
In the first part of this three-part blog series on ransomware, we discuss why cybercriminals still use and rely on ransomware to infiltrate organizations across the globe.
The ongoing growth of ransomware
Ransomware continues to be one of the most disruptive and profitable cyberattack techniques in the world, affecting organizations and individuals alike. According to our threat intelligence team’s observations, in H1 of 2024 the number of ransomware groups operating on the dark web increased by 56 percent compared to the same period in 2023. So, despite advancements in cybersecurity technologies, why are ransomware attacks still effective?
Ransomware remains profitable
One of the primary reasons ransomware remains successful is the profitability of these attacks. In 2023 the amount of extorted cryptocurrency from victims exceeded $1 billion. Cybercriminals have discovered that encrypting a victim’s data and demanding a ransom in exchange for decryption keys can generate a significant financial reward. Because of this profitability, ransomware groups have gone on to refine their models to maximize their profits, including double and even triple extortion. This means ransomware gangs aren’t just encrypting an organization’s data; they are also threatening to sell the data to other cybercriminals on the dark web if the ransom isn’t paid, which could lead to further attacks and more disruption. This added layer of threats makes the ransom demand difficult for victims to refuse and also encourages them to pay quickly.
For businesses and organizations that rely on their data to function, the downtime caused by an attack can be catastrophic. Many are willing to pay to recover their information and restore normal operations, especially if the cost of the ransom is perceived as less than the financial impact of prolonged downtime and data loss.
The profitability is enhanced by the use of cryptocurrencies, like Bitcoin, which provide a degree of anonymity to attackers, making it more difficult for law enforcement to trace the transactions. With potentially massive payouts and relatively low risk, ransomware attacks have become an appealing business model for cybercriminals.
Ransomware is low-risk and high-reward
The dark web provides a safe environment for ransomware attackers to operate. Many attacks go unreported due to the fear of reputational damage or the legal complications that come with a public breach. Even when victims do report attacks, cybercriminals often operate from jurisdictions where law enforcement has little or no power to act, such as countries with weak international agreements on cybercrime. This global nature makes it incredibly challenging to track down and prosecute offenders.
Ransomware attackers have also adapted their tactics to reduce their risk further. By demanding payments through decentralized cryptocurrency systems and operating from locations with limited law enforcement cooperation, attackers make it nearly impossible for victims and authorities to recover lost funds or identify perpetrators. As long as the rewards remain high and the risk of being caught remains low, ransomware will continue to thrive.
Ransomware attacks are becoming more sophisticated
Ransomware has evolved significantly over the past few years, becoming more sophisticated and damaging. Attackers are using more advanced encryption techniques that are virtually impossible to crack without decryption keys. This makes traditional backup and recovery methods less effective unless organizations have prepared in advance.
Ransomware has also adopted stealthier attack vectors. For instance, modern ransomware strains can lie dormant in a system for weeks or even months before being executed, allowing attackers to identify the most critical data and systems to target. This delay also gives ransomware time to spread across networks, ensuring that more systems are infected and making recovery more difficult. As ransomware continues to evolve with better encryption and stealth tactics, it becomes harder for security teams to keep pace.
Ransomware plays on human error and weak security
Even the most sophisticated security systems can fail if human error comes into play. Many ransomware attacks succeed because of simple mistakes such as clicking on a phishing email, using weak or compromised passwords, or failing to install software updates. Phishing emails remain one of the most common delivery methods for ransomware, relying on social engineering to trick victims into downloading malicious attachments or clicking on harmful links.
Weak security practices, such as failing to implement multi-factor authentication, leaving Remote Desktop Protocol open to the internet, or neglecting software updates, are major contributors to the success of ransomware attacks. Once attackers find a vulnerability, they can quickly spread the ransomware across the network.
Ransom payments often work
Despite law enforcement and cybersecurity experts advising against it, many victims choose to pay the ransom to quickly regain access to their data. Unfortunately, this encourages further attacks. When criminals see that they can consistently get paid, they continue to refine and spread their attacks. It’s worth noting that paying the ransom does not guarantee full recovery, and in some cases the decryption keys victims receive only recover part of their data. In fact, 78 percent of organizations that pay the ransom are targeted by cybercriminals again. Nonetheless, the willingness and desperation of many organizations to pay the ransom has helped fuel the continued success of ransomware.
Ransomware-as-a-Service (RaaS)
The rise of RaaS has further contributed to the success of ransomware. RaaS platforms operate similarly to legitimate Software-as-a-Service (SaaS) businesses, offering packaged ransomware kits that cybercriminals can purchase and use with little to no expertise. This allows even low-skilled attackers to launch devastating ransomware attacks.
RaaS has also created a profitable affiliate model for cybercrime, where developers of ransomware share profits with those who distribute it. This allows ransomware developers to focus on improving their tools while affiliates focus on distributing the ransomware through phishing campaigns or by exploiting vulnerabilities.
Poor incident response
Even knowing that they may become victims of a ransomware attack, many organizations lack proper incident response plans to handle one. Without a clear strategy in place, victims are often left scrambling to respond, wasting valuable time and resources. The absence of regular backups, lack of training for employees on how to recognize a phishing attack, and the lack of disaster recovery plans make it more likely that victims will resort to paying the ransom instead of effectively managing the crisis. This then leads to a large financial win for the cybercriminal.
How can organizations and law enforcement overcome the challenge of ransomware?
As this blog highlights, there are many persistent challenges that have allowed ransomware to retain its position as one of the most consistent attack techniques. However, the “good guys” have also adapted their approaches to tackling ransomware and – in the last year in particular – we have observed huge progress in combatting some of the most prolific ransomware groups in operation.
In the next two blogs we’ll discuss how enterprises can be more proactive in their fight against ransomware groups, using dark web intelligence to profile their most likely adversaries and prepare their defenses appropriately. We will also look at how law enforcement has aided organizations through coordinated campaigns that have succeeded in taking some of the most notorious ransomware groups off the map.