Tag Archives: ransomware

Tech News : Fewer Victims Pay Ransomware, Yet More Victims

Blockchain data platform Chainalysis has reported that cybercriminals have seen a 40 per cent fall in their earnings as more people have refused to pay the ransom following ransomware attacks.

More Strains With Shorter Lifespans

However, the number of unique ransomware strains being used in attacks increased dramatically in 2022 (Fortinet). Also, Chainalysis reports that ransomware lifespans are dropping. For example, in 2022, the average ransomware strain remained active for just 70 days, down from 153 in 2021 and 265 in 2020.

How Does Chainalysis Know Criminals Get Paid?

Being a blockchain data platform (blockchain is the technology behind cryptocurrencies), Chainalysis can track money flowing in and out of Bitcoin wallets. Ransomware crews use Bitcoin wallets to collect ransoms and retain their anonymity. Also, evidence from cyber insurance firms, who are usually the ones reimbursing victims for ransomware payments, shows that these payments are down.

Why Are People Refusing To Pay Ransomware? 

There are several reasons why more victims are refusing to pay the ransomware ransom, including:

– Increased awareness. More people are becoming aware of the risks, so this has led to improved cyber-security at organisations, while increased awareness of the potential consequences of paying the ransom has led to many choosing not to do so.

– Improved and more secure backups. With the increased use of more secure cloud-based backups and other disaster recovery solutions, more people are able to recover their data without paying the ransom. It’s worth noting that insurance companies are driving security by tightening underwriting standards, and by not renewing a policy unless the insured has comprehensive backup systems, uses EDR, and has multi-factor authentication.

– Greater segmentation of data backups, resulting in less material business impact as a result of an attack, thereby reducing the economic justification to pay.

– US sanctions against hacker groups, e.g. those linked to Russia’s Federal Security Service, have made paying some groups legally risky.

– Increased openness due to how common ransomware attacks have become. For example, a ransomware attack is now less of a PR disaster for companies, meaning that companies are less likely to keep quiet and pay the money to stay out of the news.

Why Are Ransomware Lifespans Dropping? 

There are several reasons why ransomware lifespans are dropping (including those mentioned above), such as:

– The increased use of anti-ransomware software. As more organisations and individuals use anti-ransomware software to protect their systems, the lifespan of ransomware attacks may be shorter, as the malware is detected and neutralised more quickly.

– Improved incident response. As organisations and individuals become more familiar with the signs of a ransomware attack and have better incident response plans in place, they are able to quickly detect and respond to the attack, which can shorten the lifespan of the ransomware.

– The development of decryption tools. Some security researchers have been able to develop decryption tools that can help victims recover their data without paying the ransom. This can significantly shorten the lifespan of a ransomware attack.

– More effective law enforcement action. Law enforcement agencies have been successful in shutting down some larger ransomware operations and gangs. This can also shorten the lifespan of a ransomware attack.

– Cyber insurance and the involvement of specialised teams. More companies are now using cyber insurance and have specialised teams to deal with ransomware attacks, which can also shorten the lifespan of a ransomware attack.

What Does This Mean For Your Business? 

Criminal earnings from ransomware are down for the reasons mentioned above, and although larger ransomware gangs have been disrupted, there are now many smaller groups operating. It’s also worth noting that new strains of ransomware are being developed all the time, so the threat continues to be present (and is growing as previously stated). With this in mind, businesses should continue to focus on not falling victim to ransomware attacks in the first place. Measures businesses can take include having recurring meetings with all relevant teams/persons (security, networking, IT, server administration, PR, finance) and the company leadership to develop a clear picture of the strengths and weaknesses/vulnerabilities and establish how the business can remain secure and understand who’s responsible for all aspects of security. Also, seeking professional advice about cyber security and implementing best practices, e.g. with data backups and other security measures, can help keep the business safe from new as well as existing ransomware strains.

Security Stop-Press : Ransomware Warning To Small Businesses 2022

Threat intelligence firm Analyst1 has warned that, as cyber criminals try to avoid the attention of law enforcement agencies, they are likely to target small businesses with ransomware attacks in 2022. Researcher Chris Fiormonti comments on the Analyst1 blog that “Instead of going after the high-profile attacks since the activity brings unwanted attention from the federal government, they will likely target smaller companies that will allow them to stay under the radar of the federal government.”

Tech News : 30 Countries Pledge To Act On Ransomware

Members of the international Counter Ransomware Initiative from 30 countries have issued a joint statement outlining their intent to take action to counter the growing threat posed by ransomware.

What Is Ransomware?

Ransomware is a form of malware that encrypts the important files on a computer and the user (often a business/organisation) is given a ransom demand, the payment of which should mean that the encrypted files can be released. In reality, some types of ransomware delete many important files anyway and paying the ransom does not guarantee that access to files will be returned to normal. Ransomware is primarily a profit-seeking crime which also commonly leverages money laundering networks to move ransomware proceeds.

How Big Is The Problem?

A recent White House fact sheet stated that “the global economic losses from ransomware are significant. Ransomware payments reached over $400 million globally in 2020, and topped $81 million in the first quarter of 2021, illustrating the financially driven nature of these activities.”

In March, the Palo Alto Networks Unit 42 Ransomware Threat Report showed that the average ransom paid by a victim organisation in Europe, the US and Canada trebled from $115,123 (£83,211) in 2019 to $312,493 (£225,871) in 2020. The report showed that over the same period, the highest value ransom paid doubled from $5m (£3.6m) to $10m (£7.2m), and the highest extortion demand grew from $15m (£10.8m) to $30m (£22m).

Meeting

At the meeting of the Ministers and Representatives from the Counter Ransomware Initiative (held on October 13 and 14), it was recognised that the threat of ransomware is complex and global in nature and requires a shared response and will depend, in part, on the capacity, cooperation, and resilience of global partners, the private sector, civil society, and the general public.

Action

The joint statement outlines the following actions to be taken and efforts to be made to tackle the ransomware threat:

– Improving network resilience to prevent incidents when possible and respond effectively when incidents do occur. This will involve the sharing of lessons learned and best practices for development of policies to address ransom payments and engaging with private sector entities to promote incident information sharing and to explore other opportunities for collective buy-down of risk.

– Addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable. This will involve using the national anti-money laundering (AML) frameworks to identify and mitigate risks associated with virtual asset service providers (VASPs) and related activities, and enhancing the capacity of national authorities (regulators, financial intelligence units, and law enforcement) to take action.

– Disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement. This will involve cooperation between different stakeholders and international partners in the exchange of information.

– Using diplomacy to promote rules-based behaviour and encourage reasonable steps to be taken to address ransomware operations emanating from a particular territory.

What Does This Mean For Your Business?

Attempts to exploit the vulnerabilities created by remote working in the pandemic, businesses not having effective data backup procedures in place, the costs of downtime perceived as being greater than the cost of paying the ransom, low technical barriers to entry and a high affiliate earning potential, plus the growth of ransomware-as-a-service (RaaS) have fuelled a huge rise in ransomware attacks. Ransomware poses a big risk to critical infrastructure, essential services, public safety, consumer protection and privacy, and economic prosperity, and a bigger effort to tackle the threat is long overdue. The promising aspect of the joint statement by the Ministers and Representatives from the Counter Ransomware Initiative is that they have recognised the need for collaboration and help between multiple governments, agencies and organisations and using multiple means to make a real impression on the problem. Individual businesses can play their own part in protecting themselves through basic security measures. These include keeping antivirus software and operating systems up to date and patched (and restarting the computer at least once per week), using a modern and secure browser, using detection and recovery software (e.g. Microsoft 365 protection and Windows Security), storing files on cloud services, e.g. OneDrive/Google Drive, IDrive, or whatever work-based cloud file storage systems employees are required to use, and having an effective, workable backup in place. Since ransomware relies upon human error to spread, staff should be educated about how to spot and deal with potential ransomware risks, e.g. suspicious emails. Organisations should also realise that prevention is better and cheaper than cure, that paying a ransom will not guarantee the return of vital files and system control, and that many files are deleted anyway by the attackers.