Recent Rise of Ransomware Attacks: What Are the Main Drivers?

Ransomware is not a new phenomenon. The earliest recorded incident goes as far back as the 1980s. However, today’s ransomware operates at a scale and sophistication that makes it virtually unrecognizable from its early predecessors.

Each year, ransomware attacks hit a new high. According to its annual Internet Crime Report, the FBI received almost 2,500 ransomware complaints in 2020. This was up about 20 percent from the 2019 numbers. If incidents capturing media attention are anything to go by, 2021 is continuing this trajectory, from the disruption of a critical pipeline to obstructed operations at a major insurer.

The relentless attacks are further compounded by ever-higher ransom demands, which organizations, worried about the impact of extended disruption, are paying. The payouts have enraged policymakers and lawmakers while emboldening the demands made in subsequent ransomware attacks.

So what has been the root cause of this recent rise in ransomware attacks? Multiple factors are at play here.

Global Internet Penetration

Internet penetration has accelerated rapidly in developing economies. By the end of the first quarter of 2021, there were more than 4.7 billion Internet users worldwide. No longer is access limited to the world’s wealthiest countries, or the rich and upper-middle class.

The growth has to a large extent been thanks to the ubiquity of the smartphone. In 2020, smartphone vendors shipped more than 1.3 billion devices, a number that far exceeds the 275 million PCs shipped over the same period.

While having more of the world online is essentially a good thing, it inevitably means more criminals coming online as well. If the opportunity arises, individuals and groups who already have a criminal past offline would have no qualms transitioning their activities to the World Wide Web. Ransomware provides an avenue to do just that.

Cryptocurrency

Cryptocurrency’s rise has been a classic case of unintended consequences. As it has continued to draw attention as an alternative currency outside the control of nation-states and regulators, it has also become a magnet for underworld business. Cryptocurrencies are challenging to track and lightly regulated (if at all), making them attractive to cybercriminals.

In the past, the difficulty of extracting proceeds of crime from the international banking system was a significant impediment to the proliferation of ransomware. Cryptocurrency has effectively ‘solved’ that bottleneck.

It doesn’t help that the price of major cryptocurrencies such as Bitcoin and Ethereum has soared in recent years. Criminals see holding cryptocurrency as lucrative.

Successful Payouts

A recent Institute for Security and Technology report found the number of victims paying ransoms following a ransomware attack grew 300 percent in 2020 compared to 2019. In 2021, millions of dollars have so far been paid out to ransomware groups.

  • Brenntag, a German chemical distributor, paid a $4.4 million ransom.
  • Colonial Pipeline paid out $5 million to cybercriminals when a ransomware attack stalled its operations. Fortunately, about half of the ransom was recovered.
  • Meat-packing behemoth JBS’s CEO admitted that the company had to part with an $11 million ransom.
  • CNA Financial forked out a staggering $40 million.

These large payouts set a precedent that cybercriminals are taking note of. Worse, the attackers are rarely caught since the transactions are difficult to track. Such promising prospects have made ransomware a popular get-rich-quick scheme even for criminals who would otherwise not be interested in cybercrime or have the technical skills to engage in it.

High Profile Targets

The ransomware targets covered in the previous section are large organizations.

  • Colonial Pipeline is one of the largest distributors of petroleum products in the United States, delivering about half of the fuel needs of the East Coast. The pipeline’s shutdown led to fuel shortages, panic buying, price hikes, and the federal government’s declaration of a state of emergency.
  • JBS is the world’s largest meat processor by sales. The company generated more than $52 billion in revenue in 2020. Headquartered in Sao Paulo, Brazil, the company has nearly 150 industrial plants across the world. Its US subsidiary raked in nearly $28 billion in sales in 2020.
  • CNA Financial is the seventh-largest commercial insurer in the US.

Each of these companies probably invests millions of dollars each year in cybersecurity. To be breached by a ransomware attack sends a message to attackers that no organization is impregnable. This only serves to encourage cybercriminals to seek out the most prominent targets in hopes of securing a significant payoff.

Ransomware-as-a-Service

Ransomware-as-a-service (RaaS) refers to a criminal enterprise model whereby ransomware variants are leased to criminals. RaaS initially surfaced a few years ago but has gained traction over the last one to two years.

Its popularity stems from the fact that it makes it possible for non-techie bad actors to launch a sophisticated ransomware attack.

RaaS works like a structured organization with profits shared between the attacker, the service provider, and the programmer. The result of RaaS is that the overall number of people who can effectively launch a complex ransomware attack has grown significantly.

Remote Work

Remote work was already a growing trend, but it received fresh impetus with the COVID-19 pandemic. As governments enforced social distancing requirements, organizations had to scramble to get most of their staff working from home.

This rush resulted in many people accessing business systems and sensitive work-related data over unsecured or less secure personal devices and private networks. Users were also likely to have weaker IT controls at home than they did at work.

All these provided fertile ground for ransomware and other cyber threats to flourish.

US-Russia Tensions

No one country is home to ransomware attackers. However, US officials and cyber experts have regularly pointed out that several significant cyberattacks hitting the US recently can be attributed to Russia or Russia-leaning groups.

The FBI attributed the JBS attack to Russia-based hacking group REvil, and the Colonial Pipeline breach to Eastern European and Russian-speaking cybercrime organization DarkSide.

To many cybersecurity experts and policymakers in the US, Russia is providing a haven for ransomware hacking groups as long as they do not target entities or persons inside Russia. Cybersecurity authorities assert that Russia has cooperated with Eastern European hackers in the past.

The ransomware attacks must be viewed in the context of long-running tensions between the US and Russia. These tensions are hampering the ability to create a united global front in tackling the ransomware problem.

Wrapping Up: Proactive Action is Key

Ransomware is a growing threat. It’s imperative that governments, businesses, and IT security professionals continuously explore the different ways they can contain or counter the threat. The better prepared an organization is, the less disruptive and less expensive a ransomware attack is likely to be. Acting proactively is vital. Proactive actions include:

  • Employee ransomware awareness
  • Backing up data
  • Applying system updates and security patches as soon as they are available
  • Contracting third-party cybersecurity experts and ethical hackers
  • Buying cyber insurance

Awareness is necessary because ransomware attacks often tap into social engineering techniques to get ordinary users to download attachments, install programs, or click URLs. Organizations should have a contingency plan that kicks in and transitions operations if central production systems are inaccessible.