Surveys and reports from various sources have presented a paradoxical picture of the state of ransomware attacks in 2023 – a reminder that the threat landscape is complex and constantly evolving.
In a recent survey from BigID, Cohesity, and Tenable, 93% of 3,400 IT and SecOps leaders said they felt that ransomware attacks have increased this year. Additionally, 80% of respondents expressed concern about their organization’s cyber resilience strategy and whether it can handle today’s threats and challenges.
In the second quarter of 2023, ReliaQuest found 1,378 organizations named as victims on ransomware data-leak websites – a 64% increase from the record-breaking number of victims (838 organizations) named in the previous quarter.
Meanwhile, Comparitech’s real-time ransomware attack map paints a very different picture of ransomware attacks this year. While ReliaQuest’s numbers say that attacks are up, Comparitech’s numbers indicate that attacks are down.
How can these contradictory findings be accurate?
Interpreting Ransomware Attack Data
Both ReliaQuest and Comparitech’s assessments can be accurate depending on how you count attacks, said Steve Stone, head of Zero Labs at Rubrik. If you look at the sheer number of victims, attacks are up. However, if you consider specific attack families, such as MOVEit ransomware, attacks have actually decreased.
To picture this, imagine two pools: one deep and narrow, the other wide and shallow. The wide, shallow pool (the horizontal axis) stands for ReliaQuest’s large count, which tallies every named victim rather than the number of distinct attacks. The deep, narrow pool (the vertical axis) stands for Comparitech’s smaller count of actual attacks.
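The two ways of counting can be made concrete with a small analysis of leak-site postings. The script below is an added example written for this article, not code from ReliaQuest, Comparitech, or Rubrik; it uses constructed sample records, and the `campaign` label (grouping victims that belong to one intrusion wave) is an analyst-assigned assumption, since leak sites do not publish such a field. It deduplicates victims that appear on more than one site, then reports the quarter-over-quarter change both by named victims and by distinct campaigns, which is how a victim count can rise while the number of attacks falls.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LeakPost:
    """One victim entry scraped from a ransomware data-leak site (constructed)."""
    quarter: str   # reporting period, e.g. "2023Q1"
    victim: str    # organization named on the leak site
    group: str     # ransomware brand / RaaS program claiming the victim
    campaign: str  # hypothetical analyst label for the intrusion wave the victim belongs to


# Constructed sample data, not real leak-site records.  Q1 holds four separate
# intrusions; Q2 holds one mass-exploitation wave naming many victims plus one
# ordinary intrusion.  "victim-a" is posted twice in Q1 (two scrapes of two sites).
SAMPLE_POSTS = [
    LeakPost("2023Q1", "victim-a", "group-x", "wave-q1-01"),
    LeakPost("2023Q1", "victim-a", "group-x", "wave-q1-01"),  # duplicate posting
    LeakPost("2023Q1", "victim-b", "group-y", "wave-q1-02"),
    LeakPost("2023Q1", "victim-c", "group-z", "wave-q1-03"),
    LeakPost("2023Q1", "victim-d", "group-x", "wave-q1-04"),
    LeakPost("2023Q2", "victim-e", "group-y", "wave-q2-mass"),
    LeakPost("2023Q2", "victim-f", "group-y", "wave-q2-mass"),
    LeakPost("2023Q2", "victim-g", "group-y", "wave-q2-mass"),
    LeakPost("2023Q2", "victim-h", "group-y", "wave-q2-mass"),
    LeakPost("2023Q2", "victim-i", "group-y", "wave-q2-mass"),
    LeakPost("2023Q2", "victim-j", "group-y", "wave-q2-mass"),
    LeakPost("2023Q2", "victim-k", "group-y", "wave-q2-mass"),
    LeakPost("2023Q2", "victim-l", "group-z", "wave-q2-01"),
]


def victims_by_quarter(posts):
    """Distinct named victims per quarter (the 'wide and shallow' measure)."""
    seen = defaultdict(set)
    for p in posts:
        seen[p.quarter].add(p.victim)
    return {q: len(v) for q, v in seen.items()}


def campaigns_by_quarter(posts):
    """Distinct intrusion campaigns per quarter (the 'deep and narrow' measure)."""
    seen = defaultdict(set)
    for p in posts:
        seen[p.quarter].add(p.campaign)
    return {q: len(c) for q, c in seen.items()}


def largest_campaign_share(posts, quarter):
    """Fraction of a quarter's distinct victims claimed by its single largest campaign."""
    per_campaign = defaultdict(set)
    for p in posts:
        if p.quarter == quarter:
            per_campaign[p.campaign].add(p.victim)
    total = len({p.victim for p in posts if p.quarter == quarter})
    if total == 0:
        return 0.0
    return round(max(len(v) for v in per_campaign.values()) / total, 3)


def pct_change(old, new):
    """Percentage change from old to new, rounded to one decimal."""
    if old == 0:
        raise ValueError("no baseline to compare against")
    return round((new - old) / old * 100, 1)


def compare_quarters(posts, before, after):
    """Return (before, after, % change) for both counting methods."""
    victims = victims_by_quarter(posts)
    campaigns = campaigns_by_quarter(posts)
    return {
        "victims": (victims[before], victims[after],
                    pct_change(victims[before], victims[after])),
        "campaigns": (campaigns[before], campaigns[after],
                      pct_change(campaigns[before], campaigns[after])),
    }


if __name__ == "__main__":
    result = compare_quarters(SAMPLE_POSTS, "2023Q1", "2023Q2")
    for metric, (old, new, change) in result.items():
        print(f"{metric:10s} {old:>3} -> {new:<3} ({change:+.1f}%)")
    print("largest Q2 campaign share:", largest_campaign_share(SAMPLE_POSTS, "2023Q2"))
```

On the constructed data the victim count doubles while the campaign count halves, and one campaign accounts for most of the second quarter's victims. When reading a headline ransomware statistic, the useful first question is which of these two measures it reports.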
The Role of RaaS Providers
Stone attributed this contrast to a sharp increase in ransomware-as-a-service (RaaS) attacks. In the RaaS business model, ransomware service providers orchestrate large-scale attacks. This is because the business model involves not only operational tasks like obtaining email addresses and sending malicious emails but also requires technical support to assist victims in paying ransoms. Moreover, staff is needed to negotiate with victims and provide ransom decryption keys to unlock data. To streamline their efforts, many criminal groups and individuals specialize in their areas of expertise while outsourcing other tasks to RaaS providers.
“Previously, executing a ransomware attack required years of development, penetration testing experience, and cryptography, with only moderate profits,” said Gregory Monson, manager of the cyber threat intelligence team at Trustwave, in a written statement. “Ransomware-as-a-service programs have proliferated on illicit and underground web forums, making it easy and inexpensive for threat actors to partner with ransomware authors.”
“[RaaS models] democratized access to ransomware tools, leading to a proliferation of different gangs,” noted Ani Chaudhuri, CEO of Dasera. “[Gangs like] Mallox, Cl0p, LockBit, DarkPower, and BianLian exemplify various strategies, each with its unique modus operandi and focus.”
The Rise in Double-Extortion Ransomware Attacks
What stands out this year, Chaudhuri said, is the surge in double-extortion ransomware, in which attackers encrypt files but also exfiltrate data. The fact that BianLian shifted from encrypting files to solely focusing on data-leak extortion shows how ransomware operators are becoming more adaptable and resilient. They can change their tactics when defensive measures make their previous methods less effective.
By finding new ways to make money from ransomware attacks, criminals don’t need to carry out as many attacks, Stone added. This reduces their overall business expenses and boosts the profitability of ransomware.
“Ransomware’s integration with data exfiltration allows for even higher ransoms by threatening the potential risk of legal action against the victim corporation,” Monson said.
Cyber Insurers React
Adding to the complexity for organizations is the recent trend among cyber insurers to exclude coverage for ransomware or cyberattacks orchestrated by state-sponsored attackers. This trend began with Lloyd’s of London in response to the costs incurred from the NotPetya attack. Other insurers have since followed suit and are reconsidering their coverage, according to attorney Mark Rasch at Kohrman Jackson & Krantz LLP.
CISOs Must Stay Vigilant
If CISOs think their defenses are “good enough” and that hackers wouldn’t dare breach their walls, they should be thinking again, said Kevin Kirkwood, deputy CISO at LogRhythm.
“A security program must constantly adapt to the changing landscape,” Kirkwood explained. “CISOs must constantly check their assumptions about what they know of their defenses and what is happening in the InfoSec space and develop a robust testing routine.” Testing should include attack and defense simulations that change with the introduction of potential zero-days, he added.