Part 1 of 3 in a Series
In 1989, the first-ever malware extortion (ransomware) attack known as the “AIDS Trojan” arrived via floppy disk. The attackers asked victims to send a mere $189—worth about $450 in 2023—via check through the mail in exchange for a decryption key.
Cybersecurity professionals must keep up with the changing ransomware landscape to help prevent these costly attacks. Below, we’ve gathered the top five ransomware trends Proofpoint has recently observed that organizations should know about.
1. Ransomware persists with more attacks on critical infrastructure
Global ransomware attacks may seem to be stagnating lately, but they remain a persistent threat. The appearance of a lull may be connected to the shutdown of several prolific ransomware gangs by law enforcement. Plus, other groups have recently been dissolved or reorganized. These developments have temporarily shaken up the market. Additionally, ransomware-as-a-service (RaaS) organizations have been consolidating. RaaS groups develop ready-to-execute ransomware tools and sell them on a subscription model. By lowering the cost and level of technical expertise needed to launch ransomware attacks, these groups have opened the market to less experienced threat actors.
Today the pool of potential victims is shrinking because many potential targets are strengthening their security posture. As a result, attackers have moved on to easier targets. Frequently, this means going after critical infrastructure, like transportation, communication, healthcare and education. In 2022 alone, these organizations made 870 complaints to the FBI about ransomware attacks, which is an increase of 34% year over year (YOY).
In the 2022 Cost of a Data Breach Report, IBM notes that critical infrastructure organizations often lag when it comes to implementing a zero trust strategy and investing in security technology. So when they are breached, costs can be up to 23% higher than their peers. This makes them an attractive target for ransomware groups. Education and healthcare organizations were particularly impacted by this trend in the later part of 2022.
Not only are ransomware attacks to critical infrastructure incredibly expensive, but they’re now also considered a threat to national security. The White House recently released its National Cybersecurity Strategy, which reclassifies these attacks as threats to “national security, public safety, and economic prosperity.”
2. Growth in multistage extortion techniques
The days of simple system lockdowns and encryption after a ransomware attack are over. Threat actors are now focused on increasing their payouts. This means they’re asking for multiple payouts, carrying out multiple data breaches, publicly shaming their victims on leak sites and blackmailing consumers in double- and triple-extortion schemes.
In our 2023 State of the Phish report, Proofpoint observed that 64% of organizations infected by ransomware agreed to pay the ransom. Of that group, 41% were forced to pay more than once. And a small and unlucky percentage of this group never got back access to their data; unfortunately, this situation is not uncommon.
In the last few years, we’ve seen ransomware attackers employing double extortion more frequently. This entails exporting customer data and using it for leverage instead of simply halting company operations. Sometimes, these threat actors skip encryption and go straight to extortion tactics.
The number of malicious actors that favor data theft and extortion attacks—and don’t use ransomware—are growing. In the 2023 Global Threat Report, CrowdStrike reported that this group grew by 20% in 2022. Extortion techniques have also progressed, giving rise to triple extortion. In this case, ransomware gangs bypass organizations and go directly to consumers with their stolen data to alert them of a breach.
The goal of triple extortion is to convince customers to apply additional pressure on the victim company and, rarely, to extort the customers themselves. An example of this criminal technique occurred in the United States in December 2022 at Knox College in Illinois. The recently disrupted ransomware group known as Hive gained access to sensitive student information and contacted students directly, saying, “For us, this is a normal business day. For you, it’s a sad day,” before listing their demands.
3. As security postures strengthen, ransom prices plateau
Years of combatting ransomware on multiple fronts appears to be having a positive effect. In January, Chainalysis estimated ransomware payments significantly declined in 2022, falling from $5.7M to $4.1M. Rather than a substantial decrease in ransomware threats, this decline can likely be attributed to progress on several fronts. Today, companies are better equipped to avoid ransomware attacks. Plus, it’s harder for attackers to receive payment due to turmoil in the cryptocurrency markets. Companies are also heeding law enforcement pleas to forego payment.
This is good news for any company that’s infected with ransomware in the future. But paying a ransom remains a concern, especially for organizations that rely on cyber insurance to recoup their costs. In our 2023 State of the Phish report, of the 82% of organizations who suffered a ransomware incident and requested coverage from their cyber insurance policies, less than 40% received full compensation. Cyber insurance is also becoming increasingly more expensive and difficult to buy. In 2022, Forrester reported that only one in five organizations had a cyber insurance policy that covered more than $660,000. This figure is far less than the average $2.2 million ransom demand seen by Palo Alto Networks.
This once again proves how crucial the “shift left” in preparedness to prevent initial payloads has become. Another bright spot in this trend is that the average discount on ransomware payments appears to be increasing, too. Victims can traditionally expect a 20% to 25% discount on payments, with many realistically seeing discounts of up to 60%.
4. Ransomware groups become more targeted and sophisticated
As more companies resist paying, ransomware groups are becoming more strategic about their mode of attack and their choice of victim.
Ransomware groups have also expanded their attack channels to include messaging apps, text messages, and phone calls. We group these threats as Telephone Oriented Attack Delivery (TOAD) threats. By December 2022, Proofpoint was observing an average of 300,000 to 400,000 TOAD threats per day. These communication channels often go unprotected. And some victims continue to receive ominous text messages and threatening voicemails even after the attacker’s ransom request has been delivered.
Ransomware groups are also continuing to directly recruit employees to compromise their employers. Six-figure payouts are promised if they’re successful. Previously, such requests were made privately via email or LinkedIn messages. More recently, ransomware groups, such as Lapsus$, have posted “help wanted” ads on Reddit and the deep web, asking for access to specific companies. These tactics mark a disturbing turn in the rise of insider threats.
When attackers breach an organization, they move laterally through its network. As they move, they search for sensitive data and take over privileged accounts to access it. Attackers rely on this tactic of compromising identities. That’s why analysts have coined a new security term, Identity Threat Detection and Response (ITDR), to highlight this growing problem. IDTR describes strategies and solutions, like Illusive, that detect and stop attackers from gaining account access, stealing credentials, and other identity-related threats.
When their hold on a system has been fully established, some ransomware groups, such as Lorenz, are doing extended reconnaissance on their victims. The malware they use to compromise a victim’s system is more and more likely to be highly targeted and custom-coded. This strategy boosts their likelihood of success and helps to maximize each attack effort.
5. Ransomware evolution picks up the pace
As an industry, ransomware is moving faster than ever. According to Ivanti, known system vulnerabilities associated with ransomware are up 12% YOY as of the third quarter of 2022. And many ransomware groups are becoming more agile and flexible to take advantage of these vulnerabilities once they are publicly known—or even before.
These groups also use this flexibility to improve their products and evade law enforcement. Arete and Cyentia noted in their combined ransomware report that 70% of the most common ransomware strains in 2022 didn’t exist in 2021. This indicates an extremely turbulent environment. It may also be due, in part, to rebranding, which is common in the industry.
Certain ransomware groups, like BlackCat, are known to go quiet to avoid detection, only to improve their malware and reemerge under an entirely different moniker. This practice makes tracking and stopping these groups much more difficult.
Is your company preventing ransomware?
Ransomware had a busy year in 2022. And in 2023 the threat landscape continues to change daily. Threat actors are finding more ways to secure larger payouts while returning less data. That’s why it’s critical to focus on preventing ransomware rather than finding it after an attack.
With our layered approach to security and advanced detection algorithms, Proofpoint shifts the attack chain left to stop ransomware attacks before they land in your users’ inboxes.
How do you know if your company is successfully stopping ransomware attacks? Take the free Email Rapid Risk Assessment from Proofpoint to see ransomware and malware threats in your environment. In less than five minutes, you can:
- Uncover the threats your email security solution is missing
- Visualize the people at your organization who are being targeted, like your Very Attacked People™ (VAPs)
- See how Proofpoint provides the best integrated, layered protection against evolving threats