The Driving Factors Behind Today’s Ransomware Landscape

Recently, our team at Abnormal published new research on ransomware threat actors and their victims, with deep insight into how ransomware has grown over the last two years. As part of that research, we dove into why ransomware has changed and how each variable influences the overall threat of ransomware in distinctly different ways.

When taken together, these three factors—ransomware-as-a-service, extortion, and cryptocurrency—provide insights into why this threat continues to grow, and why we’re seeing larger ransom payouts than ever before. In fact, when CNA Financial paid $40 million in 2021, that accounted for more than the entire cost of ransomware the year prior. So why is ransomware becoming such a large threat?

The “as-a-service” model has been a fixture in the cybercrime landscape for more than a decade. This business model has been successful because, like legitimate software-as-a-service companies, cybercrime groups are able to develop a “product” and license it to others in exchange for either a fixed price or a cut of an affiliate’s proceeds.

This model is attractive to cybercriminals for two reasons:

1. It allows them to focus on monetizing their product without worrying about the additional overhead required to launch a cyber attack.

2. It puts them an arms-length away from an actual attack, letting affiliates assume a majority of the risk with law enforcement.

The primary reason RaaS drives the ransomware landscape is that it allows less technically sophisticated actors to enter the space—cybercriminals don’t have to develop malware on their own in order to conduct ransomware attacks, which significantly increases the population of actors able to carry out an attack.

However, this model does create a very centralized hierarchy. Affiliates rely on the main ransomware developers for access to the resources needed to facilitate their attacks. If a primary ransomware group is disrupted by law enforcement infrastructure takedown, it can have a noticeable impact on the entire ransomware ecosystem, at least in the short term.

This is different from other cyber threats like business email compromise, which has a much more decentralized hierarchy and where the arrest of one group does not impact the rest of the ecosystem.

Until a few years ago, the most common guidance to prepare for a potential ransomware attack was to ensure that an organization had regular, secure, and offline backups of all critical data. In case of a successful attack, any encrypted data could just be restored using those backups, which mitigated the data loss impact of the attack.

This all changed in 2019 when ransomware groups like Maze added secondary extortion tactics to their playbook. Instead of just encrypting the files of an impacted organization, most ransomware groups today also download those files and threaten to publicly release them if the ransom isn’t paid.

For organizations that refuse to pay a ransom, ransomware groups have launched blogs on the dark web where files can be downloaded by anyone visiting the site. This tactic changes the calculus of how an organization may decide to respond to a ransomware attack, adding an additional incentive to the equation. Now, instead of only weighing the cost of backup restoration and remediation, an organization must also factor in the cost of potentially sensitive information being leaked publicly. In some cases, this may persuade a victim company to pay a ransom they wouldn’t have previously paid.

The third and largest driver of ransomware today is cryptocurrency. In the early days of ransomware, ransoms were requested using obscure payment methods, such as MoneyPak, Ukash, or PaysafeCard. Not only did these methods require a victim to purchase a physical payment card, but it also put an artificial ceiling on ransom amounts since a victim could only purchase a limited number of cards at a time. Because of the practical challenges of these payment methods, the average amount paid in ransomware attacks a decade ago hovered around $100.

While bitcoin was created in 2008, it wasn’t until 2013 that threat actors started using cryptocurrency as the exclusive method for the ransom payment. Cryptocurrency affords a number of advantages over previous payment methods used in ransomware attacks, including:

1. The relative anonymity of cryptocurrency payments (particularly on the receiving end) and the availability of tumbling services help cybercriminals protect their identities.

2. The ability to send payments via cryptocurrency is relatively frictionless and quick, unlike other payment methods like wire transfers.

3. Most importantly, the total amount that can be easily sent using cryptocurrency is substantially higher than other payment methods.

These factors, combined with the explosion of cryptocurrency prices over the past few years, have resulted in substantially higher ransom payments—and bigger profits for the cybercriminals. As a result, the average payment amount in ransomware attacks has skyrocketed from hundreds of dollars just five years ago to tens of thousands of dollars today, with some payments reaching millions of dollars.

There is little denying that cybercriminals are becoming more intelligent, using each of these tactics to target more organizations and demand more money. When combined, it becomes obvious why ransomware has continued to grow at an accelerating rate, and why we expect the payments made to threat actors in 2021 to far exceed those made over the previous few years.

We dive more into this more in our recent report, titled The Evolution of Ransomware: Victims, Threat Actors, and What to Expect in 2022, which gives deeper insight into the victims of these attacks by industry, company size, and location. And for those interested in learning more about the threat actors behind ransomware, we provide an overview of their activities, including reasons why we’ve seen a 600% increase in the number of active groups since January 2020.