AMID A CONCERTED effort by global law enforcement to crack down on ransomware attacks, payments to hackers and even the volume of attacks fell in 2022. But the trend doesn’t seem to be holding for 2023, and attacks have shot up again.
Data from cryptocurrency tracing firm Chainalysis indicates that victims have paid ransomware groups $449.1 million in the first six months of this year. For all of 2022, that number didn’t even reach $500 million. If this year’s pace of payments continues, according to the company’s data, the total figure for 2023 could hit $898.6 million. This would make 2023 the second biggest year for ransomware revenue after 2021, in which Chainalysis calculates that attackers extorted $939.9 million from victims.
The findings track with general observations from other researchers that the volume of attacks has spiked this year. And they come as ransomware groups have become more aggressive and reckless about publishing sensitive and potentially damaging stolen information. In a recent attack against the University of Manchester, hackers directly emailed the UK university’s students telling them that seven terabytes of data had been stolen and threatening to publish "personal information and research" if the university didn’t pay up.
“We think as a result of their budgetary shortfalls in 2022 we’ve seen these more extreme extortion techniques, ways to kind of twist the knife,” says Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. “In 2022 we were very surprised to find that decline. Then we talked to external partners—incident response firms, insurance companies—and they all said, yeah, we’re paying less, and we’re also seeing fewer attacks.”
Chainalysis and other organizations attributed the slump in 2022 to a number of factors. Expanded security protections and preparedness played a role, as did the availability of decryption tools offered by private companies and the FBI to help ransomware victims unlock their data without paying attackers. Chainalysis also believes that Russia’s invasion of Ukraine impacted the day-to-day operations of a number of prominent ransomware groups, which are primarily based in Russia.
Improvements in how potential victims defend themselves along with government deterrence initiatives haven’t fallen off in 2023. But Chainalysis researchers suspect that the evolving state of Russia’s war in Ukraine must explain this year’s increased ransomware activity, or at least be playing a role.
“I really think the tide of the Russia-Ukraine conflict has impacted these numbers,” Chainalysis’ Koven says. “Whether that’s actors have settled into safe locations, whether their year of military service has finished, or whether perhaps there’s a mandate to release the hounds.”
Chainalysis specializes in cryptocurrency surveillance and tracking, so researchers at the company are well positioned to capture the scope and scale of ransomware payments. The company says it takes a conservative approach and is rigorous about continuing to retroactively update its annual totals and other figures as new data comes to light about historic transactions. In general, though, many researchers emphasize that true totals for ransomware attacks or payments are virtually impossible to calculate given available information, and that numbers like those from Chainalysis or government tracking can be used only as broad characterizations of trends.
"We still have such poor insights on the actual number of attacks," says Pia Huesch, a research analyst at the British defense and security think tank Royal United Services Institute. She adds that companies are still reluctant to talk about attacks, fearing reputational harm.
In May, officials at the UK's National Cybersecurity Center and data regulator the Information Commissioner's Office said they were increasingly concerned about companies not reporting ransomware attacks and “the ransoms paid to make them go away.” They warned that if incidents are “covered up,” the number of attacks will only increase.
"Individuals who engage in cybercrime, to them the benefits still massively outweigh the risks of perhaps being prosecuted," Huesch says.
Regardless of their ability to independently validate ransomware revenue totals like those put forward by Chainalysis, researchers agree that ransomware represents a dire threat in 2023 and that the most prolific groups, most of whom are based in Russia, are evolving to counter defenses and meet the current moment.
“The ransomware groups who are still around are really good at what they do, and it is hard for organizations to secure against all possible points of entry,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “And what’s worse, the groups seem to be mastering new techniques.”
One such tactic that researchers and governments have their eye on is mass exploitation campaigns in which a ransomware group finds a vulnerability in a widely used product that they can exploit to launch extortion campaigns against many organizations at once. The Russia-based gang Clop, in particular, has refined this technique.
All of this bodes poorly for anyone who hoped after last year that the tide was turning against ransomware actors.
No comments:
Post a Comment