The Retail Payments Risk Forum team has been writing a lot about ransomware in Take on Payments since 2018, when criminals shifted their targets from consumers with small ransom payouts to large government entities, educational institutions, and healthcare industries with their deeper pockets. Some of the initial victims in the United States were the cities of Atlanta and Baltimore and Florida's Monroe County School District. As with consumer attacks, criminals get to the bigger targets primarily by using phishing or smishing messages to obtain account credentials. They then exploit known software security gaps and make brute force attacks.
The number of ransomware attacks has ebbed and flowed over these last five years. The FBI's Internet Crime Complaint Center (IC3) receives voluntary reports on ransomware attacks and, according to the most recent data, in 2021 there were 3,729 reported attacks with net losses of approximately $50 million. This was an increase of 51 percent from the previous year. Our June 2022 post highlighted findings of IC3's annual report and some of the tactical shifts made by the criminal organizations to further their success rate.
While the IC3 report for 2022 has not been released, reports from some private cybersecurity firms (for example, here and here) give perspective on the current ransomware environment. The findings in these reports reveal a dynamic battleground:
- The number of attacks in 2021 declined but the focus on large companies and educational institutions continues. Some experts attribute the decline to the disruption of criminal organizations in Eastern Europe by the Russian invasion of Ukraine.
- While initial ransomware attacks were limited to file encryption, criminals now also deploy data extraction. They threaten to sell or publish that data to coerce an increased ransom payment.
- Ransom payments increased 144 percent in 2021 over 2020. The average reported ransomware payment in 2022 was $4.7 million. These attacks reflect a more diverse target base including smaller businesses, health care providers, and municipal governmental agencies.
- Ransomware-as-a-service offerings have increased, making it easier for less sophisticated criminals to perpetrate these attacks.
From my perspective, the ransomware battle between the criminals and their targets continues unabated. Despite increased security and education efforts, ransomware is still identified by the FBI as the major cyber threat against business. Law enforcement has had some victories with high profile arrests but still struggles to keep up with the pace of ransomware activity.
Defenders against ransomware crime must remain agile. What new tactics and weapons can businesses and law enforcement deploy? Let us know what you think.