
U.S. is Making Gains Against Ransomware Attacks

May 29, 2023
A new report says that use of ransomware decreased 20% in data theft and extortion campaigns last year.


Ransomware is malware that encrypts files on a user’s computer and then demands payment to decrypt them. Attacks have been rising in recent years as cybercriminals find new ways to infiltrate their victims’ computers. The attacks typically begin with a phishing email that includes a malicious attachment or link that, when opened, infects the computer with the ransomware. The ransomware then encrypts the computer’s files, makes them inaccessible and demands a ransom payment in the form of cryptocurrency.

Some of the high-profile ransomware attacks that took place over the last few years include the WannaCry attack, which infected over 200,000 computers in 150 countries; Petya, which infected over 300,000 computers in over 60 countries; NotPetya, which impacted more than 100,000 computers in over 60 countries; and Emotet, a type of malware that’s been active since 2014 and is still being used to steal personal information and spread ransomware.

The total number of global, recorded ransomware attacks peaked in 2021 at 623.3 million and has since fallen to 493.3 million (in 2022). This compares to just 183.6 million ransomware attacks in 2017, according to Statista. The Ransomware Task Force (RTF) recently reported a similar decline in attacks. Started in 2021, RTF is a public-private partnership led by the Institute for Security and Technology (IST) and includes representatives from government, industry and academia.

Gaining Ground

In its May 2023 Progress Report, the RTF says that the U.S. is “gaining ground” against cybercriminals whose ransomware attacks target both business and personal computers. Two years after publishing Combating Ransomware: A Comprehensive Framework for Action, the RTF says it has seen “impressive moves” by industry, domestic and partner governments toward implementing the group’s recommendations.

“We have also seen significant change across the ransomware landscape,” the RTF says in its latest progress report. “Governments have taken action to prioritize ransomware defenses and investigations; victims have changed their responses; and threat actors have evolved, not only in terms of who they affiliate with, but also in terms of their tactics and the size and geographic location of their targets.”

Citing research from CrowdStrike, the RTF says that use of ransomware itself decreased 20% in data theft and extortion campaigns during 2022, indicating that encryption was becoming less appealing to threat actors as threats of data leaks rise. “In another sign of effective action against the ransomware threat, Chainalysis reported that the average lifespan of a ransomware strain in 2022 was 70 days, down from 153 days in 2021 and 265 in 2020,” the RTF adds.

The RTF says that a significant decrease in ransomware attacks against U.S. organizations during the first half of last year may have been a “side effect” of the Russian invasion of Ukraine, which disrupted and redirected the focus of cybercriminal groups based in the region. “Despite this, ransomware remains a major threat to both companies and civil society, with reports of increasing numbers of attacks against organizations in Latin America and Asia,” the group warns.

What’s Next?

Looking ahead, the RTF expects the cybercrime ecosystem to continue evolving. For example, it says ransomware activities emanating from Russia also appear to be expanding their targets to include a greater emphasis on the Global South, including by shifting toward Asian and Latin American targets and away from critical infrastructure and other sensitive targets within NATO countries.

“This refocusing away from critical infrastructure and other sensitive targets in NATO countries may be driven by a desire to avoid incidents that could increase friction between Russia and NATO countries,” says the RTF, which is encouraged by the “increased data sharing” across the public and private sectors—and among governments.

“However, factors like incomplete cyber incident reporting indicate that we still do not have a complete understanding of the scale and scope of this threat,” it adds. “As the ecosystem evolves, it is critical that governments continue to collect and process incident data, work to create target decks of ransomware developers, criminal affiliates and ransomware variants, and share information with relevant stakeholders in a timely manner.”


About the Author

Bridget McCrea | Contributing Writer | Supply Chain Connect

Bridget McCrea is a freelance writer who covers business and technology for various publications.