SonicWall: Ransomware Declines Further As Attackers ‘Pivot’ Their Tactics

The first half of 2023 saw ransomware attack volume drop even lower than in 2022, according to SonicWall data. But other types of threats are on the rise, including extortion and cryptojacking.


Ransomware continued to lose favor among malicious actors during the first half of 2023, but overall intrusions increased as some attackers switched focus to other types of threats, according to newly released SonicWall data.

Ransomware attack volume dropped 41 percent from the same period a year earlier, according to the cybersecurity vendor’s report on the first six months of the year, released Wednesday.

The findings are notable in part because the first half of 2022 had itself seen a major decline in ransomware from the year before, when a flood of ransomware attacks — including a number of high-profile incidents such as the Colonial Pipeline and Kaseya attacks — struck customers and partners alike.

SonicWall’s data is based on its global network of 1.2 million sensors, including firewalls and endpoints.

The continued downward trend in ransomware may not last, as attack volume showed signs of a rebound during the second quarter, according to the report.

But in any case, overall intrusions climbed 21 percent during the first half of 2023, year-over-year, SonicWall reported. And a number of other threats — including cryptojacking and “pure” extortion attacks that don’t involve file encryption — gained steam during the first six months of the year.

“We’re seeing diversification relative to the type of attacks,” SonicWall CEO Bob VanKirk said in an interview with CRN. Based on a number of factors, “threat actors are continuing to pivot,” he said.

Cryptojacking attacks — which involve taking control of systems to mine cryptocurrencies such as Bitcoin — nearly tripled during the first half of the year, from the same period of 2022, SonicWall reported. IoT malware climbed 37 percent, meanwhile.

Additionally, several threat actors that previously focused on traditional ransomware have shifted gears to pure extortion attacks.

Those include BianLian — which said in March that it would no longer encrypt files after a free decryptor for its victims was released — and Clop, which has favored extortion-only tactics in its wide-ranging MOVEit campaign. Clop’s recent data extortion attacks have exploited a critical vulnerability in the MOVEit file transfer tool, and are likely to result in a payday as high as $100 million for the cybercriminal group, according to a report last week from incident response firm Coveware.

While many victims will be unlikely to pay cybercriminals for extortion-only attacks — particularly in cases of older or non-sensitive data being stolen — “there are situations where they are going to pay it,” said Bobby Cornwell, a vice president at SonicWall. In cases where the fines associated with a data leak would be higher than the amount charged by the cybercriminals, an organization may be inclined to pay to prevent the exposure, Cornwell said — though there’s no guarantee this will solve the problem.

“How much do you trust the guy that just stole your data?” he said.

Ultimately, there’s a strong chance that more threat actors will consider switching focus to extortion-only attacks amid factors such as the law enforcement crackdown on ransomware gangs, Cornwell said.

It’s also possible that more small and medium-sized businesses could become targets of extortion-only attacks going forward, given that a serious data leak for an SMB could “pretty much end their company” — leading to an inclination to pay the cybercriminal demands, he said.

Ultimately, the shift to a broader set of threats is a reminder that organizations that feel they’ve protected themselves against ransomware still have work to do, VanKirk said.

“What’s concerning is how much it is diversifying and pivoting,” he said. “It’s not like we can just focus in a few different areas and then think that we’ve got things addressed.”

At Irvine, Calif.-based Alvaka, which offers ransomware response and recovery services, responders have seen a significant rebound in cyberattacks during 2023 so far following the decline in activity in 2022, according to Oli Thordarson, president and CEO of Alvaka. That has included both traditional ransomware attacks involving file encryption as well as attacks focused on data theft and extortion tactics.

Ultimately, “I don’t think ransomware is going anywhere,” Thordarson told CRN. “It’s going to morph and change, but it’s [always] there.”