The Federal Bureau of Investigation's Internet Crime Complaint Center received 3,729 complaints identified as ransomware in 2021, up 82% from just two years prior and accelerating. According to the Department of Treasury, the top 10 ransomware gangs raked in at least $5.2 billion dollars in extortion payments. Ransomware's growth and sheer scale captured the attention of leaders in policy and business, but we must keep our eye on how its operators might adapt and evolve to protect their profits.
The Ransomware Evolution
Before the ransomware explosion, cybercriminals explored a variety of monetization techniques. Most involved theft and resale of sensitive records, especially credit card numbers. Many focused on direct financial transactions and ACH transfers. Others experimented with cryptomining or reselling system access for scrap value to other cybercriminals, kicking the monetization problem downstream. The most profitable techniques required savvy operators and sustained, persistent access, which meant that being detected could spoil operations that required a significant time investment.
Ransomware changed the game. This brutish new monetization technique was comparatively fast and simple. Early ransomware did not require the same understanding of the victim network, did not call for much caution or anti-forensics, and it offered immediate and direct payment without relying on black market resellers. With a tighter life cycle, higher profits, and a much lower barrier to entry, ransomware spurred a new cybercrime boom.
Easy money attracted new, less sophisticated attackers. These new groups professionalized with a focus on scale over tradecraft, and scale brought specialization. Now we know that some operations eerily mirrored the corporate structures of their victims and that, like any other scrappy enterprise, they kept an eye out for new opportunities. In what is known as the Ransomware 2.0 evolution, many groups found success with so-called double extortion, threatening public release of stolen data on top of locking systems. This squeezed more dollars from victims and brought many new ransom payers, who would not have capitulated for mere decryption, back to the table.
The Future of Ransomware
We are still coming to understand the real-world impact of government sanctions and payment bans, as well as shifts related to rising cyber resilience from victims and the war in Ukraine. While we hope to frustrate attackers with a greater resistance to ransom demands, those benefits might be limited to well-resourced companies with access to strong outside technical and legal support. Meanwhile, sanctioned threat groups are professional criminals and will pivot to protect their profits.
We will certainly see groups refine the ransomware playbook. We may see groups develop more sophisticated tradecraft to hamper attribution, dampening the impact of sanction lists. We already see them experiment with victim handling, including "carrots" like lower costs, safer decryption, and more support; and "sticks," like ruthless victim targeting, more severe disruption, and more personalized intimidation tactics.
We are in the early stages of the Ransomware 3.0 evolution, but we expect to see more pivots in the monetization model itself. Attackers are likely to revisit models from before the ransomware boom; they are already circling back to reselling stolen data instead of (and in addition to) extortion. They may offload dormant backdoors post-incident to resellers and jump on direct theft opportunities. We know they are already experimenting with several different cryptocurrency schemes including using victims' systems as mining farms and denial of service-enabled pump and dumps, and they are actively looking for more novel crypto-ransomware synergies.
Building Better Defenses
Boards and senior leaders now recognize high-profile, disruptive ransomware attacks as an operational and strategic risk. Just as attackers respond to new pressure, pressure from business-to-business diligence, cyber-insurance carriers, and savvy leadership is causing many organizations to reprioritize their efforts.
Tactically, it's time to pull off the Band-Aid for high-friction projects like multifactor authentication, privileged access management, and closing external interfaces like RDP. Despite overwhelming evidence that these initiatives hamper ransomware attacks, organizations often resist their uncomfortable learning curve. But that discomfort is temporary and the risk of delay is very real. Championing that culture shift is the most impactful cyber-resilience lever for senior leaders today.
Strategically, organizations need to embrace resilience as a moving target. Most firms do not need cutting-edge capabilities, but do need continuous and thoughtful improvement. Set-and-forget cybersecurity quickly grows stale and ill-equipped to address dynamic threat groups which also increases risk. Leaders should lean on third parties with a bird's eye view on the breach landscape to build effective road maps. Pay notice when insurance underwriters, vendors, government agencies, and cyber practitioners all agree on critical controls and capabilities.
More broadly, attackers thrive on our instinct to keep the lessons and scars of breaches hidden. Shifting to a more open forum not just to share threat intelligence, but to share the true impact of breaches, why defenses failed, and how we responded, can be a resilience force-multiplier across all industries. The ransomware model starves without scale; making effective resilience more accessible shuts the door on would-be targets and disrupts attackers more than anything else can.