Ransomware is not a new threat, but in recent years it has grown so exponentially that it has become one of the most prominent global threats, not only in the digital world but in the physical one as well. The threat is now at the top of the global geopolitical agenda, as cybercriminals are deploying more advanced techniques and conducting more high profile attacks than ever before.

New trends

1. Double extortion
Ransomware attack patterns have shifted over the last years. In the past, attackers would only encrypt data found on the targets’ systems and then request a ransom payment from the victim to obtain the decryption key. Now cybercriminals have adopted more aggressive attack patterns like double, and even triple, extortion. In double extortion attacks, cybercriminals not only encrypt the targets’ data but exfiltrate data as well, and then threaten to release it publicly if the ransom is not paid. This type of attack puts at risk even organisations that follow security recommendations to have off-site and off-line backups of their data to use should their systems be compromised and their data encrypted.

2. Ransomware as a service
Ransomware-as-a-service has become an increasingly popular business model in the cybercrime community, allowing ransomware developers to lease their malware to other malicious actors for financial gain. This allows people with little technical knowledge to launch potentially destructive, and very lucrative, ransomware campaigns simply by paying for the service. Before Ransomware-as-a-service (RaaS) became popular, to launch successful ransomware attack, malicious actors would have to possess extensive technical abilities and skills in manipulating people for social engineering purposes. Now, aspiring inexperienced malicious actors can easily find RaaS kits for sale on underground forums, which usually come with round-the-clock technical support from experienced cybercriminals. This trend has significantly increased the potential pool of malicious actors.

3. Supply chain attacks
As companies and organisations invest time and money in improving their cybersecurity, malicious actors have to find new points of entry to carry out their attacks. In recent years, cybercriminals have started targeting companies’ supply chains, made up of multiple independent partners of different sizes, that might have very different levels of care and sophistication when it comes to cybersecurity. Less-secure business partners and third-parties could unknowingly act as doorways for cybercriminals to attack otherwise secure organisations. The severity of this type of attack became evident in December 2020, when malicious actors targeted SolarWinds, an American software firm, and inserted malicious code inside Orion, the company’s IT management tool. Through this, the malicious actors, later recognised as Russian hackers working for the Russian foreign intelligence service, managed to access over 18,000 networks across the world, as they all used the compromised tool. Similarly, in July 2021, the infamous Russian hacker group REvil took advantage of a vulnerability found in the US-based software provider Kaseya to launch a ransomware attack to over 1,500 businesses.

4. Ransom demands
One of the major reasons why the ransomware threat is continually growing is that it is an extremely profitable venture for cybercriminals. Faced with the threat of not being able to restore their data, or of having their data leaked to the public, many organisations decide to pay the ransom. It is reported that ransom payments have increased exponentially in the last two years, reaching on average $5.3 million in the US in 2021, 518% higher compared to the average in 2020. The financial revenue of ransomware attacks, coupled with the large pool of potential targets, as more and more companies are connecting their systems, and low chances of detection make it an attractive activity for malicious actors. Throughout the past year cybercriminals have also shifted their focus from targeting small companies to more high profile, lucrative and important organisations, like medical facilities and national infrastructure. These targets are attractive to cybercriminals, as when under attack, they might be more willing to pay a relatively small ransom to regain access to their data and their system, and to be operative again. An additional aspect that makes ransomware a rewarding and relatively easy activity for cybercriminals, is cryptocurrency. The anonymous nature of virtual currencies like Bitcoin make it perfect for use in ransom demands for cybercriminals, as they can ask for unlimited amounts of money while minimising their risk of being caught.

Real world impact

Ransomware attacks can be devastating for organisations, from a financial, organisational and reputational point of view. Loosing access to data can bring businesses to a halt for extended periods of time, causing significant financial losses, and reputational damage when the general public is alerted, while paying the ransom to regain access to stolen data could bankrupt small and mid-size businesses.
Throughout the past year it became increasingly clear that the consequences of ransomware attacks are no longer confined to the digital environment. In 2021, a number of large-scale cyber incidents have raised concerns over how ransomware attacks can affect the general public in their day-to-day life, and can result in inaccessibility to heath care and education, gas shortages, and transportation problems. The ransomware attack that in May 2021 targeted the Health Service Executive in Ireland caused all IT systems to be shut down, resulting in delayed and cancelled appointments for outpatient services. Similarly, an attack on a Vermont Hospital had devastating effects for weeks especially on the cancer centre, which was able to perform only one in four scheduled chemotherapy treatments. In May the infamous ransomware attack on the Colonial Pipeline raised concerns over gas shortages, leading the public to panic-buy fuel until many stations across the US ran out of supplies. Similarly, in June the meat supplier JBS had to shut down its operations for a week following a ransomware attack, leading to concerns over a meat shortage. The company paid a $11 million in ransom to the allegedly Russian hacker group REvil.

What is being done to tackle the threat

The large-scale attacks mentioned above have brought high levels of public attention to the threat ransomware attacks pose on national security, public health and safety. It has become clear that ransomware is a global threat and therefore there needs to be a global effort to tackle it, both from governments and from technology vendors. In June 2021, the G7 held in England, expressed a shared commitment to focus on and tackle the threat of ransomware. At the summit, world leaders issued a statement to hold Russia accountable for the cyberattacks launched from the country. In the US, the Biden Administration has set mandatory baseline security standards for all federal agencies and software suppliers, for instance multi-factor authentication and the use of encryption. In addition, thirty countries were invited by President Biden to take part in a two-day virtual summit to discuss the escalating ransomware threat, with discussions focusing on cybersecurity measures and tactics to prevent attacks, and on the role of cryptocurrencies and of diplomacy. As a matter of fact, world leaders agree that to tackle ransomware attacks there needs to be a global coordinated response, to facilitate the investigation and prosecution of cybercriminals across different jurisdictions.