
Ransomware Flashcard 2022: The Vicious Cycle


In February 2022, CISA, alongside security agencies from the United States, the United Kingdom, and Australia, released a report titled 2021 Trends Show Increased Globalized Threat of Ransomware. Our Ransomware Flashcard 2022 gives you some stats on the trends that inform this expectation, plus observations from our own system.

The Vicious Cycle

According to data from CyberEdge, ransom payers have been increasingly recovering their data (up from 19.4% in 2018 to 71.6% in 2021). This in turn has led businesses to be more willing to pay for the recovery of data (up from 38.7% in 2018 to 57% in 2021). As a consequence, threat actors are more incentivized to launch ransomware attacks and can invest more into their ransomware efforts, leading to increased attacks (up from 55.1% in 2018 to 68.5% in 2021).

More victims of ransomware are recovering their data after paying a ransom, which incentivizes paying the ransom and in turn creates a profit motive for more and better ransomware attacks.

Security agencies have long advocated for businesses to refuse to pay ransoms. Unfortunately, it would appear that organizations haven’t taken—or haven’t been able to take—such a stance. As a result, a market has been established and threat actors encouraged. The losses from such ransomware attacks have been so severe that cyber insurers have had to cut the amounts they cover and in some cases have stopped offering policies that cover ransomware. Increasingly, the best course of action for businesses isn’t to mitigate the cost of ransomware through insurance, but rather to break the cycle by not getting hit in the first place.

Small and Medium-sized Business (SMB) Perceptions

Managed Security Providers (MSPs) are often on the front lines when it comes to dealing with ransomware. As such, it isn’t too surprising that MSPs are overwhelmingly (84%) ‘very concerned about ransomware’. SMBs, however, have a very different outlook, with only 30% claiming to be very concerned.

As we mentioned in our cybersecurity prognosis for 2022, large enterprises will continue to be the victims of sophisticated attacks. However, new, less skilled threat actors will enter the market due to the democratization of ransomware through initial access markets, malware-as-a-service, and ransomware chains. These groups will have SMBs squarely in their sights.

Ransomware Precursor Malware

Ransomware doesn’t appear out of the blue. Precursor malware is used by threat actors to spread laterally and escalate access before a ransomware package is deployed. Some of these malware strains have evolved from their original purpose as banking trojans, others are being created explicitly to deliver ransomware. All need to be taken seriously.

After initial access, threat actors deploy precursor malware to move laterally and escalate privileges before deploying a ransomware payload.

Threat actors are constantly creating new domains—sometimes using algorithms—for the remote command and control of these types of malware in order to avoid detection. In 2021, Lumu collected 21 820 764 new confirmed IoCs that were related to ransomware precursor malware.

The precursor malware whose contacts were most often detected by Lumu was Emotet, which isn’t surprising since it’s one of the world’s biggest and most resilient botnets. Emotet was originally a banking trojan, but has recently adapted to form a ransomware chain with Trickbot that can result in the deployment of Ryuk ransomware.

The top 3 most active precursor malware for each month of 2021 by number of contacts.

Conclusion

National security organizations agree that the threat posed by ransomware will only increase in 2022. Unfortunately, the ransomware landscape is due to evolve even more given the precarious geopolitical situation the world finds itself in. We encourage all organizations as well as the public at large to bear in mind that any business can be a target. Cybersecurity operators will still have to efficiently stop incoming attacks, while also being prepared to swiftly detect, mitigate, and remediate the compromises of all types that are getting through.

View the full Ransomware Flashcard 2022 for more insights and statistics into the state of ransomware.
