Recent insights from cybersecurity vendors indicate a ransomware decline in 2022. But experts caution the reality of the situation is more complicated.
IBM's X-Force last month published their annual Threat Intelligence Index report, which claimed defenders were getting better at stopping ransomware attacks. IBM found that a slightly smaller percentage of threat actors managed to successfully execute a ransomware attack in 2022 than the previous year. IBM X-Force's head of research John Dwyer told TechTarget Editorial the drop is the first he has seen in five years.
Ransomware incident response vendor Coveware said in January that it had seen a considerable drop in the percentage of victims deciding to pay the ransomware ransom, from 85% of victims in Q1 2019 to 37% of victims in Q4 2022. Mandiant, meanwhile, told TechTarget Editorial it responded to 15% fewer ransomware incidents in 2022 and saw a 7% decline in the number of victims it tracked on data leak sites.
The Wall Street Journal in February published an article about a possible decline in ransomware that cited the Mandiant figure as well as one from CrowdStrike. The latter showed a drop in the average ransomware payment demand from $5.7 million in 2021 to $4.1 million last year.
Jeremy Kennelly, Mandiant senior manager of financial crime analysis at Google Cloud, said he believes multiple shifts in the ransomware ecosystem likely contributed to the stats. These shifts included ongoing law enforcement efforts targeting ransomware operations, Russia's invasion of Ukraine, and threat actors adjusting their initial access operations "to a world where Microsoft Office macros may often be disabled by default."
Ransomware is still a threat
Even with optimistic data points from 2022, experts say the present state of ransomware remains troubling and complicated.
For one, ransomware is not a one-size fits all problem, and not all sectors are created equally. Operational technology (OT) security vendor Dragos said in its February "Year in Review 2022" report that ransomware attacks against industrial organizations were up 87% year-over-year. The vendor also found a 35% increase in the number of ransomware groups attacking organizations using OT in 2022 over 2021.
Another possible explanation for a slight ransomware decline could be threat actors changing tactics. CrowdStrike recently reported a 20% year-over-year increase in the number of threat actors using data theft and extortion without deploying ransomware.
Adam Meyers, senior vice president of intelligence at CrowdStrike, told TechTarget Editorial that he felt stats suggesting a ransomware decline reflected on threat actors' ability to "adapt, splinter, regroup and flourish in the face of defensive measures." He added that while CrowdStrike saw ransom payments dip slightly in 2022, the vendor also saw a "huge uptick" in data extortion and ransomware as a service.
Sophos senior manager of threat research Christopher Budd similarly expressed caution at the idea of a decline in ransomware. He referenced the security vendor's own 2023 threat report, saying that while Sophos observed a relatively stable volume of attacks year over year, "our incident responders continue to react to and remediate significant ransomware activity around the world."
"Defenders should not let their guard down in any way because of any perceived 'reduction' in attacks," Budd said. "In fact they should heighten defenses, because any lull in a certain type of cyberattack typically indicates that adversaries are working on some other form of attack or tweaking their [tactics, techniques and procedures] to be more effective and successful with ransomware or data breaches."
Budd said attack volumes have remained consistently high since 2020 and that Sophos doesn't expect ransomware attacks to materially slow down in the future.
Some cause for optimism
Even still, there is some reason to be optimistic. Echoing IBM X-Force's stats, Kennelly said defenders are continuously improving.
"Defenders are always getting better at detecting and preventing the tactics, techniques and procedures that attackers are actively using, However this process of continual improvement drives a parallel cycle of improvement in the criminal ecosystem," he said. "Certain defense strategies may cause more pain than others and help contribute to an aggregate decrease in cybercriminal activity, though it is difficult to directly correlate the action to a particular outcome."
Elizabeth Cookson, director of incident response at Coveware, said her optimism toward ransomware "is the highest it has been since I started in ransom negotiations nearly eight years ago." This is due to strides made by law enforcement as well as defenders like enterprises learning from their own -- and others' -- mistakes in the past.
To that point, the U.S. government has begun to show a more aggressive approach to ransomware. The White House last week released a 39-page National Cybersecurity Strategy that, in part, declared plans to take the fight to ransomware by both promoting international cooperation and utilizing authorities to disrupt cybercriminal operations.
The strategy's plans are reflected in a January bust of the Hive ransomware gang. The FBI led a joint law enforcement investigation that included a months-long infiltration into the gang and was disclosed following the seizure of servers containing Hive's critical information, including decryption keys for current and past victims. On the flip side the strategy unveiling also shortly followed the U.S. Marshall's Service confirming it suffered a ransomware attack.
Cookson said that while enterprises have steadily improved their cybersecurity hygiene in recent years, it hasn't made ransomware obsolete. However, it has forced threat actors to "expend far more resources on attacks and develop more creative ingress and persistence mechanisms to have any success." Those creative shifts include ditching actual ransomware altogether.
"I think it's fair to say businesses today are significantly more likely to either (a) detect and thwart an imminent attack before it begins or (b) contain an active attack so that it has little operational impact," she said. "The main way threat actors have responded to these resiliency measures is to pivot more toward data-exfiltration-only attacks, which don't rely on business interruption to coerce a payment but instead on the threat of reputational harm resulting from a public data leak."
Cookson warned that ransomware actors pivoting to data theft only doesn't make them less dangerous.
"Even the most well protected companies are susceptible to data theft attacks."
An inflection point
In the aforementioned Threat Intelligence Index, IBM's X-Force found that two thirds of the backdoor activity it tracked from threat actors in 2022 had the makings of a ransomware attack. But it was successfully thwarted by defenders and incident responders before the activity could progress to a full-scale attack.
Dwyer told TechTarget Editorial that X-Force's positive stats should not be taken as a sign that defenders should rest easy, as ransomware still drives a large part of the cybercrime ecosystem. Rather it tells an interesting story about the different directions ransomware could go in the future.
"There are two opposing trends. If threat detection and response continues to get better, then you're going to see adversaries' money decrease, and their percentage of successful ransomware attacks is going to go down as well. They'll be forced into innovating," he said. "Alternatively if detection and response stagnates and flatlines, threat actors are just going to be motivated to carry out even more attacks."
He added, "2023 is a potential inflection point for ransomware. 2022 was so interesting, even though I think a lot of folks may look at these stats at face value to say, 'Well, nothing much has changed.' But there is a lot that has happened in 2022. That makes me very interested in the future of ransomware."
Alexander Culafi is a writer, journalist and podcaster based in Boston.