Ransomware shows no signs of slowing down while its business model has changed. Read more about the state of ransomware in 2022.
Ransomware is a form of malware that denies users access to data and IT systems by encrypting files and systems, thus locking users out. To obtain the decryption key, victims are extorted for a payment, typically in cryptocurrency. Recently, ransomware attacks have increasingly been accompanied by data theft: in addition to locking users out of their data, the attackers notify victims that they hold copies of it and will release sensitive information unless a ransom is paid, a tactic known as double extortion. More information about the nature and state of ransomware, common infection vectors, and ways to protect against this threat can be found in our article Roadmap for Ransomware Protection.
In this article, we are going to highlight the state of ransomware in 2021, predict some tendencies for 2022 and provide recommendations on how to resist the ransomware threat.
In our previous post – 2022 Cybersecurity Trends – we wrote that ransomware shows no signs of slowing down while its business model has undergone some changes. Ransomware is shifting from a "vertically integrated" model, in which a single threat actor attacks organizations using its own custom ransomware, to Ransomware-as-a-Service (RaaS), in which one group builds and maintains the ransomware and rents it out to affiliates for a share of the proceeds. In other words, a single attack may involve several cybercriminal groups responsible for different stages. One group might specialize in exploiting exposed services such as Remote Desktop Protocol (RDP), while another might buy access to an organization that a different group has already compromised. The RaaS operators also write playbooks that walk their affiliates step by step through an attack; one such playbook, written by the Conti RaaS operators for their affiliates, became public in 2021 when a disgruntled affiliate leaked it.
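Because exposed RDP is named above as a common way affiliates and access brokers get in, the following is an added example (not code from the original post or from Planet 9) of a check a defender can run over Windows Security log events to spot RDP brute-force or password-spray activity. It looks for event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP), counts failures per source IP inside a sliding time window, and raises the severity if a successful 4624 logon from the same IP follows. The sample events, field names, IP addresses and user names are constructed for illustration and are assumptions of this example, not data from the page.

```python
"""Added example: detect RDP brute-force / password-spray patterns in
Windows Security log events (4625 = failed logon, 4624 = successful logon,
logon_type 10 = RemoteInteractive / RDP). Not code from the original post."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _t(s):
    """Parse the constructed timestamp format used in SAMPLE_EVENTS."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample log (assumption of this example, not page data):
# 203.0.113.7 sprays five accounts over 40 seconds and then logs in as jsmith;
# 198.51.100.4 is a user who mistypes a password twice; the "kiosk" event is a
# console logon (logon_type 2) and must be ignored by an RDP-specific rule.
SAMPLE_EVENTS = [
    {"time": _t("2022-03-01 02:00:01"), "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": _t("2022-03-01 02:00:09"), "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": _t("2022-03-01 02:00:17"), "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": _t("2022-03-01 02:00:25"), "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"time": _t("2022-03-01 02:00:30"), "event_id": 4625, "logon_type": 2, "src_ip": "-", "user": "kiosk"},
    {"time": _t("2022-03-01 02:00:33"), "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"time": _t("2022-03-01 02:00:41"), "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"time": _t("2022-03-01 02:00:55"), "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"time": _t("2022-03-01 08:15:00"), "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.4", "user": "mlee"},
    {"time": _t("2022-03-01 08:15:20"), "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.4", "user": "mlee"},
    {"time": _t("2022-03-01 08:15:40"), "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.4", "user": "mlee"},
]


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {src_ip: {"failures": n, "accounts": [...], "success_after": bool}}
    for every source IP with at least `threshold` failed RDP logons inside any
    `window`-long sliding interval. `success_after` is True when a successful
    RDP logon from the same IP is seen after the threshold was crossed, which
    is the case that should page someone rather than just raise a ticket."""
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["time"])
    recent = defaultdict(deque)   # per-IP failed logons still inside the window
    alerts = {}
    for e in rdp:
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append(e)
            while q and e["time"] - q[0]["time"] > window:
                q.popleft()       # drop failures that aged out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "accounts": set(), "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["accounts"].update(x["user"] for x in q)
        elif e["event_id"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    # Sort the account list so results are deterministic for reporting.
    return {ip: {**a, "accounts": sorted(a["accounts"])} for ip, a in alerts.items()}


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        sev = "CRITICAL" if a["success_after"] else "WARNING"
        print(f"{sev}: {ip} failed {a['failures']} RDP logons across {a['accounts']}")
```

The threshold and window are deliberately parameters: a low threshold with a short window catches noisy brute force, while a long window with a small per-account count is what you need for slow password spraying, so in practice you run both. Legitimate users who fat-finger a password (198.51.100.4 above) stay below the threshold, and non-RDP logon types are filtered out before counting so a console or service logon never pollutes the RDP rule.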
To adequately assess the real state of the ransomware threat in 2022, one should understand the main tendencies that took shape in 2021. Surveying 5,400 organizations, Sophos estimated that over a third of them (37%) were hit by ransomware in 2021. While this number is high, the good news is that it is significantly lower than in 2020, when 51% of organizations were affected. The reduction in the number of attacks can be explained by evolving attack approaches: as the Sophos experts report, many attackers have moved from large-scale, generic, automated attacks to more targeted attacks involving human-operated, hands-on-keyboard intrusion. However, while the overall number of attacks is lower, the potential for damage from these targeted attacks is much higher.
There are interesting by-country data regarding the number and severity of ransomware attacks. The list of countries most affected by attacks in 2021 is led by India, Austria and, not surprisingly, the United States. Over half (51%) of US respondents report being hit last year, a figure attributed to the perceived ability of US organizations to pay high ransoms. At the same time, ransomware actors are often based in China, North Korea, and Russia. To understand why these countries are the "headquarters" of such activity, read one of our previous posts, Cyberthreats and National Security.
Japan shows the lowest level of ransomware attacks among developed countries: only 15% of Japanese businesses were hit in 2021. Two main factors contribute to this. First, Japanese organizations have invested, and continue to invest, heavily in anti-malware defenses. Second, the language barrier makes Japanese organizations a more challenging target for adversaries, even in the cyber domain. Some of the lowest levels of ransomware are also reported by Poland, Colombia, Nigeria, South Africa, and Mexico. These countries simply do not attract cybercriminals, as their capacity to pay a hefty ransom is limited.
2021 was also marked by a significant drop in the share of attacks in which the criminals succeeded in encrypting files, and a corresponding rise in the share of attacks stopped before data could be encrypted. Compared to 2020, successful encryption attempts declined substantially, from 70% to 54%, while the proportion of attacks stopped before encryption rose from 24% to 39%. These data indicate that the adoption of anti-ransomware technology is paying off.
The second half of 2021 was rich in ransomware gang activity. Along with the unprecedented volume of attacks, cybercriminals became more aggressive. For instance, the Ragnar Locker ransomware group announced that it would publish all stolen data immediately if a victim involved any kind of professional help or contacted the police. Criminals also routinely intimidate their victims by claiming that skilled ransom negotiators will only make matters worse. In late 2020, Ragnar Locker compromised Campari Group and ran Facebook ads to publicly pressure the company into paying a $15 million ransom, threatening to release 2TB of stolen data otherwise.
Industry and law enforcement have responded to this unprecedented ransomware activity. In October 2021, two ransomware operators were arrested in an operation involving the FBI, Europol, the French National Gendarmerie, and the Ukrainian National Police. The suspects had made multimillion-dollar ransom demands following intrusions into European and US organizations. The operation ended with the seizure of $375,000 in cash and two luxury cars, and the freezing of $1.3 million in cryptocurrency. Later, in January 2022, members of the REvil ransomware group were arrested in Russia; according to US officials, one of those detained was responsible for the May 2021 ransomware attack on Colonial Pipeline.
These are just two of many law enforcement operations carried out against ransomware groups. However, despite these investigative and enforcement successes, dealing with the ransomware threat faces multiple obstacles. While some members of various groups have been arrested, the groups often resurface or rebrand under a new name after a couple of months and continue their activity. And this is on top of the hundreds of ransomware operators that continue to proliferate. A great deal of investigative and enforcement work therefore still lies ahead.
Although many organizations have not yet been hit by ransomware, a large share of them expect to be targeted in the future. This expectation is explained by the growing sophistication of ransomware attacks. At the same time, the fact that most organizations recognize ransomware as a real issue is a positive signal: in practice, this understanding drives greater investment in blocking potential ransomware attacks.
To prevent or block ransomware attacks, organizations need trained IT staff and effective anti-ransomware technology; many sophisticated attacks could have been prevented, or stopped in progress, had trained staff been in place. Applying anti-ransomware technologies or hiring a reliable cybersecurity company to run a Security Operations Center (SOC) are other essential measures. Many organizations wrongly believe that the ransomware threat can be minimized through data backups or cyber insurance. Do not make that mistake: backups and insurance help you restore data and deal with the aftermath of an attack, but they cannot prevent or stop it. Backups in particular only help if they are kept offline or otherwise out of reach of an attacker who already controls the network, and if restoring from them has actually been tested.
Responding to a ransomware attack is stressful, and an effective incident response plan reduces the stress of dealing with one. Every organization should therefore have a detailed malware incident recovery plan. The Sophos report draws a parallel between recovering from malware and recovering from a natural disaster: in both cases, the victim must be able to rebuild from scratch. The Philippines, which suffers frequent natural disasters such as flooding and earthquakes, is the best prepared for a malware incident, with 83% of organizations having full and detailed malware incident recovery plans. The same logic applies to ransomware recovery: the greater the ransomware threat, the better prepared the organization should be.
Given the evolving attack approaches and growing technological interdependence, the ransomware threat is real and highly likely to affect any organization. There is no way to eliminate it, but an organization can prepare itself to respond to the risk.
For more information about the ransomware threat consult the Planet 9 team. We’ll be happy to assist: