The rise of ransomware attacks
Are ransomware attacks on the rise?
Definitely yes.
Ransomware attacks are on the rise, and they will only get worse in the near future.
This claim cannot be proven by numbers and graphs alone, due to the following considerations:
- Most public ransomware statistics have become practical and relevant, especially after the increase in attackers’ publications (on darknet websites) in 2020.
- The number of incidents is not the only factor because the ransom price has increased over the years and can differ for each incident.
- Some ransom groups have stopped publishing their victims, so there are some “hidden” incidents.
- Paid ransom incidents are hard to measure.
Based on Ransom-DB.com statistics, which are pretty close to other publications and are also affected by the same considerations:
- The number of incidents in 2020 is 1396.
- The number of incidents in 2021 is 2699.
- 2022 already has 577 incidents.
We also know that the attackers are getting more sophisticated, and that the attacks spread mainly through significant public vulnerabilities like the Log4j one.
[Figure: Ransomware Incidents / Victims Over Time. Ransomware Statistics for 2022 (Ransom-db.com)]
For more useful ransomware statistics:
https://www.ransom-db.com/ransomware-statistics
Who’s behind the ransomware attacks?
We will address this question with respect to the most significant groups.
The groups consist of professionals, both business and technology members.
Based on their work, we can say their technology skills are high. They know how to do their job and maintain their operations very well.
Also, they know how to keep themselves behind the scenes.
The primary motivations of ransomware groups are:
- Financial
- Political
- Hacktivism
- Cyberwarfare
Which countries do most attacks come from?
We prefer not to name specific countries.
Countries with minimal enforcement, punishment, and extradition agreements for computer crimes are the best places for ransomware groups.
Also, there are state-sponsored cyberattacks as a part of global cyberwarfare. The more a country is involved in state-sponsored cyberattacks, the greater the chance that ransomware groups will be there.
It is often even possible to link the type of regime and the nature of the government to the ability of ransom groups to operate from the same country.
Now you can do your math :)
What are the success rates in ransomware attacks, and how many victims pay?
Let’s start with the fact that there is no precise data on this issue: when a victim pays the ransom, the ransom group hides it as part of the deal, and the victim who paid tries to stay behind the scenes.
When a business understands that the damage value is higher than the ransom price, the chance that it will pay the ransom is higher.
The rise in cyber insurance only increases the victims’ ability to pay the ransom with a minimum of economic damage.
Public reports show that between 35% and 40% of the victims paid the ransom.
Besides the rate of paid ransoms, the success rate of compromising victims is very high.
Not all ransomware attacks are targeted attacks, which significantly increases the attack surface and the chance of success.
How much money do ransom groups earn?
Accurate data on this issue is difficult to obtain.
Most statistics are based on two main measures:
- “Known” incidents, which can only be measured from public data and do not account for the “unknown” incidents.
- Voluntary sharing of information by companies.
When wallet addresses are available, their transactions can be monitored.
In the early days of cryptocurrency, it was much easier to do so. Nowadays, cryptocurrency “Mixing” services make the process harder by moving the coins between wallets.
How can companies prevent ransomware attacks?
It all starts with awareness. Organizations must know the risks of a ransomware attack and prepare themselves for it. They need to protect against and avoid cyber-attacks, and to handle and contain such attacks with the proper response.
The main steps organizations need to take are:
- Conduct cyber awareness training for users.
- Conduct penetration testing & red team assessments on the organization’s assets.
- Vulnerability scanning.
- Use known and updated antivirus software on all computers.
- Keep all computers fully patched.
- Secure web filtering.
- Harden computers and servers.
- Enforce a secure organizational policy based on best practices.
- Restrict and enforce “Bring your own device” (BYOD).
- Restrict personal usage of the organization’s equipment.
- Avoid opening files or clicking on links from unknown sources (especially in the email channel).
- Implement security countermeasures like Firewall, Email Security Gateway, Anti-Virus, EDR (For more mature organizations), IPS.
- Monitor and respond to any security incident that occurs on the network.
- Keep an extra focus on legacy systems.
- Enforce Multi-Factor Authentication where possible.
- Back up data frequently and automatically to a place that is independent of internal computer systems.
Does the authorities’ arrest of significant ransom groups impair the continuity of ransomware attacks?
We can say that law enforcement has disrupted ransomware attacks and groups more than once.
History and current events tell us that it’s not over, and that the attacks are not necessarily significantly affected. Moreover, the ransomware landscape is only intensifying.
To what extent are countries involved in ransomware attacks?
To a considerable extent. It should be understood that this is not necessarily only related to ransomware attacks. We have long been in day-to-day cyber-warfare that is only intensifying. It is impossible to avoid entering cyberspace as a nation-state.
We do not always know what is happening behind the scenes between nation-states in cyberspace. When nation-states invade other nation-states, they cannot hide it in the physical space.
In cyberspace, staying under the radar is much easier. As time goes on, we will increasingly understand the significance of the nation-state’s involvement in cyber-warfare.
If you want to stay updated with the latest ransomware attack news, please visit ransom-db.com