Ransomware attacks have been a persistent threat to organizations around the world. These attacks involve malicious actors infiltrating an organization’s computer network and encrypting critical files, rendering them unusable. The attackers then demand a ransom payment in exchange for a decryption key that can unlock the files. Ransomware has become one of the most lucrative forms of cybercrime, with attackers earning millions of dollars in payouts.
Security Week numerates the damage caused upon many smaller companies: 40% of compromised companies ended up laying off staff due to financial damage; more than half say their systems were not entirely restored (as opposed to the 78% payment refuseniks who stated that they restored their systems without paying for a decryption key); and 80% were targeted a second time after paying a ransom.
Today cartels operate affiliate networks that “harvest victims” using sophisticated automation tools and employ complex networks of partners that specialize in the disparate fields of “network penetration, detonation, and extortion.” According to TechTarget, “2022 was a breakout year for ransomware” (although most of the incidents the article mentions are actually from 2021). Supply chains displaced individuals as the main target for extortionists, and instigators drew a bead on previous payees as easier marks. aaS services began to appear, including Coding as a Service, Malware as a Service, and Ransomware as a Service—all marking the industrialization of what had hitherto been primarily a cottage enterprise, and phishing was identified as the root cause for most preliminary attacks.
Notwithstanding, recent reports suggest that the trend of ransomware payments has declined significantly in 2022. According to a report by CRN, the number of ransomware payments decreased by 18% between 2021 and 2022. The report also suggests that the average ransom payment decreased by 33% during the same period (although other sources disagree on this point). In addition, and more importantly, there is evidence that the percentage of victims paying up has dropped from 85% in 2018 to 37% at present.
Declining the offer
The decline in ransomware payments can be attributed to several factors. Because attackers often reside under the protection of rogue states and are therefore nearly impossible to prosecute, a major reason for the decline is the increased adoption of preventive measures by target organizations. A report by IBM X-Force highlights the massive improvement in ransomware prevention in 2022. The report suggests that adopting cybersecurity best practices such as multi-factor authentication, regular software updates, and employee training has made it harder for attackers to penetrate organizational networks.
X-Force focuses on the increased success of new tech stopping attacks in their tracks at the “backdoor stage”—the point at which the attacker attempts to bypass security upon entering a network. It also mentions phishing as remaining the top culprit for initial access—steady at 41% of incidents, after increasing from 33% between 2020 and 2021. One possible explanation for the decreasing success of phishing is awareness and tools to prevent phishing links from forwarding clients to phishing URLs.
Another contributing factor to the decline in ransomware payments is the increased efforts of law enforcement agencies and cybersecurity firms in tracking down and disrupting ransomware groups. The Wall Street Journal reports that the number of ransomware attacks declined in 2022 thanks to successful law enforcement operations that disrupted major ransomware groups, and that payment recoveries were also on the rise. Clearly, President Biden’s classifying of ransomware as a national security threat has helped motivate everyone.
An interesting derivative of the White House framework has also been shifting responsibilities, so that now, enablers can also be prosecuted, as in the case of Robinhood’s $30m fine for processing crypto transfers from victims to attackers. Robinhood was ultimately fined for both anti-money laundering violations and cybersecurity regulations.
Because ransom is usually paid in cryptos, law enforcement agencies are getting more adept at tracing the money route, as was the case in the Colonial Pipeline attack, instigated by the Russian-backed DarkSide gang. Consequently, through better understanding, insurance companies are better equipped to require specific cyber practices to allay the risk of ransom attacks.
Companies are now taking greater care to narrow down their attack surface, on the one hand, and prepare for the aftermath through immutable backups and systems redundancy, on the other. Thus, if the potential damage decreases, so does the value of the attack—lowering payout demands.
Organizations, on their part, are becoming increasingly aware of the risks associated with paying ransoms. A report by Security Intelligence suggests that a record-low number of ransoms are being paid, with only 19% of victims paying a ransom in 2022, down from 37% in 2021. This shift can be attributed to the growing understanding that paying a ransom only encourages attackers to continue their activities and provides no guarantee that the encrypted files will be unlocked.
The changing face of ransomware attacks may also have played a role in the decline of ransomware payments. A report by Panda Security suggests that ransomware attacks are becoming rarer, with the number of attacks decreasing by 23% between 2021 and 2022. The report suggests that attackers are now targeting high-value targets, such as large corporations, and are using more sophisticated techniques to evade detection—LockBit’s hack of the UK’s Royal Mail for an $80m ransom being a prime example.
However, it is important to note that despite the decline in ransomware payments, ransomware attacks are still a significant threat. According to a report by Barracuda Networks, 80% of organizations that paid a ransom in 2021 were attacked again, either by the same group or by a different attacker using different ransomware. This statistic highlights the need for organizations to adopt a comprehensive approach to cybersecurity that includes both preventive measures and incident response plans.
Security Intelligence claims that, with the decreasing number of willing payees, larger organizations are now adopting re-extortion techniques targeting former payees. Re-extortion is considered a less “honorable” tack and was formerly undertaken by smaller, less significant gangs.
Another report by CyberInt highlights some alarming trends in the ransomware landscape during the first quarter of 2023. The report suggests that the number of ransomware attacks has increased by 62% compared to the same period in 2022. The report also highlights that the average ransom demand has increased by 68% during the same period. These statistics indicate that while ransomware payments may be declining, the threat of ransomware attacks remains significant.
In conclusion, the trend of ransomware payments has declined significantly in 2022, primarily due to increased adoption of preventive measures, successful law enforcement operations, and growing awareness of the risks associated with paying ransom. The ransom groups are apparently hurting, as evidenced by Conti’s layoffs of call center attendants illustrates. Moreover, due to the decreasing return on investment, the cost of attacks is increasing, leading to consolidation and the elimination of smaller actors. The result is larger more organized attack groups, which are accordingly easier to track, attacking higher-value targets with increasing demands, which increases the defenders’ vigilance and retribution.
TechTarget has these suggestions for companies to protect their assets:
- Maintain a multi-layer defense strategy.
- Consider advanced detection technology.
- Educate employees against social engineering—phishing.
- Patch known vulnerabilities, and regularly update software and firmware.
- Back up critical data frequently. Ransomware’s target is data. By having reliable backups, the risk of losing data can be minimized.
- Initiate tabletop exercises to ensure the right mitigation & recovery processes are in place.
Whichever way the trend may develop, ransomware attacks remain a significant threat, with attackers using more sophisticated techniques and targeting high-value targets. Organizations must continue to prioritize cybersecurity best practices, including regular software updates, employee training, and incident response planning, to protect themselves against ransomware attacks. According to Security Week. Two-thirds of companies believe that they were infiltrated through a business partner or supplier.
And, individuals should ensure that they are not the weak link in the chain of attack — a ransomware-attacked hospital may be the next hope of someone you cherish.