Over the last few years, ransomware attacks have steadily increased in volume, sophistication, and ransom sought. The education and retail industries, according to public records, are the most targeted.
The energy, oil, and gas industries, as well as local governments, are the most likely to pay a ransom demand. Manufacturing and production are the most capable of restoring systems from backup; local government and healthcare are the least capable.
These figures come from The State of Ransomware Attacks Report 2022 (PDF), released by risk management firm CyberSaint. Padraic O’Reilly, CyberSaint’s co-founder and CPO, adds the caveat that this method of data collection carries an inherent and unavoidable bias: the figures do not and cannot account for victims who quietly pay the ransom without reporting the breach.
Following the arrest of REvil members by Russian police in January 2022, there was a burst of optimism. The hope was that growing international law enforcement cooperation would lead to a decrease in ransomware activity. While several variables contribute to success in the fight against data extortion, the threat still exists. O’Reilly said he hopes for a better outcome but does not expect one.
CISA, the FBI, the NSA, Australia’s ACSC, and the UK’s NCSC issued a joint cybersecurity advisory on February 9, 2022, warning about trends that indicate a globalised ransomware threat. “Ransomware attacks will become more frequent if the ransomware criminal business model continues to produce financial benefits for ransomware operators,” it said.
The ransomware model is still evolving, and it shows no sign of becoming less profitable for criminals. “This malware economic model allows authors to generate money by selling kits and receiving a part of the desired ransom,” the CyberSaint research said, referring to the emerging ransomware-as-a-service (RaaS) model. “As the market for malware kits develops, the profit potential is limitless.”
“There will always be evil actors,” O’Reilly remarked. “I don’t feel that the implicit permission of one nation state or another is the major concern here,” he continued, referring to the REvil event. There are a number of other countries where tech-savvy criminals can likely operate without fear of being caught. Iran is believed to be ramping up its ransomware operations, while North Korea’s Lazarus umbrella group has long been linked to ransomware.
“The broader concern,” O’Reilly explained, “is that some very important critical infrastructure businesses’ protection mechanisms have major flaws. There will be bad actors who take advantage of these shortcomings as long as they exist.” He doesn’t expect much activity against critical infrastructure from governments, since they are wary of anything that may be construed as direct cyberwarfare, but criminal gangs have no such restraint.
And as long as the RaaS model is in use, there will be incidents the operators themselves did not intend. The attack on Colonial Pipeline, for example, was reportedly carried out by a DarkSide RaaS affiliate rather than by DarkSide itself.
We shouldn’t be preoccupied with the geopolitics of ransomware attacks, nor should we wait for an improvement in international law enforcement collaboration, according to O’Reilly. Instead, we should focus on getting the foundations of ransomware prevention right. “At the very least,” he said, “we need to add effective backup and lock the RDP door using MFA.”
Backup is part of the solution, but it isn’t the whole picture. “Our statistics demonstrate a link between the presence of backup and the victims’ unwillingness to pay the ransom,” he stated. Manufacturing and production are the least likely industries to pay a ransom, and they are the most likely to have adequate backup. Healthcare and local government, by contrast, are two of the industries most likely to pay a ransom, and they are also the least likely to have adequate backup.
Backups, however, will not protect you from extortion based on exfiltrated PII: restoring systems from backup does nothing to recover data the attacker already holds and threatens to publish.