Cybercrime reports flowing out of marketing departments still highlight the danger of ransomware. However, a closer look at the numbers reveals a much different story and poses the question: Have we reached peak ransomware?
Last year, ransomware attacks hit all-time highs with paid ransoms exceeding $1.1 billion and attacks exceeding 5000, according to FBI and Interpol reports. However, a look at midyear reports from Cyberint, SonicWall, Check Point and a dozen others shows that attacks and ransoms paid have crashed. Still, the crime is not to be discounted, and industry recommendations are to double down on efforts to combat the “scourge”.
There are three reasons why the ransomware industry is hitting a wall.
Law enforcement agencies, working in cooperation, have found the means to identify and shut down ransomware gang operations around the world.
Potential victims have learned hard lessons about the gangs’ willingness and ability to decrypt data, and about becoming repeat targets. They are deciding in greater numbers to ignore ransom demands, cutting into revenue streams.
The “honor among thieves” philosophy does not apply to these criminals. Ransomware service providers are stiffing their affiliates, causing a fracturing of the criminal industry into multiple, independent gangs.
By the numbers
Taking a look at the statistics in the mid-year reports, it would seem that ransomware attacks are still growing.
According to SonicWall’s 2024 midyear report, ransomware increased by more than 15% in the North American market and by a resounding 51% in Latin America (LATAM). The one bright spot is almost a 50 percent decrease in Europe, Middle East and Africa (EMEA). Likewise, the 2024 midyear reports from Check Point and Cyberint show a general increase worldwide. How some markets are defined skews those results, because attacks are increasing abnormally in certain countries.
Mexico, for example, has seen an 18 percent increase in cyberattacks in general, but ransomware, depending on who is counting, has increased between 50 and an eye-popping 99 percent in the first six months of 2024. A dozen countries in Africa have also seen dramatic increases in ransomware attacks with Ethiopia, Zimbabwe, Angola and Kenya all stepping into the top 10 according to Check Point.
Remove Africa from the EMEA numbers and the EU drops even further. Mexico is often counted in both North American and Latin American numbers. Divorce Mexico from North America and it negates the growth of ransomware in all the reports in the US and Canada.
Why is that significant?
LATAM, including Mexico, and Africa are relative newcomers to the digital world. As adoption of web-based business expands, so does awareness of cyber hygiene rules as well as outdated digital platforms, according to several of the reports studied. That makes organizations, businesses and individuals low-hanging fruit for criminals.
“The significant increase in Latin America highlights regional vulnerabilities and the adaptive strategies of ransomware operators to focus on maturing cyber markets,” said Brad Crompton, cyber threat intelligence director at Paysafe.
Historically, the European and U.S. markets are the most attractive because that’s where most of the money and use of digital technology have been. But the EU maintains the most mature digital protection legislation on the planet, with the US still a fairly distant second. That has given law enforcement in these markets broad support and latitude to go after cybercriminals even outside their borders. In February, the FBI took down Lockbit, the most productive and insidious ransomware gang in the world, forcing not only the people running the organization to scatter, but their affiliates as well.
Breaking up the band
“The reduction in revenue for major ransomware-as-a-service (RaaS) groups such as Lockbit and AlphV, as you’ve noted, is an important trend,” said Crompton. “This is driving some affiliates to operate independently, adding complexity to the ransomware landscape. This fragmentation may make ransomware harder to track and attribute, especially over shorter time spans.”
Cyber Protection Magazine has reported recently on the increase in identity fraud crime, concurrent with the drop in ransomware. Crompton acknowledges this trend.
“While the US and EMEA have shown varying trends in attack occurrences, with EMEA experiencing a notable decline, the global landscape remains dynamic. The rise in identity fraud you mentioned aligns with the broader trend of sensitive data extraction by threat actors to yield quick profits. As these actors diversify their tactics, other illicit revenue streams, such as identity fraud, will become an increasing concern, presenting new challenges for defenses and mitigation strategies.”
To pay or not to pay
The second factor — outright refusal to pay the ransoms — is the result of hard lessons learned and expanding cyber hygiene practices.
More companies are backing up their data better, and a sub-industry providing data backup services is flourishing. Companies are also realizing that paying ransoms doesn’t guarantee they get control of that data back, nor become immune to a follow-up attack.
Heather Clauson Haughian, managing partner at the cybersecurity-focused law firm Culhane PLCC, said this trend is taking the focus away from corporations and redirecting it to infrastructure organizations that have less security infrastructure and best practices in place.
“We’re seeing manufacturing facilities, critical infrastructure providers, financial institutions, health care organizations, but less running through companies,” Haughian said. “They’re not even bothering anymore.”
Desperate times, desperate measures
As ransomware groups become more desperate, they are raising the stakes in their demands, including threatening physical violence. A June Wired story recounted how, when the Fred Hutchinson Cancer Center in Seattle refused to pay, the criminals contacted individual cancer patients at the hospital and threatened to release their personal information if they did not pay.
The gangs are also raising demands to make up for lost revenue. Zscaler’s Threatlabz reported it was aware of a Fortune 50 company that paid a record $75 million in cryptocurrency this year to the Dark Angels ransomware group.
“The Dark Angels group employs a highly targeted approach, typically attacking a single large company at a time. This is in stark contrast to most ransomware groups, which target victims indiscriminately and outsource most of the attack to affiliate networks of initial access brokers and penetration testing teams,” Zscaler said.
New groups arising from the ashes are focused on smaller victim segments. For example, Trisec, based in Tunisia, markets its services to nation-states to disrupt infrastructure and elections. Cyberint expects several of these newer groups to enhance their capabilities and emerge as dominant players in the industry, alongside veteran groups like LockBit 3.0, Cl0p, and BlackBasta.
PIVOT!!!
This doesn’t mean ransomware is going away, but it does give governments, organizations, corporations and individuals time and resources to protect against the larger and growing problem of identity theft.
The data ransomware groups have stolen is just as valuable to other criminal fraud organizations. For example, while paid ransoms were hitting their peak of $1.1 billion last year, the estimated losses from elder fraud were ten times higher. Not only is identity theft more lucrative than ransomware, it also has fewer resources dedicated to curbing it than ransomware attacks do.
Jeremy Turner, head of cyber risk at Cogility, agreed that it appears we have reached peak ransomware, but it could be a lull as criminal groups reorganize and re-prioritize. He said criminal groups are finding backups to encrypt and exfiltrate, giving them better leverage in their extortion game.
“And those groups are really going after the whales in the industry,” he stated. “Small, medium businesses or mid-market companies force the threat actors to compromise in order to get a payout.” That means ransomware groups have to “take their time, make sure that they really cover their bases on backups and data integrity so that they really have the leverage to demand these kinds of payouts.”
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.