The New Era of Ransomware

Organizations must understand the changes in cybercriminal business models and prioritize investments that limit financial loss.

Cybercrime continues to evolve at a rapid pace, but not in the way you might think.

Companies are demonstrating an increased resistance to ransomware, yet 2023 was one of the most financially damaging years ever for digital extortion. Upon evaluation of cyber insurance claims data from our customers at Resilience – alongside data from ransomware incident response company Coveware, blockchain analytics firm Chainalysis, cloud security firm Zscaler and security provider Sophos – one thing is clear: We’re entering a new era of ransomware, and companies need to keep up.

Following a dip in 2022 that correlated with the escalation of the conflict in Ukraine, ransomware re-emerged with a vengeance in 2023. We found that ransomware incident notifications for our clients reached 100% of 2022 levels halfway through 2023. But while ransomware notices may be up, the second quarter of 2023 saw the overall success rate of extortion payments fall to a record low of only 15% for our clients, and to 40% across the industry. Driven by factors such as greater investment in ransomware defense and pressure from law enforcement, companies are increasingly declining to make extortion payments.

But cybercrime is a business, and ransomware actors are once again adeptly reacting to a change in their market. Despite lower success rates overall, companies still handed out nearly $900 million in extortion payments in 2023 – one of the most expensive years for ransomware on record. This points to a return of “big game hunting” tactics for ransomware gangs. As extortion becomes less effective as a tactic, cybercrime groups are emphasizing quality over quantity and focusing their efforts on bigger targets that can afford larger payouts – with some even setting minimum ransom demands. The shift appears to be working: According to a recent report, the average cost of an extortion incident nearly doubled from 2022 to 2023, and victims paid out higher demands (>$1 million) at a rate nearly 4X that of 2022.

Bigger targets don’t always mean bigger companies, though. As part of the shift toward big game hunting tactics, threat actors are increasingly targeting third-party vendors. This strategy lets them compromise vendors that hold the same level of access to data as the victims themselves, while circumventing many known ransomware controls. As evidenced by the widespread effectiveness of the MOVEit attacks in 2023, ransomware groups can leverage the trusted access of third-party vendors to scale their extortion attacks to hundreds – if not thousands – of companies in a single maneuver. While the majority of victims in a given attack will likely elect not to pay extortion, some will, and often in large sums.

In tandem with ransom demands growing in size and hackers increasingly targeting upstream vendors, we’ve identified a notable transition to more nefarious extortion tactics. Encryption-less extortion attacks – which provoke payment by threatening the release of sensitive or regulated data – have increased dramatically over the past year. These attacks bypass counter-ransomware strategies such as immutable data backups, and ultimately result in faster and larger profit margins for ransomware gangs. They are also far less resource-intensive than traditional encryption-based attacks, and much harder to detect: with no encryption event to trip alarms, the only signal is the data leaving the network. Combined with the expansive access to downstream victims afforded by third-party vendor breaches, this attack vector creates a perfect storm for cybercrime actors – with devastating consequences for organizations.

With this new focus by cybercriminals on third-party vendors, executives can do several things to make their organizations more resilient:

  1. Perform thorough cybersecurity due diligence when selecting third-party vendors.
  2. Continuously monitor intelligence on vendors before, during and after an incident.
  3. Regularly practice your incident response plan (IRP) with executive and cybersecurity staff.
  4. Prioritize security investments based on financial analysis of your organization’s cyber value-at-risk.
  5. Work on connecting organizational silos across risk management, cybersecurity and financial leadership to align strategic objectives that focus on business goals.

Many of the incidents Resilience tackles for customers could have been avoided or severely limited with organizational changes that improve cybersecurity governance. These are business process issues, not technical security challenges.

The data paints a clear picture: We’ve entered a new landscape for ransomware. As cybercriminals and their tactics continue to evolve, organizations must do the same. It’s no longer advisable – or even feasible – to attempt to effectively secure against all possible threats. Instead, organizations must shift their focus toward understanding the changes in cybercriminal business models and use that information to prioritize investments that are most likely to limit their financial loss. Only then will they be able to achieve true resiliency amid the constant evolution of the modern threat landscape.
