Ransomware Flashcard 2022: The Vicious Cycle

Trends from 2021 indicate that 2022 will see an increased threat of ransomware on a global level. Here are some insights and background information to accompany the facts and figures provided by our Ransomware Flashcard 2022.

In February 2022, CISA, alongside security agencies from the United States, the United Kingdom, and Australia, released a report titled 2021 Trends Show Increased Globalized Threat of Ransomware. Our Ransomware Flashcard 2022 gives you some stats on the trends that inform this expectation, plus observations from our own system.

The Vicious Cycle

According to data from CyberEdge, ransom payers have been increasingly recovering their data (up from 19.4% in 2018 to 71.6% in 2021). This in turn has led businesses to be more willing to pay for the recovery of data (up from 38.7% in 2018 to 57% in 2021). As a consequence, threat actors are more incentivized to launch ransomware attacks and can invest more into their ransomware efforts, leading to increased attacks (up from 55.1% in 2018 to 68.5% in 2021).

More victims of ransomware are recovering their data after paying a ransom, which incentivizes paying the ransom and in turn creates a profit motive for more and better ransomware attacks.

Security agencies have long advocated for businesses to refuse to pay ransoms. Unfortunately, it would appear that organizations haven’t taken (or haven’t been able to take) such a stance. As a result, a market has been established and threat actors encouraged. The losses from such ransomware attacks have been so severe that cyber insurers have had to cut the amounts they cover and in some cases have stopped offering policies that cover ransomware. Increasingly, the best course of action for businesses isn’t to mitigate the cost of ransomware through insurance, but rather to break the cycle by not getting hit in the first place.

Small and Medium-sized Business (SMB) Perceptions

Managed Security Providers (MSPs) are often on the front lines when it comes to dealing with ransomware. As such, it isn’t too surprising that MSPs are overwhelmingly (84%) ‘very concerned about ransomware’. SMBs, however, have a very different outlook, with only 30% claiming to be very concerned.

As we mentioned in our cybersecurity prognosis for 2022, large enterprises will continue to be the victims of sophisticated attacks. However, new, less skilled threat actors will enter the market due to the democratization of ransomware through initial access markets, malware-as-a-service, and ransomware chains. These groups will have SMBs squarely in their sights.

Ransomware Precursor Malware

Ransomware doesn’t appear out of the blue. Precursor malware is used by threat actors to spread laterally and escalate access before a ransomware package is deployed. Some of these malware strains have evolved from their original purpose as banking trojans, others are being created explicitly to deliver ransomware. All need to be taken seriously.

After initial access, threat actors deploy precursor malware to move laterally and escalate privileges before deploying a ransomware payload.

Threat actors are constantly creating new domains, sometimes using algorithms, for the remote command and control of these types of malware in order to avoid detection. In 2021, Lumu collected 21 820 764 new confirmed IoCs that were related to ransomware precursor malware.

The precursor malware whose contacts were most often detected by Lumu was Emotet, which isn’t surprising since it’s one of the world’s biggest and most resilient botnets. Emotet was originally a banking trojan, but has recently adapted to form a ransomware chain with Trickbot that can result in the deployment of Ryuk ransomware.

The top 3 most active precursor malware for each month of 2021 by number of contacts.

Conclusion

National security organizations agree that the threat posed by ransomware will only increase in 2022. Unfortunately, the ransomware landscape is due to evolve even more given the precarious geopolitical situation the world finds itself in. We encourage all organizations as well as the public at large to bear in mind that any business can be a target. Cybersecurity operators will still have to efficiently stop incoming attacks, while also being prepared to swiftly detect, mitigate, and remediate the compromises of all types that are getting through.

View the full Ransomware Flashcard 2022 for more insights and statistics into the state of ransomware.
