On the surface, ransomware – malicious software designed to block access to a computer system until a sum of money is paid – appears to be off to yet another ruthless start in 2023 as one of the leading types of malware. Recent victims of public attacks in North America include industries such as health care, communication, education, and even government offices and municipalities.
While this all seems like business-as-usual for ransomware infections, this is not quite the case. Despite increasing ransom demands and the entry of several new ransomware gangs last year, one survey indicates that the likelihood that victims would pay cybercriminals decreased. Along with that, most organizations also indicated that they were well positioned to withstand and quickly recover from a ransomware attack.
Moving forward, ransomware won’t be stopped cold. Cybercriminals know where the money is, and ransomware is relatively easy to execute, especially amid the growth of ransomware-as-a-service, which reduces the barriers to ransomware because skill in writing code isn’t needed to launch a malware campaign. Nonetheless, last year showed that ransomware can be slowed.
In recent years, the ransomware headache has grown more severe as the number of attacks against large organizations has swelled, and double-extortion tactics have become common fare. But the U.S. government has taken action, and many companies have also started to take a firm stance against paying ransoms. Among other things, the government is putting less effort into legally charging foreign attackers, who may never wind up in a U.S. courtroom, concentrating instead on hindering ransomware’s impact.
Ransomware has reached a critical tipping point, one that leads directly to real-world consequences, not just a bothersome corporate hurdle. This initially became crystal clear two years ago, when the Colonial Pipeline attack created huge gasoline shortfalls throughout the Southeast, sabotaging the day-to-day lives of millions of Americans.
According to the latest IBM X-Force Threat Intelligence Index, the number of U.S. ransomware attacks decreased by four percent in 2022. This improvement isn’t all that much, but it contrasts with a whopping 93 percent increase in ransomware attacks in 2021: 2,690 attacks, compared to 1,389 in 2020, according to the Annual Threat Monitor of NCC Group.
Tech-savvy IT companies were the standouts last year, according to Delinea, a Silicon Valley-based extended privileged access controls company. In a survey of 300 U.S.-based decision makers about the impact of ransomware on their organizations, Delinea found that 25 percent of these organizations were victims of ransomware, compared with 64 percent that reported being victims in 2021. In addition, the share of victimized companies that paid the ransom declined from 82 percent in 2021 to 68 percent in 2022.
It’s important to note that a one-year decline could ultimately be merely an aberration. Indeed, the first quarter of 2023 saw a reversal in ransomware's decline. According to a report by an intelligence company that monitors external risk exposure and mitigation, there were 831 U.S. ransomware victims in the first quarter, up from 763 in the first quarter of 2022, an increase of nearly nine percent. This may or may not be meaningful, partly because quarterly trends are often unusually volatile.
Also noteworthy is that the U.S. government has been fighting ransomware more aggressively in stages, which could reduce the first quarter’s increase in ransomware attacks in subsequent quarters. Just in March, for example, U.S. cybersecurity officials unveiled a new program to warn American companies that form part of the critical infrastructure that their systems are vulnerable to ransomware attacks before attackers can successfully strike.
There is a crucial window between when a malicious actor gains access to a network, and when the network is locked and the ransom is demanded. The new program instituted by the Cybersecurity and Infrastructure Security Agency (CISA) is trying to capitalize on this. CISA recently said it has already notified 60 organizations in key sectors, such as healthcare and water control systems, that they might be on the verge of falling victim to a ransomware attack. Reportedly, some of them were able to prevent their systems from being encrypted.
The upshot is that federal government entities and big companies are working harder to slow down ransomware. Here is what is occurring:
+ The FBI has found ways to recover some ransomware payments, including $2.3 million paid after the Colonial Pipeline attack. And this year, the FBI successfully disrupted Hive, a notorious ransomware group, heading off $130 million worth of ransom demands that targets no longer had to consider paying. The FBI had managed to infiltrate the group’s network for months, essentially hacking the hackers by snatching up decryption keys and passing them on to victims whose data was locked up by the group.
+ According to Coalition Cyber Insurance, a leading provider of cyber insurance and security, the prevalence of offline backup systems at major companies is growing, enabling ransomware targets to simply restore their data without engaging with their attackers. According to a cyber extortion incident response firm, this allows victims to stop paying. It says 41 percent of victims paid ransoms in 2022, down from 76 percent in 2019.
+ More ransomware victims are also ignoring ransom demands because they don’t want to risk violating U.S. rules if they make ransom payments to entities that might be on the OFAC sanctions list. Victims are also thinking twice about paying because ransom price tags have escalated sharply. A few years ago, demands were in the low six figures, sometimes even less, but more recently they have reached seven to eight figures. Companies are increasingly finding it less expensive to deal with recovery costs and possible lawsuits than to pay the ransom.
The evolution of ransomware has been relatively short, but incredibly alarming. As recently as a decade ago, it mostly targeted individuals and simply encrypted a victim’s files, usually demanding sums of only a few hundred dollars. It then grew naturally, becoming so problematic that it became the subject of U.S. Presidential actions. Most recently, in 2021, President Biden sternly told Russian President Vladimir Putin that attacks emanating in Russia, believed to be the single biggest source, must stop. That appears to have been inconsequential, but the White House has since taken additional steps toward mitigating ransomware.
More government measures are likely to unfold as 2023 winds on. Let’s hope that these and the aforementioned developments help mitigate ransomware for the second consecutive year.
About the Author:
Robert Ackerman Jr. is the founder and managing director of AllegisCyber Capital, an early-stage cybersecurity venture capital firm based in Silicon Valley. He is also co-founder and a board director of DataTribe, a seed and early-stage foundry, based in Fulton, Md., that invests in young cybersecurity and data science companies.
Bob has been recognized as a Fortune 100 cybersecurity executive and also as one of “Cybersecurity’s Money Men.” Previously, as an entrepreneur, Bob was the president and CEO of UniSoft Systems, a leading UNIX systems house, and founder and chairman of InfoGear Technology Corp, a pioneer in the original integration of web and telephony technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.