Defying expectations: What caused the dip in ransomware attacks between July-August 2022?
By Jamie Smith, head of cyber security at S-RM
For many years Russia has been home to some of the world’s most skilled hackers and most profitable ransomware groups. Research from Chainanalysis estimates that $400m of crypto-currency payments (74% of ransomware payments) went to Russia-linked groups in 2021. New research from S-RM, the intelligence and cyber consultancy, shows that cyber security and ransomware attacks in particular have been rising up the agenda for a lot of organisations.
The recent research found that cyber security forms over a quarter (26%) of organisations’ annual IT budget in 2022, which was consistent across the UK (25%) and US (26%) and marks a 5% year-on-year growth in cyber budgets compared to our survey responses in 2021.
Despite expectations that ransomware attacks would increase throughout 2022, attacks notably decreased over the summer period. With cyberwarfare at the heart of Russia’s modern military doctrine, and an increase in attacks before the conflict, this sudden drop is in stark contrast to what was anticipated by commentators – namely, that Russia-affiliated groups would choose to cause increased disruption to Western companies during the conflict.
With this activity level diving far below the predicted trends, it is important to consider the possible causes and look to what may happen with ransomware attacks in the future.
What is stopping ransomware groups?
It is first important to note the impact of the conflict in Ukraine and the fact that some established ransomware groups are comprised of both Russians and Ukrainians. The conflict catalysed rifts within these groups, and some – such as Conti – have chosen to publicly side with one of the countries. As a consequence, at least in the relatively short term, the activity of these groups slowed as priorities and country loyalties overtook malicious planning of attacks outside the physical conflict zone.
The conflict has not only had an effect within the groups themselves but has also triggered a collapse in their infrastructure and transaction routes. At the time of writing, there are currently eight packages of sanctions adopted against Russia, including export restrictions and oil price caps. The conflict and sanctions have hugely increased international scrutiny on Russia, which has dissolved much of the framework relied on by ransomware groups for their planning and acquiring the server space they rely on to conduct attacks.
Whilst these groups have proven to be innovative and adaptable, it has become substantially harder for these collectives to purchase server space or other resources needed to amass botnets required for large-scale attacks.
On top of this, being watched by the world has complicated the previous money laundering routes used by actors. Where payment would normally move from the affected party, to a payments brokerage, to an exchange, and finally to a cryptocurrency tumbler before the group receives it, there is now too much global focus for these processes to go undetected.
The payments themselves are also causing issues for actors. This year has seen Bitcoin go through massive waves of volatility, and groups will have had to watch their funds and reserves take an unavoidable nosedive as a result.
Amongst the numerous factors of world conflicts and internal issues, the efforts of the cybersecurity sector and businesses cannot be discounted. With the everchanging attacks, plans, and software used by ransomware groups, greater awareness amongst businesses as to their vulnerabilities plays a key part in preventing attacks.
With companies moving risk management up as a priority, and investing in endpoint detection, response approaches, and managed services to protect their networks, it is becoming increasingly harder for these ransomware groups. According to new research from S-RM, the intelligence and cyber consultancy found their respondents reported an average direct loss from a serious cyber incident of $1.5m and this figure has since decreased roughly $300,000 from last year. Considering the increase in incident frequency, this may suggest that organisations are managing cyber incidents more effectively.
Looking to the future
It is crucial to pay attention to, and carefully examine, unexpected patterns in our industry. Not only can this help us keep up with what is happening with current activity, but also forms the basis for predicting and counteracting attacks in the future.
It is expected that traditional ransomware groups will increase their activity once again to return to the levels seen in 2021. This will predominantly be a result of affiliates disengaging with the ongoing conflict in Ukraine and moving away from ideological anchors. Consequently, they will be looking to regain their losses in activity and profitability as quickly as possible.
Over the last three years, our research has shown that 75% of senior IT leaders say their firm suffered a serious attack and the ongoing rise in attacks against both small and medium sized companies is also expected to continue through to 2023. In addition to this trend, we can expect to see a more decentralised distribution of ransomware activity and, as a result, we will see an increase in attacks on individuals, as the activity spreads beyond corporate targets. In particular, we anticipate seeing a rise in pure data theft, as more opportunistic cyber thieves realise the huge value of extracting sensitive data, over the current lock-out-and-ransom-back model.
We can expect, however, that law enforcement can take advantage of these dips to slow the development of these criminal groups, targeting and capturing them whilst their productivity is lowered.
In the face of rising geopolitical tensions, it is suspected that state-sponsored attacks may rise, and alongside the constant threat of ransomware innovation, businesses need to be thorough in checking for their vulnerabilities. They must utilise the best tools and practices in order to pre-empt these attacks and protect themselves in the face of the unknown or unexpected.