Dr Deepthi Ratnayake FHEA CITP MBCS explains what the latest attacks tell us about ransomware’s evolution.

Ransomware has evolved during 2022.

In this year’s final column it feels like a good time to reflect on what we’ve observed this year and look forward to 2023. Here are some key facts about a year in ransomware:

  • Check Point (checkpoint.com) reported a 42% global increase in cyber-attacks, with ransomware the number one threat.
  • IBM’s Cost of a Data Breach Report 2022 found that ransomware attacks accounted for 12% of critical infrastructure breaches.
  • The average cost of a ransomware breach declined slightly compared to 2021, from USD $4.62 million to USD $4.54 million. This figure includes detecting the attack and loss of business due to system downtime, but not the ransom itself.
  • The frequency of ransomware breaches increased, from 7.8% of breaches to 11%.
  • The 2022 SonicWall Cyber Threat Report states that while ransomware volume shrank 23% worldwide, Europe saw a 63% increase.

Though it doesn’t feel like it, ransomware has been around for over 30 years. Over that time, we’ve seen attackers evolve from modest criminals working alone to modern, sophisticated, resilient and aggressive threat actors. Once just discrete pieces of software, attacks today can be launched using RaaS (Ransomware-as-a-Service) models. The attacks themselves have evolved too. We’ve seen high-impact ransomware attacks launched against weaknesses in supply chains, unpatched code and flaws in open-source software. We’re also seeing attackers publish victims’ names and business data on victim-shaming sites.

Follow the money

Criminal gangs also host auctions to sell off victims’ data to the highest bidder. They might also reach out to media outlets and seek to publicise attacks. All of this adds pressure on victims. Conti made headlines as the most widely used – and abused – human-operated double extortion ransomware strain. The Conti Group uses a variant of the RaaS attack model. Against the cumulative weight of 2021’s ransomware attacks, regulators, insurers and stockholders have responded with different tactics. As a result, according to SonicWall’s 2022 Cyber Threat Report: ‘ransomware may not just be falling; it may be shifting course due to government sanctions, supply-chain deficiencies, limited availability of needed infrastructure, and increased attention from law enforcement and governing bodies’. It is also speculated that the biggest driver for ransomware’s apparent decline may be the disbandment of the Conti ransomware gang: the Russia-Ukraine cyber warzone has split the group into factions.

Defensive ecosystems

Liability risk for organisations is increasing and insurance providers are tightening the rules on ransomware payment reimbursement. The security community also saw regulatory updates on public disclosure requirements and on the fiduciary duties of directors and boards. This year UK, European and US authorities actively discouraged ransomware payments but stopped short of banning them outright, taking the human context of each incident into account. However, organisations that do pay are advised that they may face penalties for money laundering and the financing of terrorism. Boards are expected to proactively oversee security measures to defend, prepare and respond. The NCSC and the ICO (UK) recommend performing and recording regular audits of the organisation’s environment against a proven security standard, such as Cyber Essentials (for smaller organisations) or ISO 27001 (for medium and larger organisations).

What about AI?

AI and machine learning are showing great promise as techniques for effective threat detection. These systems can learn in real time from changing tactics, techniques and procedures (TTPs) in the developing cyber landscape. The use of security AI and automation jumped by nearly one-fifth in two years, from 59% in 2020 to 70% in 2022. IBM’s findings show a 65.2% difference in the average breach cost between organisations with fully deployed security AI and automation and those with no security AI and automation. Companies with fully deployed security AI and automation also experienced, on average, a 74-day shorter time to identify and contain a breach.

About the author

Deepthi Ratnayake FHEA CITP MBCS is an experienced academic with proven skills in CS research.