequences of our actions. When choosing between alternatives, we should ask ourselves not only how to overcome the immediate threat, but also what kind of world we will inhabit once the storm passes. Yes, the storm will pass, humankind will survive, most of us will still be alive — but we will inhabit a different world.”

- Israeli historian Yuval Noah Harari, “The World After Coronavirus”

The ‘New Normal’ has arrived. The ‘COVID-19’ pandemic that began early in 2020 shook the world and radically altered its social and economic structure. Many scholars predict we can no longer go back to the same world as before. Whether we want it or not, we are forced to find a way to respond to the drastic winds of change.

2. Increased working from home and subsequent security-related concerns

The number of people working from home has dramatically increased in the COVID-19 era, and it has become a new normal for how we work. This somewhat forced transition was possible because of advances in IT that have enabled mankind to respond to massive changes. Human beings developed IT to improve the quality of life, and it has proven essential to our new normal. Telecommuting, which was still only being discussed before COVID-19, has now been adopted worldwide. According to a survey of 127 human resources managers conducted by market research firm Gartner in June 2020, 82 percent of the companies and organizations surveyed said they allow at least some work from home, while 47 percent said they allow work exclusively from home.

Source: Gartner, Company leader intentions regarding flexible working after COVID-19

New security issues and cases caused by working from home

As the proportion of people working from home during COVID-19 has increased, cybersecurity threats have also increased to take advantage of the changing working environment. In particular, according to a recent announcement by the FBI, about 3,000 to 4,000 cybersecurity-related reports have been received every day since COVID-19 began. These numbers are 3 to 4 times higher than before the pandemic. Most of the reports concern attacks that exploit the COVID-19 situation, often by taking advantage of the remote working environment, which has more security vulnerabilities than working inside the company. The ways in which the remote working environment is vulnerable to security threats can be summarized in the following three types.

  • If a user’s device, which generally has weak security, gets infected with malicious code, unauthorized users (hackers) can enter the company’s internal network and cause widespread damage.
  • Insecure home network environments (such as Wi-Fi equipment) could lead to the leakage of communication content or data.
  • If the access authentication procedure of the business processing system is poorly established, unauthorized devices can access the company’s internal network.

This is why endpoint security is critical for the devices of employees who work from home and connect to the corporate internal network.

3. Ransomware incident statistics since the onset of the pandemic

Dark web ransomware cases targeting large corporations

Since June 2020, when an attacker group hit LG Electronics and Xerox with the ransomware called Maze and released their data on the Dark Web, similar cybercrime cases have soared. The Darkside ransomware group also released to the Dark Web data stolen from Brookfield, an asset management firm. According to the Dark Web Intelligence Service, data from 252 companies was released on the Dark Web by 11 groups this year. Traditional ransomware groups previously encrypted personal data and asked for small negotiated payments. More recently, however, attackers have stolen and even released data from large global companies, demanding large sums of money as a negotiating tactic.

Screenshots from the Maze ransomware attack

The first death attributed to a ransomware attack on a hospital

On September 10, 2020, Dusseldorf University Hospital in Germany became the target of a ransomware attack that infected 30 of the hospital’s servers and cut off access to the patient admission system. A patient who had to be transported to another hospital 30 km away from Dusseldorf University Hospital died because she could not be admitted. This was the first death attributed directly to a cyber-attack on a hospital. Investigators determined that the ransomware exploited a vulnerability in commercial add-on software widely used in hospitals.

Industry-specific ransomware damage distribution in the UK during COVID-19

Looking at the distribution of ransomware damage by industry in the UK during the COVID-19 crisis, the number of ransomware incidents targeting industries related to healthcare (insurance and pensions, etc.) has greatly increased. A total of over 2,100 incidents and more than £5 million in fraud have been reported in the UK since February 2020. On average, pension scam victims lost £82,000, and pension scams were classified as one of the most common types of scam experienced by the British during COVID-19. The pension authorities have warned citizens that anyone can be a victim and have asked them to be wary of financial transactions and demands involving savings and retirement funds during this time.

Industry-specific distribution of ransomware damage in the UK during the COVID-19 period. Source: Beazley Breach Response (BBR) Services

4. Analysis of types of ransomware incidents during the pandemic and limitations of existing antivirus solutions

Ransomware attacks becoming more and more intelligent and diverse

In 2019, ransomware attacks seemed to slow compared to other types of cyber threat, but there were still ransomware cases and concerns. Attacks using GandCrab and Anatova, which were prevalent in 2018 and the first half of 2019, declined, but Sodinokibi and Nemty took their places. Sodinokibi, first detected in April 2019, is delivered through malicious email attachments disguised as normal files, much as GandCrab was, and encrypts the user’s files while demanding cryptocurrency in exchange for decryption. Nemty, which appeared at the end of August 2020, takes a different approach: it was distributed through phishing emails and is now considered the most widely distributed ransomware along with Sodinokibi. TeslaCrypt, SimpleLocker, WannaCry, NotPetya, SamSam, and Ryuk are all large-scale ransomware attacks that have occurred in the past five years. Among them, WannaCry and NotPetya caused enormous damage to numerous companies around the world, including paralyzing the systems of large corporations. While ransomware activity seemed quiet in 2019, it spread rapidly again in 2020, and experts predict that the damage will double if another attack of the same type occurs.

Source: SafetyDetectives.com, The most prominent types of Ransomware in North America in 2019

Ransomware tailored to specific targets, and attacks operated in real time by sophisticated controllers such as SamSam and Ryuk, are on the rise. Accordingly, in 2021, the number of ransomware attacks is expected to decrease gradually along with the number of affected organizations. Instead, attackers are expected to increase their success rate by targeting companies from which they can make a significant profit. Thus, a reduction in the number of ransomware infections does not mean a reduction in the amount of damage; the opposite may be true. When a large business that is not properly prepared gets attacked, it may have to spend billions of dollars to remedy the damage.

The table below shows the ransomware that may be the most threatening to companies and organizations in 2020 and 2021.

Top 11 ransomware attacks that were most prevalent in 2020 and most expected in 2021

5. Proposed defense and response methods and technologies against ransomware attacks

Essential ransomware defense strategies

The most basic defense against ransomware attacks is to classify all critical data in advance and to create and maintain up-to-date backups of it. Organizations then need to conduct internal and external penetration tests to identify systems or servers that may be exposed to the Internet and to reduce the number of vulnerable attack targets. Remote network connections such as VPN or Remote Desktop Protocol (RDP) must also have strong, unique credentials and two-factor authentication (2FA). Inside the network, companies need to ensure that operating systems and software on endpoints and servers are up to date with patches. The network should be segmented according to the principle of least privilege, so that even if one department’s workstations are compromised, the compromise does not easily spread to the entire network. Abnormal access involving the domain controllers of the Windows network needs to be carefully monitored.

Organizations using MSPs (Managed Service Providers) or MSSPs (Managed Security Service Providers) must monitor and log connections from those third parties, and the software they use must also have 2FA set up. Network and system access granted to third parties should be limited to what is required to do their job. Organizations must have a clear inventory of the data that is critical to business operations, and the systems that store that data must be tightly controlled. Since most ransomware infections start on workstations, it is important to use endpoint anti-malware software. You should remove unnecessary plug-ins and extensions from your browser, keep your software up to date, and give employee accounts limited privileges.

Recently, ransomware attacks have targeted victims in varied ways with no consistent pattern, so it is difficult to guarantee that any method is 100% safe against unknown new ransomware and ransomware variants. Also, depending on the policies and performance of the security solutions in place, detection may be unintentionally bypassed. Users therefore need to manage important data and less essential data separately, and develop a habit of periodically backing up to a secure folder that the ransomware process cannot access. It may also be a good idea to use a separate backup solution or the backup function included in the security product. Employees should be trained to recognize phishing emails and not to respond to requests to open files or click links. Security teams should set up a dedicated email address to which employees can forward emails they suspect.

Finally, organizations must develop an incident response plan to ensure that, in the event of an incident, everyone involved in communication with security vendors, MSSPs, and law enforcement agencies is familiar with their roles and what to do. Even common malware infections can become an intrusion vector for serious threats, so they should not be treated lightly and should be thoroughly investigated. Both the FBI’s Internet Crime Complaint Center (IC3) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provide recommendations for preventing and responding to ransomware attacks. In February 2020, the National Institute of Standards and Technology (NIST) published two draft best-practice guidelines for dealing with ransomware: “Data Integrity: Identifying and Protecting Assets from Ransomware and Other Destructive Events” and “Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events”.

6. ZombieZERO’s ransomware response and defense solutions

Method and technology for ransomware defense and response

In line with the essential ransomware defense strategies presented above, ZombieZERO products offer a robust response to ransomware and to new malware and malware variants in the following ways.

  • First, based on IOCs (indicators of compromise), the user’s PC is constantly monitored for threats (process, file, network, registry). If an attack is detected, the system is notified and actions such as network quarantine or isolation take place immediately according to policy.
  • Second, ZombieZERO products determine whether a process is safe to execute based on a blacklist/whitelist policy. If an unknown process is executed, the execution-pending function first holds the process, and then a multi-tier analysis (anti-virus, static analysis, dynamic analysis) is carried out to verify that the process is safe.
  • Third, ZombieZERO products detect and block attempts to contact malicious C&C servers, such as those made by droppers and backdoors, that may occur on the user’s PC.
  • Fourth, ZombieZERO products detect and block file tampering and encryption behavior by ransomware, and also detect, block, and quarantine the process carrying out the ransomware attack.
  • Fifth, ZombieZERO products operate a secure folder that malicious code (including ransomware) cannot access and provide an instant file backup function, so users’ important files can be stored safely.

A main feature of ZombieZERO products is the integration of these technologies and functions in one product, which enables detection of and response to threat blind spots and unknown attacks at the endpoint.
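The two endpoint controls that sections 5 and 6 both rely on, a protected backup folder that only an allowlisted process may touch and behavioral detection of mass encryption by a process, can be sketched in a few lines. The following is an added example written for this article, not ZombieZERO’s code; it uses constructed sample file-system events, an assumed secure-folder path, and an assumed allowlist, and flags a process when it writes high-entropy (ciphertext-like) data to several distinct files within a short window.

```python
import math
from collections import Counter, defaultdict

SECURE_FOLDER = "/home/user/secure/"         # assumed protected backup folder
SECURE_FOLDER_ALLOWLIST = {"backup-agent"}    # only this process may access it

# Constructed sample endpoint events, not real telemetry:
# (timestamp_seconds, process_name, operation, path, bytes_written)
HIGH_ENTROPY = bytes(range(256)) * 8          # stands in for ciphertext (8 bits/byte)
PLAINTEXT = b"Quarterly report draft, section 3: revenue by region.\n" * 20
EVENTS = [
    (0.0, "winword", "write", "/home/user/docs/report.docx", PLAINTEXT),
    (1.0, "backup-agent", "write", "/home/user/secure/report.docx.bak", PLAINTEXT),
    (2.0, "unknown_proc", "write", "/home/user/docs/report.docx.locked", HIGH_ENTROPY),
    (2.3, "unknown_proc", "write", "/home/user/docs/budget.xlsx.locked", HIGH_ENTROPY),
    (2.7, "unknown_proc", "write", "/home/user/docs/notes.txt.locked", HIGH_ENTROPY),
    (3.0, "unknown_proc", "write", "/home/user/secure/report.docx.bak", HIGH_ENTROPY),
    (60.0, "7zip", "write", "/home/user/docs/archive.7z", HIGH_ENTROPY),  # one legit archive
]

def shannon_entropy(data):
    """Bits per byte: about 8.0 for encrypted or compressed data, 4 to 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def secure_folder_violations(events):
    """Accesses to the protected folder by any process not on the allowlist."""
    return [(proc, path) for _, proc, _, path, _ in events
            if path.startswith(SECURE_FOLDER) and proc not in SECURE_FOLDER_ALLOWLIST]

def encrypting_processes(events, window=10.0, min_files=3, entropy_min=7.0):
    """Processes that write high-entropy data to >= min_files distinct files within `window` seconds.
    A single high-entropy write (e.g. a compressed archive) is not enough to be flagged."""
    writes = defaultdict(list)                # process -> [(ts, path)]
    for ts, proc, op, path, data in events:
        if op == "write" and shannon_entropy(data) >= entropy_min:
            writes[proc].append((ts, path))
    flagged = set()
    for proc, items in writes.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            paths = {p for t, p in items[i:] if t - start <= window}
            if len(paths) >= min_files:
                flagged.add(proc)
                break
    return flagged

if __name__ == "__main__":
    print("secure folder violations:", secure_folder_violations(EVENTS))
    print("processes to quarantine:", encrypting_processes(EVENTS))
```

A real agent would feed the same logic from a file-system filter driver and act on the flagged process (block, quarantine) rather than just print it.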


Han Solo

I have served as CEO of NPCore, Inc. from November 2008 to the present with an extensive career of more than 20 years in the cybersecurity industry.