As a cybersecurity professional, I work with organizations to help them to protect their most sensitive data, improve their resilience, and continue operations. This involves being aware of the threat actors and knowing how to include their motivation and methods in security preparation.
Ransomware is one of the most common cyberattacks, targeting a variety of industries and organizations, often used by overseas, state-sponsored, organized crime groups. According to the 2022 Cost of a Data Breach Study by IBM and the Ponemon Group, 11% of reported breaches were from ransomware attacks, up from 7.8% in 2021.
The FBI describes ransomware as, “a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.” These attacks cause massive disruption to operations, preventing organizations from performing core functions.
Traditionally, ransomware was a means to hold data hostage for a payout. It has proven to be big business and has encouraged the evolution of criminal organizations known as ransomware groups. Starting with just three in early 2020, we have seen a 600% increase in the number of active groups. These organizations often disband and later reform under different names.
In addition to their rise in numbers, ransomware groups’ methods and tactics have evolved. The release of LockBit 3.0, also known as LockBit Black, propagated the double extortion method against victims. Double extortion means that the cybercriminals are both encrypting and exfiltrating (transferring) data from their victims. These malicious actors threaten that if the ransom is not paid within the allotted time, they will not only refuse the decryption key but also expose and sell the stolen data on the dark web.
Surefire Cyber is a CAI partner specializing in pre-incident planning, incident response, and post-incident services. Brian Dykstra, Director of Forensics at Surefire, has over twenty years of experience in cyberattack investigations. He provides digital forensics, e-discovery, expert witness, and cybercrime services to corporate and government entities. Based on his expertise, Dykstra shared some insights into common ransomware sources.
“Ransomware is very popular with Eastern European organized crime groups that target U.S. businesses, as well as state and local government,” says Dykstra. He adds that “In many countries, there are likely state supported – through bribery of government officials – but not necessarily state directed ransomware groups.”
Since the early 2000s, thirty-four countries have been suspected of sponsoring cyber operations. China, Russia, Iran, and North Korea sponsored 77% of all suspected operations. Gaining access to virtual private servers (VPS) in these countries is easily attained through anonymous Bitcoin payments. Because of this, “Ransomware threat actors – from anywhere – can then mask their activities behind these false front virtual servers,” says Dykstra.
In my own experience, I have seen that threat actors accessed their victim’s network for weeks, and even months, in advance of the attack. This gave them considerable time to explore the environment before releasing the ransomware. According to the Ponemon IBM study, it takes 207 days to identify a breach, with another 70 days to contain it. That allows cyber criminals ample time to map the victim’s network, collect information, and strategically plan an attack.
Are Ransomware Attacks Declining?
In 2021, there was a record number of ransomware attacks, rising by about 92.7% from the previous year. However, the upward trend has not continued. According to Digital Shadows, Q3 of 2022 saw ransomware activity decline as much as 10.5% from Q2.
The drop in reported ransomware attacks does not mean they are going away. In an August article from the Washington Post, experts warned that ransomware is still active. The article provides theories on why these numbers appear to be down, including the disbandment of the Conti group (a large ransomware organization), sanctions against Russia, or criminal organizations focusing on smaller targets that are not likely to report.
While the number of reported ransomware attacks may be fewer, they have become more robust. The double extortion tactic is a prime example, making victims more compelled to make the ransomware payment.
But, should the ransom be paid? If so, what are the benefits?
This is a topic we will discuss in our next article.
End Notes IBM. “Cost of a data breach 2022.” November 15, 2022. https://www.ibm.com/reports/data-breach
 FBI. “How we can help you – ransomware.” November 15, 2022. https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/ransomware
 Crane, Hassold. “A Deep Dive into Active Ransomware Groups.” Abnormal Security. May 27, 2022. https://abnormalsecurity.com/blog/deep-dive-active-ransomware-groups
 Rees, Katie. “What Is the LockBit 3.0 Ransomware and What Can You Do About It?” MUO, Make Use Of. August 12, 2022. https://www.makeuseof.com/what-is-lockbit-ransomware-what-can-you-do-about-it/
 Council on Foreign Relations. “Cyber Operations Tracker.” CFR, Council on Foreign Relations. November 15, 2022. https://www.cfr.org/cyber-operations/
 IBM. “Cost of a data breach 2022.” November 15, 2022. https://www.ibm.com/reports/data-breach
 Security Magazine. “Ransomware attacks nearly doubled in 2021.” Security Magazine. February 28, 2022. https://www.securitymagazine.com/articles/97166-ransomware-attacks-nearly-doubled-in-2021
 Kim-McLeod, Riam. “Ransomware In Q3 2022,” Digital Shadows, Cybercrime, and dark web research. October 19, 2022. https://www.digitalshadows.com/blog-and-research/ransomware-in-q3-2022/ https://www.digitalshadows.com/blog-and-research/ransomware-in-q3-2022/
 Starks, Tim. “Is the drop in ransomware numbers an illusion?” Washington Post, The Cybersecurity 202. August 17, 2022. https://www.washingtonpost.com/politics/2022/08/17/is-drop-ransomware-numbers-an-illusion/