Ransomware surged last year, but law enforcement struck back

31 Jan 2024


From criminals shifting their ransomware tactics to claims that fewer companies are paying ransom demands, it appears these types of cyberattacks had a transformative period last year.

Multiple reports suggest ransomware is on the rise and that mid-sized companies are becoming a key target.

A report by cybersecurity company Delinea suggests that ransomware criminals are changing tactics from the usual method of crippling a company for ransom to using stealth to exfiltrate private data. This report claims these hackers then threaten to sell the data to the highest bidder on the dark web.

The report is based on a survey of more than 300 IT and security decision-makers in the US, conducted to identify significant changes in the ransomware landscape. The results suggest ransomware has not reached the peak levels witnessed in 2021, but the number of attacks doubled in 2023 compared to 2022.

Mid-sized companies appeared to be the most targeted, with 65pc of leaders for these companies stating they suffered a ransomware attack in the previous 12 months. This report also suggests organisations are paying ransoms more frequently, up to 76pc last year compared to 68pc in 2022.

The report reveals that data exfiltration surged by 39pc and was the preferred goal of many attackers with 64pc of respondents reporting this kind of attack, while traditional “money grab” attacks were reported by 34pc of respondents, down from 69pc in 2022.

Delinea president Rick Hanson said it’s no longer “just about the quick and easy payout” for ransomware attackers.

“Even as organisations are investing more in safety nets like cyberinsurance which often have ransomware payouts included in coverage policies, cybercriminals are finding that using stealth tactics to stay under the radar and access sensitive, valuable information to sell is the better investment of their effort,” Hanson said.

Police hit back

Another report that looked at ransomware’s impact last year suggests that attacks occurred at a “record-setting” pace, with an increase in attacks for the first three quarters of 2023, followed by a slight decline in the last quarter.

This report by Corvus Insurance claims ransomware activity last year was 68pc higher than it was in 2022. But it also claimed that significant law enforcement activity disrupted the ransomware ecosystem towards the end of 2023.

Some of the key actions by global law enforcement on ransomware activity included the takedown of the BlackCat ransomware gang and the elimination of Qakbot, a type of malware used to gain access to victims’ networks.

The report claims Qakbot represented 31pc of the total volume of ransomware attacks in the third quarter of 2023 – the same quarter in which it was taken down.

The report claims that attacks fell by 7pc in the fourth quarter of 2023 compared to the third quarter thanks to law enforcement activity. But this fourth quarter still had more ransomware attacks than the same quarter of 2022.

“While ransomware activity spiked to an all-time high in 2023, the real story here is the incredible impact law enforcement had on these groups as we closed out the year,” said Corvus Insurance CISO Jason Rebholz.

“Unfortunately, there’s no time to celebrate. Threat actors are resilient and have quickly pivoted to new malware, which means everyone must remain vigilant in their commitment to mitigating these threats.”

Fewer ransom payouts?

While the Delinea report suggests more companies paid ransom demands last year, a report from ransomware recovery firm Coveware claims the proportion of victims paying ransoms dropped to a “record low margin” of 29pc towards the end of 2023.

The company attributed this decline to enterprises being able to recover from incidents without decryption tools and a growing reluctance to pay ransoms – as fewer companies believe the promises the ransomware gangs make.

“The industry continues to get smarter on what can and cannot be reasonably obtained with a ransom payment,” Coveware said. “This has led to better guidance to victims and fewer payments for intangible assurances.”

Various cybersecurity experts have advised companies not to pay ransom demands, as there is never a guarantee that the criminals will return stolen data and the funding could be used to support future cybercriminal activity.

But Coveware also claimed in its report that government-issued bans on ransomware payments would cause extra problems, such as stopping companies from reporting ransom payments they made.


Leigh Mc Gowran is a journalist with Silicon Republic