The contradictory fall in ransomware in 2022
In Part 1 of this article, we spoke to Mike McLellan, Director of Intelligence at the Secureworks Counter Threat Unit about a seeming rise in reports of business email compromise being used against business in 2022 – as revealed by the Unit’s annual report on the cyber-threat landscape. In Part 2, we took a look at the rising tide of attacks based on multifactor authentication fatigue. But the leading – not to mention the best known and probably best understood – cyberthreat remains ransomware. While we had Mike in the chair, it seemed almost indecent not to ask him about it.
Especially as figures in the report showed ransomware down by a staggering 57% in 2022. Our first question, then, was probably inevitable.
What gives with the plummeting number of ransomware attacks in 2022?
Ransomware grabs a lot of attention, because you have attacks like the Royal Mail, the US Marshals Service, just to name a couple from the last few months. They are very high-profile organizations that are impacted by this with, with a clear impact on people.
Typically, the general public only care about these things when they actually have some impact on their lives, and some of these ransomware attacks do, because they hit critical infrastructure or critical services.
The Ukraine factor.
So yes, it’s interesting that we’ve seen a reduction in the number of incidents this year. And I don’t think we’re alone in seeing that – it’s not a blip in our data. Some other vendors have reported similar trends, though whether it continues to be a trend throughout 2023 remains to be seen…
You’re about to tell us something mind-blowing with a tinge of horror, aren’t you?
What makes you say that?
We’ve interviewed you before. We know that pause.
Well… it’s possible the war in Ukraine had a significant cooling effect on ransomware last year. We saw a two- or three-month period where there was a huge disruption to the ecosystem, because you had groups who had operators in Ukraine, or they had split political loyalties, and that impacted on the volunteer activity.
So whether we will see that decline continue, I’m not sure. I think we will start to see it pick up again, because I think it remains a very lucrative form of revenue for cybercriminals.
But, you know, reasons why we could see a reduction would include organizations getting better at defending against it, which we always like to say is a thing.
Law enforcement disruption getting better, having more impact on the groups is a thing. Groups deciding it’s not economical because of the price of cryptocurrency or the challenges of conducting attacks. That’s a potential thing, too.
Finally, and possibly the most likely explanation, is that we’re just seeing an underreporting of it to the likes of ourselves, to law enforcement, and to other places. One theory that we’ve got is that following Colonial Pipeline and some of those very big attacks, the more sophisticated ransomware gangs decided that actually, if they could keep their heads under the radar a bit more and conduct more attacks against smaller organizations, they could still generate enough money, but without bringing the headlines, and so without bringing the law enforcement interest.
The quiet life.
Cybercriminals opting for a quiet life?
It’s possible, yes. There are plenty in the criminal organizations who are absolutely only in it for the money. If you can make a good living without bringing the FBI or Interpol down on your own head, why not do that?
So it’s very hard for us to say, because we only work with organizations who pay us to come and do incident response for them. But there is potentially a much larger number of very small organizations who aren’t mature enough, don’t have those relationships to report these things, don’t know how to report it to law enforcement, and we’re just not seeing it. So I think our data on this tells potentially only part of the story.
There are reasons why that might be, but it’ll be interesting to see over the next 12 months whether insurance firms and other organizations report similar trends or not based on their data and their view of that threat.
I do think we’ll see the numbers start to creep back up, sadly. But we definitely saw a reduction last year driven probably by the war in Ukraine, and by some of the heat that came from some of the very high-profile attacks, forcing a rethink of the operation.
A busy year?
This is inevitably going to sound crass, but is it possible that, with the illegal Russian invasion of Ukraine, lots of cybercriminals had… more pressing things to focus on?
I think they undoubtedly will have, yes. Ukrainian police arrest people for their involvement in ransomware gangs, and while those may not be the core operators, (the really sophisticated criminals probably live in places where they’re never going to be arrested), it will have an impact on your operation if there’s suddenly a war which encompasses places where you or some of your colleagues live.
So yeah, undoubtedly, that caused a significant distraction, and possibly some kind of physical disruption if people had to relocate.
Obviously, we hope that situation improves over the next 12 months. But it certainly looks like most of the criminal gangs that were disrupted have managed to reconfigure themselves to carry on as they were before. So we will be keeping a very close eye on that, just seeing if the fall in ransomware numbers becomes a long term trend, or if it was just a bit of a blip last year.
An offer they can’t refuse.
As we understand it, some of the pro-Russian groups have died out or been agglomerated into the bigger groups too, right?
Yes, some of the big ransomware-as-a-service schemes have. There’s been a sort of stratification of the landscape where you’ve got two or three ransomware schemes, which are now very large, with lots of affiliates, lots of people kind of participating in them.
I think that’s making it harder for other schemes to establish themselves and break into that market, you’ve got a bit of a monopoly going on there with a very small number of schemes now running lots of affiliates, potentially.
And again, when we see some of the high-profile attacks, the likes of the US Marshal Service, it’s possible that was some affiliate who just hasn’t really appreciated the potential impact of that attack on the scheme.
We think the criminals who have been doing this for a long time have come to the realization that you don’t really want to try and take down the Irish Health Service, or the Royal Mail or whatever, because the potential blowback on you from law enforcement could be significant, could cost you a lot in terms of having to adapt and retool and all that sort of thing.
So we’re seeing a small number of schemes with lots of affiliates. And I’d be interested to see if we see some kind of unintended behaviour from some of those affiliates who are less easy to control, maybe because they’re less experienced.
Apologies if this is cliché, but it sounds like there’s a mafia-style structure developing in those schemes. The cyber-mafia?
It’s interesting, because if you go back 15-20 years, some of the people in charge now are the same people who started out back then. And it’s always important to know that there are people behind these attacks. The central people have probably been around for a long time, but you end up with a much broader pyramid of other people who get involved.
Potentially, the people who’ve been in the business for less time are just making a sort of salary rather than generating the big payouts, but they are nevertheless getting paid well to do the job they’re doing. So you do have this kind of organizational structure.
And if you look at something like the constant leaks from last year which exposed some of this, it’s fascinating to see them talking about things like HR disputes, and salaries and all that kind of thing, and having to deal with the kind of things that most managers have to deal with in legitimate organizations.
It’s curious to think that some of the players responsible for the bigger, flashier, more headline-grabbing ransomware attacks may actually be the people with less experience, who have yet to buy into the quiet life philosophy of advanced cybercrime. You can’t help wondering if that might be a useful thing for companies to consider in their future negotiations with these players.
In the final part of this article, having dipped into the conflict in Ukraine, Mike turns his attention to other national-level state actors that have been especially busy delivering cyberattacks in 2022. Will the leading threat surprise you at all…?
6 December 2023
5 December 2023
4 December 2023