The number of ransomware attacks is plummeting. During the first quarter of the year, cybercriminals carried out significantly fewer cyberattacks against businesses than last year. Researchers discuss the cumulative effects of faulty police operations targeting reputed gangs…
Last year, the number of ransomware attacks exploded. Malwarebytes researchers recorded a 68% increase in the number of offensives aimed at extorting money in exchange for stolen data. Chainalysis experts, specializing in the study and monitoring of blockchain, agree and reveal that the amount paid by victims has exceeded a billion dollars in one year. That’s almost double the $567 million extorted a year earlier.
“2023 marks a major comeback for ransomware, with record payouts and a substantial increase in the scope and complexity of attacks,” explains Chainalysis.
To explain this increase in attacks, Malwarebytes pointed the finger at “the explosion of AI”, which allows budding cybercriminals to get started without the slightest computer knowledge, and at the numerous operations carried out by Lockbit. The Russian gang is also responsible for the largest known ransom demand to date. The hackers demanded $80 million from Royal Mail in exchange for the sequestered data.
For its part, Chainalysis highlighted the MOVEit hack, one of the most important hacks of 2023. This immense data leak was the source of a multitude of attacks. Finally, TrendMicro identifies a change in the strategy of cybercriminals. In pursuit of profit, they have mainly attacked small businesses, which are less well protected, rather than large companies, whose security mechanisms are more sophisticated.
A gradual decline in ransomware attacks
During the first quarter of 2024, the trend finally reversed. CyberInt experts noted a 22% drop in ransomware attacks in one quarter. Researchers recorded only 1,048 hacks in the just-concluded period. For WatchGuard, the situation began to change in the last three months of 2023 with a 20% drop in identified attacks compared to the previous quarter.
The counterattack of the police
Behind this sudden drop in the number of cyberattacks, we first find the sustained efforts of law enforcement, says WatchGuard. The authorities have carried out several large-scale operations against groups specializing in extortion. Let us first mention Operation Cronos, carried out by the FBI with the cooperation of 11 different countries. This operation dealt a major blow to Lockbit, one of the most prolific gangs in the world. Deprived of part of its servers, the gang was forced to launch a new platform to publish its data leaks on the dark web.
Unfortunately for Lockbit, reputational damage is harder to reverse than IT damage. The police operation against Lockbit did indeed drive away some of the ransomware's subscribers. Like most criminal groups, Lockbit offers its extortion software through a subscription. This approach allows the gang to diversify its sources of income.
Scalded by the FBI operation, budding hackers prefer to distance themselves from Lockbit’s services, at least temporarily. Affiliates likely fear that authorities, who have Lockbit’s decryption keys, will thwart Lockbit 3.0 ransomware attacks. Unsurprisingly, the Lockbit debacle was therefore accompanied by a sharp drop in the number of attacks. The ransomware had in fact established itself as the most prolific in the world, holding 25% of the digital extortion market.
A few weeks earlier, the police also went after the BlackCat hackers, another major gang specializing in ransomware. Last December, the FBI and police forces in several countries seized the dark web site of ALPHV, aka BlackCat. Authorities got their hands on the decryption keys for the ransomware. With these keys, the FBI was able to help more than 500 BlackCat victims. They were not forced to pay the ransom to regain access to their data.
Considerably weakened, the gang was forced to keep a low profile. In the first quarter of 2024, BlackCat orchestrated only 51 ransomware attacks, compared to 109 in the last three months of 2023. Again, this policing operation contributed to the decline in ransomware attacks worldwide. The latest news is that the gang faked its own death in order to avoid further FBI investigations. At the end of 2023, BlackCat still accounted for 8.1% of ransomware cyberattacks worldwide, according to TrendMicro.
“Since 2022, LockBit and BlackCat have consistently ranked among the ransomware providers with the highest number of detections,” summarizes TrendMicro.
Let us also cite a police operation targeting a gang of Ukrainian hackers in December. Europol managed to put an end to the activities of cybercriminals after two years of investigation. The hackers, arrested in the wake of the operation, are suspected of having deployed malware on more than 250 computer servers spread across 71 countries. Before their arrest, the hackers extorted hundreds of millions of euros from companies.
Victims refusing to pay the ransom
At the same time, cybercriminals are finding it increasingly difficult to convince their victims to pay a ransom, explains CyberInt. According to a Coveware report, less than 30% of victims still agree to pay the ransom, compared to 85% in 2019. This is a historic drop.
Since last year, a growing share of hacked companies firmly refuse to negotiate with cybercriminals. These companies believe that paying a ransom could harm their image. They therefore prefer that the stolen data be disclosed by the hackers. Coveware also cites “better preparedness by organizations” and a lack of trust in cybercriminals’ promises. Companies realized that hackers were free to collect the ransom while keeping the data, or to return and attack again a few years later. Faced with increasingly recalcitrant companies, hackers sometimes consider that ransomware attacks are no longer lucrative enough.
This is why some gangs try to beef up their extortion tactics. Cybercriminals go so far as to threaten people, including cancer patients, to obtain a ransom. They also no longer hesitate to publish very sensitive data to try to collect a ransom. Furthermore, some hackers also threaten American companies with reporting them to the authorities. Companies based in the United States have four working days to notify the authorities of an attack. Aware of the legislation, cybercriminals threaten to disclose the information to American regulatory bodies once this deadline has passed.
New gangs in ambush
Despite the drop in offensives, we must not let our guard down too quickly, WatchGuard warns. In its report, the company explains that it expects ransomware affected by police investigations to make a comeback. We have already noticed an increase in copies of Lockbit in recent months, in the wake of the dismantling of part of the gang’s infrastructure.
We must also expect new gangs to appear to take the place of the entities currently on the sidelines. According to CyberInt, groups like RansomHub, Mogilevich, Trisec or Slug will end up establishing themselves as leading players alongside Lockbit or BlackCat. This emergence of “ambitious new groups looking to make their mark on the ransomware industry” is a “warning for businesses around the world”.