Ransomware Operators Are Feeling the Heat

Ransomware has maintained its dominance the past few years; however, increased law enforcement attention may result in changes to how it looks in the future.

January 24, 2022


Since 2020, BAE Systems Applied Intelligence has tracked the evolution and progressive dominance of ransomware in the threat landscape. Threat actors in this space have widely adopted a technique coined "double extortion," where data stolen from victims is exposed on leak sites often only accessible on the Dark Web. Over 4,000 organizations have appeared on the 20+ leak sites BAE Systems Applied Intelligence tracks at any one time, with just over 2,700 of these seen in 2021 alone.

The United States has borne the brunt of this ransomware activity, housing over half the ransomware victims identified in 2021; Canada, Great Britain, and France are the next most impacted, each representing only 5% of the identified victims. Industrial and manufacturing organizations have seen their own share of attention, with just over a quarter of victims slotting into this sector. The retail and health sectors follow behind with 9% and 6%, respectively.

Combating Ransomware
There were a number of high-profile ransomware cases in 2021, with perhaps the most notable being the attack against Colonial Pipeline in May. Here, the DarkSide ransomware operators demanded a payment of 75 bitcoins, a sum that would have equaled more than $4 million.

Bitcoin serves as a constant throughout the majority of ransomware cases BAE Systems Applied Intelligence has observed. Other high-profile cases include the attack against JBS USA in May involving the REvil ransomware, where an $11 million ransom was paid in bitcoins, and the exploitation of Kaseya VSA, where a ransom of $70 million in bitcoins was demanded in return for a combined decryptor for all of the approximately 1,500 organizations affected.

Of these cases, the attack against Colonial Pipeline is perhaps the most interesting, and not just because it caused the company, which supplies 45% of the fuel to the East Coast of the US, to shut down its operations for a time. Approximately a month after the company paid the attackers, the US Department of Justice announced it had recovered approximately 85% of the 75 total bitcoins paid in the ransom.

Given this seizure, showing that Bitcoin is perhaps not the infallible, untraceable form of currency that it is sometimes purported to be, BAE Systems Applied Intelligence has predicted that 2022 will see threat actors begin to move away from it and toward other cryptocurrencies, such as Monero, where tracing is far more difficult. The operators of one particular ransomware strain, Grief, were seen to follow this trend in 2021, with chat logs showing their preference for Monero by offering a discount compared with the amount asked for in bitcoins.

The recovery of funds is just one case of law enforcement action taken against ransomware groups in the last few years, with individuals linked to large ransomware variants such as REvil, Clop, Egregor, GandCrab, and more being arrested. The most interesting piece of recent law enforcement action is that taken by Russia's Federal Security Service (FSB) against the operators of the REvil ransomware, potentially demonstrating a shift in Russia's stance of denying that ransomware operators have been allowed safe harbor in the country, moving instead to aid the US after talks with the US president in 2021.

Looking to the Future
With ransomware's dominance of the criminal threat landscape, the question of what that landscape will look like in the future is an interesting one.

In 2021, BAE Systems Applied Intelligence observed a trend showing that the median revenue of compromised organizations had started to drop, with another trend suggesting the percentage of US-based organizations being compromised was also falling. While the second appears to have leveled out again, the drop in the median revenue of compromised organizations appears to be continuing.

There are likely to be a number of underlying reasons for these trends. Given the spate of high-profile US organizations compromised recently, and the resulting law enforcement attention, ransomware operators may be opting for organizations that will draw less geographic and political attention, and that may have a weaker security posture as a result of their smaller size.

Banning ransomware payments is one of many ways to potentially counter the ransomware problem, and, if done correctly, could have a significant impact. This would, however, require careful co-ordination with law enforcement, the insurance industry, and other stakeholders, and should not come at the expense of initiatives to improve organizations' security postures.

Ransomware continues to pose a major threat to organizations around the globe, a fact highlighted by BAE Systems Applied Intelligence's research, and a fact we do not believe will change in the near future.

About the Author


Dan Alexander is the Head of Threat Intelligence at BAE Systems Applied Intelligence, where he leads a globally distributed intelligence team, providing unique insights into the threat landscape. His team specializes in tracking and reporting on top-tier threat groups that traditional network defenses miss. Dan also leads the BAE Systems Threat Advisory services, delivering the threat intelligence component of intelligence-led penetration tests.
