Business Continuity Management / Disaster Recovery, Critical Infrastructure Security, Cyber Crime
Despite more efforts to blunt extortionists, evidence shows the tide still hasn’t turned.
Matthew J. Schwartz (euroinfosec)
26 January 2022


Despite Western governments focusing more on tracking, targeting, and disrupting ransomware, the number of new ransomware victims has not declined. Still, many experts say that nation-state efforts to tackle cybercrime syndicates are gaining momentum, and may still have an impact.
For the US public sector, security firm Emsisoft notes that in 2021 at least 77 state and municipal governments and agencies, 1,043 schools and universities, and 1,203 healthcare providers fell victim to ransomware.
Notably, the annual number of such victims has remained relatively unchanged for the past two years, says Brett Callow, a threat analyst at Emsisoft.
“The number of ransomware incidents involving the public sector has been fairly stable for the past three years, and this is a concern,” he says. “This means that, for whatever reason, the public sector has been unable to significantly improve its resilience and remains as vulnerable as ever.”
Again, the same can be said of most regions.
Cloud email security firm Abnormal Security, in a report reviewing known ransomware attacks of the past two years, reports that the total number of ransomware victims, at least in the United States, is rising even as the White House says it is devoting additional resources to tackling cybercrime.
“Last quarter of 2021 sees highest number of victims in US in last two years,” tweets Crane Hassold, the firm’s director of threat intelligence.
Despite the increased focus of US officials on #ransomware in the first half of 2021, little seems to have been done to prevent actors from targeting US companies. The last quarter of 2021 saw the highest number of victims in the US in two years (+43% from the previous quarter). pic.twitter.com/sYKsqkBICH — Crane Hassold (@CraneHassold) 25 January 2022
All of the above numbers come with caveats. For starters, they are based on attacks that have come to public light, usually either because the victim disclosed them, or because the attackers posted the victim’s name on a data-leak site to pressure them into paying a ransom. But cybersecurity firm Group-IB estimates that only 13% of the victims of a ransomware operation that runs a data-leak site ever get listed there.
Beyond that, many victims of a ransomware attack never publicly admit to having fallen victim, or specifically say that they were affected by crypto-locking malware.
Seasonal Decline
Based on publicly known ransomware attacks, the number of new victims declined at the end of last year. Cybersecurity consultancy NCC Group reports that, based on victims posted to publicly accessible data-leak sites, it counted 318 victims in November 2021 compared to 200 in December 2021, meaning the total declined by nearly a third.
While any decline is welcome, unfortunately NCC Group says it is likely just a seasonal trend.
Meanwhile, two long-running operations dominate. “Despite the decreased overall activity, LockBit and Conti remain the two most prevalent threat actors in the ransomware space, with 47 and 32 attacks respectively in December,” it said.
Missing Too Often: Basic Defenses
If the known number of fresh ransomware victims isn’t decreasing, one question is why organizations aren’t successfully repelling more attacks.
An obvious culprit, Callow says, is a persistent, widespread failure to implement multi-factor authentication wherever possible, despite cybersecurity experts, including Cybersecurity and Infrastructure Security Agency Director Jen Easterly, calling on all organizations to do so.
“I’ve said it before, and I’ll say it again: Enabling multi-factor authentication reduces your chances of getting hacked by 99%,” Easterly tweeted.
Anecdotal examples of organizations failing to use MFA abound. Illinois NPR affiliate WGLT reported Wednesday that the state’s District 87 school board saw a 334% increase in its cyber insurance premiums a few years ago, from about $5,000 to $22,000 a year. But what the district’s insurance policy will pay out in the event of an incident remains low until the district implements MFA, which it plans to do by April, WGLT reports.
Incident response experts say that too many organizations are failing to use MFA, specifically for Remote Desktop Protocol ports (see: Why Are We So Stupid About RDP Passwords?).
“I still see RDP, or social engineering and phishing, as the route for the majority of ransomware gangs,” says Joseph Carson, chief security scientist and advisory CISO at cloud identity security vendor ThycoticCentrify.
Fresh Steps to Combat Ransomware
While the volume of successful ransomware attacks remains relatively constant, many forces could, potentially, take a bite out of this type of cybercrime.
The Biden administration launched a new task force to combat ransomware last spring, and is working to increase the cybersecurity resilience of American businesses as well as to pressure countries that provide safe havens for cybercriminals.
“Post-Colonial Pipeline, the US government has ramped up its ransomware efforts, including creating a $1 billion federal cybersecurity grant program as part of the bipartisan infrastructure deal, and a lack of funding is something that local governments have long identified as a barrier to improved cybersecurity,” says Emsisoft’s Callow. “While the fight is far from won, these and other measures will have a real impact, and we will see a reduction in the number of incidents in the coming months and years.”
Earlier this month, Russia’s federal security service, the FSB, said it had acted on intelligence provided by the US when it arrested 14 suspected members of the infamous REvil, aka Sodinokibi, operation. So far, eight have been charged with illegal money control or laundering.
The White House welcomed the action, saying it had been sharing intelligence with Moscow since last spring. Against the backdrop of Russia’s threat to invade Ukraine, a senior White House official said the Biden administration is taking the arrests at face value.
“Our hope is that Russia … will take legal action within its system against these criminals, which they have done …” as well as “preventing future ones,” the official said.
Criminal Attitude: Wait and See
Security watchers have said the suspects arrested are either low-level players or affiliates, who act as business partners of ransomware-as-a-service, aka RaaS, operations such as REvil. In other words, for whatever reason, REvil’s core operators and administrators appear to remain at large.
Still, the arrests could prompt at least some smaller players to close up shop, and make others think twice about entering the market.
According to chatter being tracked by security firm Trustwave SpiderLabs, the arrests are already sowing at least some chaos and panic among cybercriminals, not least over uncertainty about how Russian law will be used to prosecute such crime.
In a recent forum discussion, says Ziv Mador, vice president of security research at Trustwave SpiderLabs, “one person thought the charges would not be so serious: ‘As I understand it, they are under Article 187 of the Criminal Code of the Russian Federation, and the maximum is 7 years, that is, it is not even a serious offence.’”
But Mador says another forum user disagreed: “Learn the criminal code. This is a serious crime. Building an organized crime group [can get you] 12 to 20 years [in prison],” the forum user said.
Of course, the list of charges against the accused can be expanded as well.
‘Let’s not celebrate too soon’
What Russia does next will help determine whether these arrests serve as some sort of deterrent.
“There is a strong possibility that the FSB’s activity will have a long-term impact on cybercrime, but only if the Russian government follows through and prosecutes those arrested to the fullest extent of its law,” Mador says. “Russian prisons are not a walk in the park, and cybercriminals know this.”
Even so, while security experts say these are clearly steps in the right direction and should be welcomed, it’s not clear whether they will ultimately have any impact on the ransomware ecosystem.
“It’s a win-win, in regards to cooperation and watching a ransomware gang get taken down,” says ThycoticCentrify’s Carson of the REvil arrests. “But the growth of ransomware groups is on the rise; there’s more to deal with. So it’s a good thing to take down a big group. But we shouldn’t celebrate too quickly.”
In fact, ransomware operators have a proven ability to innovate. But of late, Western governments have been trying to do the same. And while the impact of a variety of new initiatives has yet to emerge, they will at least continue to put pressure on ransomware activity, says Dave Liebenberg, head of strategic analysis at Cisco Talos.
“We are also monitoring the impact of US President Joe Biden’s whole-of-government approach to combating the ransomware threat, including initiatives implemented so far by the Treasury Department, the Department of Justice and other agencies to disrupt ransomware actors’ capabilities,” Liebenberg writes in a blog post.
“Many of these initiatives will have potential impacts that have yet to be seen,” he says. “We suspect that as US officials prioritize combating the ransomware threat, we will see groups continue to shut down or rebrand operations under new monikers, become more restrictive about members joining their RaaS ranks, and strive to improve their operational security.”