Rising ransomware activity has dominated cyber conversations for the better part of the past decade. Global retail giants and thousands of educational institutions and healthcare providers have been among those to fall victim to rampant ransomware attacks. However, this past year, there has been a surprising number of reports that ransomware attacks are declining. Our recent research at Delinea found that only 25% of the 300 IT and security decision-makers surveyed said they were victims of ransomware in 2022, a significant decrease compared to previous years. Similarly, the recent "SonicWall Cyber Threat Report" showed a 21% decline in ransomware attack volume worldwide last year.
Could this be the light at the end of the tunnel we've all been longing for? While it may be too early to say for certain, there are a few key reasons why ransomware may be on the decline.
Why Is Ransomware Decreasing?
The most obvious reason is that organizations have learned from their own past mistakes and from previous ransomware victims and, as a result, have implemented stronger security tooling and controls to successfully deter or block ransomware attacks. This includes robust threat detection and response, identity and access management, and cloud security mechanisms.
It has also been reported that ransomware attacks may no longer be as fruitful financially as they once were. Research from Chainalysis found that ransomware payments declined substantially in 2022, as more victims refused to pay their attackers. Ransomware attackers extorted approximately $456.8 million from victims in 2022, down nearly 40% from the $765.6 million they had extracted from victims the year before.
The dismantling of the prominent ransomware-as-a-service cartel Conti could also account for the decline. Conti was responsible for many ransomware attacks in recent years, but disbanded in May 2022. However, since then, numerous splinter groups and other gangs have emerged, and therefore, Conti's disbandment likely had little impact on the decline. Government agencies around the world have also implemented various initiatives to control the mounting ransomware attacks, which may have caused a reduction in activity. In the US, the White House has created a multiagency ransomware task force and launched the Ransom Disclosure Act in support of reform.
Unfortunately, it's also possible that ransomware is not decreasing but that the number of companies reporting attacks is. While public companies and organizations that are subject to regulations are required to disclose cyber incidents that jeopardize consumers' personal and other sensitive information, not all organizations are subject to such compliance regulations. As a result, they may opt to quietly pay a ransom and conceal the incident. Some ransomware gangs have also adapted and moved to target countries with less protection against ransomware, such as those in Central and South America, both of which experienced some major ransomware incidents in 2022.
The Danger of the Decline
Whatever the reasons for the decline, it does not mean organizations are safe. It is critical that organizations do not use the decline as a reason to become complacent and cut back on security controls. Ransomware is, and will always be, a significant risk and concern.
Unfortunately, our report did show that companies are stagnating in their ransomware security controls: fewer organizations are implementing incident response plans and even fewer have budgets allocated specifically to ransomware. This could lead to an increase in attacks, because taking the focus away from protecting against risks ultimately amplifies those risks. Despite the decline, organizations must not lose focus and must take the proper steps to protect themselves from ransomware. Otherwise, we may see an increase in ransomware attacks in 2023, as ransomware gangs are using this period to improve and enhance their variants.
Protecting Against Ransomware
One of the most important steps for organizations to take to protect themselves from ransomware is having an incident response plan in place. The plan should outline the steps to be taken in the event of a ransomware attack, including who to contact and what actions to take to prevent further damage. Organizations should also be performing frequent backups, and they should invest in cyber insurance policies that cover ransomware recovery and payments.
It is equally important, though, that organizations take a more proactive approach to cybersecurity and invest in the right technologies to prevent ransomware attacks, particularly identity and access controls. Following the principle of least privilege should not be an optional security strategy. When users are given only the privileges they need, when they need them, attackers are forced to take greater risks, which increases the chance that they are detected before they cause more damage. With limited privileges, even if ransomware does gain access to an organization, the damage can quickly be contained.
Unfortunately, we cannot predict the future. But we can hope we continue to see a decline in ransomware as time goes on. This is only possible, however, if organizations remain vigilant and do not take the decline in ransomware as a reason to cut back on their cybersecurity strategies.