Public-private collaboration, law enforcement, and better defenses are helping make inroads in the war against ransomware, according to the Ransomware Task Force.


It may seem counterintuitive given the regularity of ransomware attacks today, but these debilitating cyberattacks actually declined for the first time ever in 2022, thanks to actions and policy changes implemented by enterprises and governments in countries around the world.

This bit of good news comes courtesy of the Ransomware Task Force (RTF), an industry group founded by the Institute for Security and Technology (IST) during the height of the COVID-19-onset rise in ransomware. In its May 2023 progress report, RTF announced that of its 48 recommendations for how society could fight back against the scourge of ransomware, a full 92% have already been addressed in one way or another.

The results of this progress are already showing up in the data and being felt on the ground.

"I think it's reasonable to compare ransomware to COVID," says Curt Franklin, principal analyst for enterprise security management at Omdia. "We're past the epidemic and into the endemic. It is not the constant in your face. Now it's just part of the everyday cybercrime background that we all deal with."

Still, ransomware attacks continue. New threat actors are still cropping up every week, getting better at what they do and always evolving their tactics and technologies to circumvent our best defenses. Major, multimillion-dollar attacks — the likes of which would've seemed extreme even just a couple of years ago — continue to befall both enterprises and government targets. Just last week, for instance, the Sheriff's Department in San Bernardino, California admitted to paying off a ransom of $1.1 million.

RTF was founded in Dec. 2020, bringing together dozens of leaders from organizations as far and wide as Microsoft, Bank of America, Mandiant, the US Department of Justice, and Europol. In April 2021 the group released its inaugural report, centered around "a comprehensive framework of actions (48 in total) that government and industry leaders can pursue to significantly disrupt the ransomware business model and mitigate the impact of these attacks in the immediate and longer terms."

It would've been easy to lose track of all those actions or ignore them entirely. Instead, "two years later, we have seen impressive moves by industry, US, and partner governments toward implementing these recommendations," the authors of the newest report wrote.

By now, 44 of the RTF's 48 recommendations "have seen some action." 24 of those "have seen significant progress" since April 2021, with "preliminary actions" taken to address 20 more. "Only 4 recommendations have had no publicly known action," the new report stated.

Who's Doing What

Among the myriad ways governments, enterprises, and individuals have stepped up to the plate, "each has had an important impact," Franklin says.

"The government," he points out, "is doing things like providing forums in which security professionals could gather and share information. Government has also played a role in enforcement, which changes the calculation that the cybercriminals have to do, to see whether ransomware is a worthwhile investment in their time and resources."

Even the way governments talk about ransomware has been important. RTF co-chair Megan Stifel points to the Colonial Pipeline attack as a watershed moment in ransomware policy. "The United States government was very overt in its messaging, signaling that ransomware attacks on critical infrastructure were not something that it will continue to tolerate. And that signaling carries on to this day, in its cybersecurity strategy."

Meanwhile, private industry has played its role. "Organizations have gotten better about their own hygiene," Stifel assesses. "Organizations have changed their responses to ransomware incidents," including paying their attackers far less often — only 37% of the time in Q4 2022, as compared with 85% of the time in Q1 2019, according to Coveware.

Dips in Ransomware

All these advancements have already borne fruit. In its May report, RTF noted 2022 data from CrowdStrike, indicating that ransomware was down 20% in data theft and extortion attacks, and from Chainalysis, indicating that the average lifespan of a ransomware strain plummeted to 70 days, from 153 in 2021 and 265 in 2020.

"My number one priority is to advance the scale, scope, and extent of operational collaboration," Stifel says. "We need to be better, quicker, and faster — and harsher, in some ways — at working between the government and private sector in operational collaboration, where we are closely integrated while also respecting privacy and civil liberties in leading these investigations and showing that a rule of law based approach to combating this type of cybersecurity risk ransomware is a successful one."

For as much effort as it took to stem ransomware the first time, even more will be required to keep it down and address the next threat that crops up in its place.

"Ransomware eventually, hopefully, will start to decline, but there will be something next," Stifel warns. "And so we need to get better at operational collaboration, not just to defeat ransomware, but to ensure a more sustainable and secure ecosystem."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
