5 Things To Know On The Big Drop In Ransomware Attacks

Multiple security vendors are reporting data showing that ransomware was less of an issue in 2022, particularly in the U.S., than it was in 2021. There’s both good and bad news in the findings, however.

Ransomware Respite?

Here’s the good news: Ransomware was down in 2022, according to research reports from several cybersecurity vendors, and at least some of the drop is thanks to improved prevention and law enforcement intervention. While 2022 was by no means a holiday for cyber defenders, the reports point to significant declines in the ransomware volume and success rate during the year, as compared with the epic ransomware year of 2021.

SonicWall reported Tuesday that global ransomware volume dropped by 21 percent in 2022—and saw an even larger decline in the U.S.—while Mandiant has disclosed it responded to 15 percent fewer ransomware incidents last year. Also on Tuesday, Proofpoint revealed that a lower percentage of organizations overall experienced ransomware infections in 2022, and both CrowdStrike and SonicWall reported an uptick in the number of threat actors that switched from ransomware to data extortion attacks during the year.

Additional security research from IBM X-Force suggests that threat detection tools are catching more intrusions at an early stage of the attack, prior to deployment of ransomware, while blockchain data platform Chainalysis revealed that overall ransomware payments fell sharply in 2022.

Overall, when it comes to the ransomware decline last year, “there have been multiple shifts in the operating environment that have likely contributed,” said Jeremy Kennelly, senior manager for financial crime analysis at Mandiant.

That’s not to say that ransomware has lost its status as a leading threat, as evidenced by recent attacks such as the widespread ESXiArgs ransomware campaign. And the fact that at least some of last year’s decline was attributable to threat actors switching to other highly damaging attacks, such as data extortion, is not exactly something to get excited about.

Ultimately, “it’s encouraging that we’re seeing a decrease” in ransomware attacks, SonicWall CEO Bob VanKirk said in an interview with CRN. At the same time, “the number of attacks still is staggering,” VanKirk said. And there are concerning signs that ransomware may already be on the rebound as well.

To dig into what the latest cybersecurity research is telling us about the ransomware threat, what follows are five key things to know about the drop in ransomware attacks in 2022.

Ransomware Plunges Globally — Especially In The U.S.

From 2019 to 2021, there was a steady climb in global ransomware attack volume, culminating in the massive ransomware assault of 2021, according to SonicWall data. That year, ransomware attacks more than doubled globally—surging by 105 percent—and included a series of hugely disruptive incidents such as the ransomware attacks against Colonial Pipeline and Kaseya.

With that as a backdrop, 2022 doesn’t look so bad. Alongside the 21 percent decline in ransomware attack volume that SonicWall reported for last year, there weren’t any incidents that caused the level of disruption seen in the attacks mentioned above.

Meanwhile, although the U.S. remained the biggest target for ransomware in 2022, the volume of attacks in the country fell even more sharply than it did worldwide. Ransomware attacks against U.S. targets plunged 48 percent in 2022 year over year, according to SonicWall.

According to Proofpoint data released Tuesday, fewer organizations overall were hit with ransomware in 2022 as well. The findings show that 64 percent of organizations experienced ransomware infections in 2022, down from 68 percent in 2021 and 66 percent in 2020.

To keep things in perspective, SonicWall noted that 2022 was still the second-worst year ever for ransomware attack volume, behind only 2021. As shown in the SonicWall chart above, the worldwide ransomware attack volume in 2022 was “still far above the levels seen in 2017, 2018, 2019 or 2020,” the company said in its report. The company’s data is based on its global network of 1.2 million sensors, including firewalls and endpoints.

Ransomware Prevention Saw Massive Improvement

In terms of the factors behind the drop in ransomware attacks in 2022, findings from an IBM X-Force report appear to tell part of the story. The report reveals a dramatic increase in the percentage of attacks that were stopped before they could progress to ransomware deployment, according to John Dwyer, head of research at IBM Security X-Force. That’s a big win for cyber defense because “this is the first time ever where we feel like they’re detecting [attacks] a lot earlier,” Dwyer told CRN.

A key statistic demonstrating this shift is that 21 percent of attacks were halted at the point of backdoor deployment, one of the initial stages of a typical ransomware attack. The statistic is significant because in prior years X-Force did not even track the metric, considering it an outlier. Previously, the percentage of attacks that were shut down at the backdoor stage was “almost nonexistent,” Dwyer said.

In other words, detection and response efforts produced a “massive” improvement in catching attacks at the initial backdoor stage in just one year, Dwyer said. The percentage of incidents that actually resulted in ransomware, meanwhile, dropped to 17 percent in 2022 from 21 percent in 2021, according to the report.

“The technology is getting better and better at finding ransomware attackers as they’re going through their goals and objectives,” Dwyer said.

Without a doubt, defenders are “always getting better” at detecting and preventing the tactics, techniques and procedures that attackers are actively using, Mandiant’s Kennelly told CRN. However, this process of continual improvement “drives a parallel cycle of improvement” in the cybercriminal ecosystem, he noted.

More Cybercriminals Focusing On Data Extortion

A less exciting reason for 2022’s drop in ransomware attacks is likely that some cybercriminals are just changing up their focus and shifting away from ransomware altogether. A new threat report from CrowdStrike released Tuesday shows that the number of threat actors that carried out data theft and extortion attacks, without deployment of ransomware, grew by 20 percent in 2022 year over year.

“We’re seeing more and more threat actors moving away from ransomware,” said Adam Meyers, head of intelligence at CrowdStrike. “Ransomware is noisy. It attracts attention. It’s detectable. Encryption is complex.” And due to the fact that data extortion is a more lucrative and easier alternative, ransomware is “ultimately unnecessary” at this point, Meyers told CRN.

The SonicWall report also details a greater focus for some cybercriminals on data extortion and the shift away from ransomware. Some of the factors at play include the fact that more organizations have implemented “strong” backups and incident response plans, which has made encrypting files a less effective tactic, according to the report. SonicWall pointed to the existence of extortion-only groups including Lapsus$ and Karakurt as further evidence of the trend.

Meanwhile, the process of actually extracting a ransom payment has also become extremely “frustrating” for attackers, Meyers said. Often, there ends up being a negotiation process that takes time and reduces the eventual ransom payment, he said. But with data extortion, “they don’t have to play that game,” Meyers said. If a victim stalls on making a payment, an attacker will often leak some of the victim’s files onto the internet to speed things along.

“Now they’ve got the control,” he said. With data extortion, “they can actually flip the script on the victim.”

SonicWall suggested in its report that threat actors may have switched gears from ransomware to other types of attacks as well in 2022. Cryptojacking attacks grew by 43 percent year over year, while IoT malware surged by 87 percent, according to the report. Attackers are proving once again that “they will quickly pivot to where the opportunity is,” SonicWall’s VanKirk said.

Disruption To Cybercrime Groups

Another factor that loomed large in the world of cybercrime last year was the multiple major disruptions to ransomware groups. Many of these groups are known to be based in Russia or elsewhere in Eastern Europe, and experts told CRN that the fallout from Russia’s unprovoked invasion of Ukraine was undoubtedly a constraining force on ransomware in 2022. The meltdown of prominent ransomware group Conti over the war was one widely publicized example.

Other disruptions—those attributable to law enforcement interventions—can be seen as more of a win in the battle against ransomware. “2022 was another banner year for ransomware busts, as law enforcement in the U.S., U.K., Canada, Brazil and even Russia brought some of ransomware’s key players to justice,” SonicWall said in its report. A prominent example was Russia’s apparent dismantling of the REvil ransomware group, believed to have carried out the Kaseya attack, with the help of U.S. intelligence in January 2022. Mandiant’s Kennelly said the law enforcement efforts targeting ransomware services can have a curtailing effect on the attacks because, at a minimum, they require threat actors to “retool or develop new partnerships.”

“We applaud the efforts of law enforcement” in the cybercrime arena, SonicWall’s VanKirk said. “I think the more we can continue to work public-private [collaborations] there, the better collectively we’ll be.”

As one piece of evidence for the effects of the disruptions, blockchain data platform Chainalysis reported that ransomware payments that it tracked in 2022 fell by 40 percent to $457 million. “The trend is clear: Ransomware payments are significantly down,” Chainalysis said in a blog post. Along with disruptions from Russia’s invasion of Ukraine and law enforcement interventions last year, the post mentions an increasing refusal by organizations to pay ransoms as a key factor.

Will Ransomware Bounce Back?

Unfortunately, the ransomware resurgence may already be happening. SonicWall’s report showed that the volume of ransomware attacks spiked in the fourth quarter of 2022 (see the company’s chart above). Not only was it the highest volume of attacks during the year, but it was actually a year-over-year increase from the fourth quarter of 2021. And considering how brutal 2021 was for ransomware overall, that’s potentially very worrisome.

While it’s tough to pinpoint what the biggest factor might have been in the fourth-quarter uptick in ransomware attacks, one possibility might be the worsening economic environment. Joanna Burkey, CISO at HP Inc., recently told CRN that “over the years, we definitely have seen a very strong correlation—[that] when economic times are a bit rough, the e-crime-based attacks go up.” Without a doubt, “the attacks for money definitely go up in a period like this,” Burkey said.

Recent ransomware attacks have included the ESXiArgs campaign, which compromised thousands of VMware ESXi servers in Europe and North America in February by exploiting a two-year-old vulnerability.

Whether it’s with a rebound in ransomware, or with more attackers pivoting to other types of attacks, “I don’t see things slowing down” in terms of malicious cyber activity overall, SonicWall’s VanKirk said. “There’s no question in my mind that we will continue to see the attacks morph and change based upon the opportunity out there.”