Skip to content

Recent Ransomware Attacks 2020 Explained

€16.7 billion. That is the estimated cost of ransomware attacks in 2020. If you do not understand the ransomware ecosystem, then how can you potentially shrink the risk of this threat? Ransomware has become a prevalent weapon in the hands of cyber criminals who threaten not only businesses and individuals but also governments on a daily basis. Cybersecurity Ventures predicts that ransomware is expected to attack businesses every 11 seconds by the end of 2021. The harsh reality is that ransomware is not going away, instead, it continues to take thousands of organisations hostage. Stay aware of recent ransomware attacks 2020 and better understand how recent ransomware attacks are being deployed.

How do ransomware attacks happen?

Ransomware is a sophisticated form of malware that is capable of encrypting all data saved within a victim’s computer and of holding the files ‘hostage’ until the demanded ransom is paid. There are several ways that ransomware can enter your network. One of the most popular delivery systems is phishing emails that contain malicious attachments (e.g. PDFs, Word documents, etc.). Ransomware creators make these spam emails look like they are coming from a legit email address. Please also be informed that these emails sometimes contain links to malicious websites.

The second way that the ransomware attacks are disseminated is through ‘malvertising‘. Kaspersky defines malvertising as malicious online advertisements, some of which cause malware infection while others track user behaviour.

Malvertisements are spread through the same methods just like normal online advertisements. Malvertising campaigns are popular simply because infecting an ad requires less effort than discovering a vulnerability in the website. Do you remember when Spotify, one of the world’s most popular audio streaming service providers, fell victim to a malvertising attack back in 2011?

3 latest ransomware attacks

Below we discussed 3 latest ransomware attacks, in no particular order, that has occurred in 2020.


The Avaddon malware campaign is known to be started in February of 2020, but it fully emerged in June of 2020. Avaddon is a ransomware written in C++ that was offered as an affiliate program in a Russian underground forum, which was only accessible by invitation or upon the payment of a registration fee. This ransomware is best known for encrypting files and changing the file extension to .’avdn‘. Avaddon ransomware is propagated via phishing emails that contain malicious attachments IMG{6 random number} with malicious JavaScript code. But remain very wary that other distribution methods include torrent websites and malicious ads.

The ransomware deletes system backups and usually demands a ransom amount ranging between $150 and $900, and gets doubled if not paid in time (yet, recovery is not guaranteed!). Since the ransomware uses solid encryption algorithms such as AES256 and RSA2048, any decryptor is not available and it is impossible to decrypt the file without the key that was utilised to encrypt the files. Other features of Avaddon are as follows:

  • multi-threaded file encryption for max performance.

  • regularly encrypts newly written files along with newly connected media.

  • numerous delivery options, including script, PowerShell, and .EXE payload.

  • removes trash, Volume Shadow Copies (VSS), or other restore points.

Avaddon Ransomware Attack

Ransomware can put any company at risk. There are still some measures you can take today to protect your or your organisation’s files from ransomware. Following are 3 best practices to protect files from ransomware:

  • periodically patch applications and software, as it fixes vulnerabilities that are susceptible to cyberattacks, helping your organisation minimise its security risk.

  • consider enhanced and real-time detection capabilities such as machine learning or behaviour monitoring technologies.

  • for the most optimal results, use sandboxing technologies which are comprehensive tools that enable the investigation of an object’s origins and the detection of malevolent objects not previously encountered.


Egregor is a new sophisticated ransomware that was first spotted in September of 2020. Egregor earned its destructive reputation after successfully infiltrating the video game developer Ubisoft in October of 2020. Since its operation, this ransomware also penetrated the globally-known recruitment organisation Randstad and a Canadian public transportation agency TransLink.

“Like most current ransomware variants used, Egregor uses double extortion,” says CSO. Double extortion means that criminals steal data from organisations besides encrypting files, meaning that threat actors maximise their chance of gaining profit by giving their victims extra incentives to pay the ransom. Some incentives include selling or even auction the encrypted data.

According to TrendMicro, Egregor ransomware is typically distributed as a payload along with remote access trojans like QAKBOT. Yet, there is no specific information on how precisely Egregor obtains initial access. But it is highly likely that it deploys techniques that are similar to other targeted ransomware such as remote desktop protocol (RDP) hacks or stolen accounts.

egregor ransomware

As regards the ransom demand, it may vary based on the size of the target organisation. Demands can easily exceed the ransomware marketplace average because of the fact that Egregor is known to penetrate data as well. The image above shows what Egregor ransomware notice looks like.

There are a number of mitigation techniques you may want to consider. Firstly, regularly monitor for Qakbot and Ursnif malware infections, as these malware groups inject Egregor ransomware. Secondly, educate your employees on the signs of phishing attacks, because these attacks are a common attack vector for injecting ransomware.


Another notorious ransomware family is the NetWalker ransomware. It is a Window’s specific ransomware, encrypting and exfiltrating all of the data it breaches. “The secret behind this ransomware family’s pay-out success lies in their double-extortion approach” says UpGuard.

Among major targets of NetWalker ransomware are educational institutions, healthcare providers and private companies. For example, NetWalker launched an attack against the Austrian village of Weiz through a phishing email. Also, this group has successfully attacked the University of California San Francisco (UCSF) and encrypted their computers.

Technically, the NetWalker ransomware is spread in 2 ways. One way is through an executable document that haas been spread on the network. Once this file has been executed by the user, if immediately infects the system. The second way is known to be through VBS scripts, attached to COVID-19 related phishing email that contains a link to a malicious ZIP archive.

netwalker ransomware

Varonis says that NetWalker continues to become more advanced and difficult to defend against due to the fact that they expand their affiliate network. That said, you may want to consider the following three practical tips.

  • always be sure to back up your most important files. Backups must be stored in places not obtainable through your network connection or must use network segmentation to restrict access.

  • if possible, regularly update spam settings to block attachments with an .exe.vbs, or .scr extensions.

  • do not forget to educate your employees on the danger that comes with opening emails or clicking the attachment from unknown senders.

Final thoughts on recent ransomware attacks 2020

Unfortunately, ransomware is so effective and organisations are not fully prepared for its resurgence. Above we outlined the 3 latest ransomware attacks and how they usually deliver malware. Do you want to stay protected from ransomware? Be proactive and consider the measures we shared above to decrease your risk of being held hostage by ransomware.