Ransomware breach headlines have continued to come thick and fast in 2023. But how bad has the threat become, and what are we likely to see over the course of the year? Figures from 2022 show a dip in the number of leak site victims, from around 2900 to 2600. But the reality is that there’s no single source of truth to reveal the true scale of ransomware activity, and too many attacks still go unreported.
What we do know is that hostile nations continue to provide sanctuary for threat groups and that victim organizations keep paying their extorters. This will ensure ransomware remains a threat throughout 2023 and beyond. Yet, as law enforcement and cybersecurity measures begin to bear fruit, threat actors are forced to adjust their tactics again.
Ransomware Gets Tougher
The good news is that it is getting more difficult to make money through ransomware. Blockchain analysis of payments made to threat groups shows a steep 40% decline from 2021 to 2022, to $457m. Even then, the profits tend to be concentrated in the hands of mega groups – first Conti and Ryuk and most recently LockBit.
Governments are also more proactive at identifying and sanctioning malicious actors, such as the seven Russians accused of working on Trickbot, Ryuk and Conti. The US State Department has ramped up its reward schemes and now offers millions for information on the whereabouts and/or identities of key cyber-criminals. The Australian Government has been working diligently on its Ransomware Action Plan to stop, report, identify and recover from ransomware events.
Additionally, security teams have got better at defending their assets. In 2022 we observed some new ‘one-to-many’ countermeasures against threat actor TTPs, such as Microsoft’s blocking of Office macros by default and the replacement of vulnerable programming languages with Rust and Go at companies like Google and Meta. Organizations should be ramping up their adoption of phishing-resistant multi-factor authentication, such as hardware security keys, while cloud-native security teams are increasingly embracing the ‘DIE’ triad to enhance resilience.
Hitting Back
However, at the same time, ransomware actors are responding. First, they’re focusing attacks on those sectors and organizations they think will generate the biggest ROI and are easy targets. That has meant a surge in breaches at US schools, government entities, and organizations in areas like construction, car dealerships, and dental practices.
These groups are also using ‘as-a-service’ offerings on the cybercrime underground, which lower the barrier to entry and help increase the volume of attacks. Access-as-a-service and phishing-as-a-service were particularly popular in 2022. However, the clustering this produces around shared attacker tactics, techniques and procedures (TTPs) may give network defenders opportunities to detect and contain such threats before damage is done.
Going forward, we can expect more of the same, plus a continued threat actor focus on the software supply chain – particularly developers’ sometimes necessary and often indiscriminate use of open source components, which are not always properly vetted. For example, one vendor observed a 742% increase in malicious open-source packages from 2019 to 2022.
Ransomware attackers will also increasingly focus on data leaks and DDoS to extort their victims. This is partly because they are struggling to generate profits, owing to sanctions, closer scrutiny from insurers and the brand damage from negative media coverage.
When there’s no need to manage a sophisticated piece of malware capable of encrypting large amounts of data, less sophisticated actors can get into the game. Expect more extortion attempts relying only on data theft and leakage in 2023. Defenders must expand their efforts across an increasingly distributed attack surface to minimize cyber risk this year.