The Driving Factors Behind Today’s Ransomware Landscape

February 4, 2022

Recently, our team at Abnormal published new research on ransomware threat actors and their victims, with deep insight into how ransomware has grown over the last two years. As part of that research, we dove into why ransomware has changed and how each variable influences the overall threat of ransomware in distinctly different ways.

When taken together, these three factors—ransomware-as-a-service, extortion, and cryptocurrency—provide insights into why this threat continues to grow, and why we’re seeing larger ransom payouts than ever before. In fact, when CNA Financial paid $40 million in 2021, that accounted for more than the entire cost of ransomware the year prior. So why is ransomware becoming such a large threat?

The Use of Ransomware-as-a-Service (RaaS)

The “as-a-service” model has been a fixture in the cybercrime landscape for more than a decade. This business model has been successful because, like legitimate software-as-a-service companies, cybercrime groups are able to develop a “product” and license it to others in exchange for either a fixed price or a cut of an affiliate’s proceeds.

This model is attractive to cybercriminals for two reasons:

  1. It allows them to focus on monetizing their product without worrying about the additional overhead required to launch a cyber attack.

  2. It puts them an arms-length away from an actual attack, letting affiliates assume a majority of the risk with law enforcement.

The primary reason RaaS drives the ransomware landscape is that it allows less technically sophisticated actors to enter the space—cybercriminals don’t have to develop malware on their own in order to conduct ransomware attacks, which significantly increases the population of actors able to carry out an attack.

Ransomware as a service affiliate program advertisement on LockBit

Affiliate program advertisement on the LockBit blog.

However, this model does create a very centralized hierarchy. Affiliates rely on the main ransomware developers for access to the resources needed to facilitate their attacks. If a primary ransomware group is disrupted by law enforcement infrastructure takedown, it can have a noticeable impact on the entire ransomware ecosystem, at least in the short term.

This is different from other cyber threats like business email compromise, which has a much more decentralized hierarchy and where the arrest of one group does not impact the rest of the ecosystem.

The Added Risk of Extortion

Until a few years ago, the most common guidance to prepare for a potential ransomware attack was to ensure that an organization had regular, secure, and offline backups of all critical data. In case of a successful attack, any encrypted data could just be restored using those backups, which mitigated the data loss impact of the attack.

This all changed in 2019 when ransomware groups like Maze added secondary extortion tactics to their playbook. Instead of just encrypting the files of an impacted organization, most ransomware groups today also download those files and threaten to publicly release them if the ransom isn’t paid.

An example of a Ransomware extortion note

Maze ransomware extortion note.

For organizations that refuse to pay a ransom, ransomware groups have launched blogs on the dark web where files can be downloaded by anyone visiting the site. This tactic changes the calculus of how an organization may decide to respond to a ransomware attack, adding an additional incentive to the equation. Now, instead of only weighing the cost of backup restoration and remediation, an organization must also factor in the cost of potentially sensitive information being leaked publicly. In some cases, this may persuade a victim company to pay a ransom they wouldn’t have previously paid.

An Increase in Cryptocurrency Usage

The third and largest driver of ransomware today is cryptocurrency. In the early days of ransomware, ransoms were requested using obscure payment methods, such as MoneyPak, Ukash, or PaysafeCard. Not only did these methods require a victim to purchase a physical payment card, but it also put an artificial ceiling on ransom amounts since a victim could only purchase a limited number of cards at a time. Because of the practical challenges of these payment methods, the average amount paid in ransomware attacks a decade ago hovered around $100.

A fake FBI ransomware page soliciting cryptocurrency

Reveton ransom message, circa 2012.

While bitcoin was created in 2008, it wasn’t until 2013 that threat actors started using cryptocurrency as the exclusive method for the ransom payment. Cryptocurrency affords a number of advantages over previous payment methods used in ransomware attacks, including:

  1. The relative anonymity of cryptocurrency payments (particularly on the receiving end) and the availability of tumbling services help cybercriminals protect their identities.

  2. The ability to send payments via cryptocurrency is relatively frictionless and quick, unlike other payment methods like wire transfers.

  3. Most importantly, the total amount that can be easily sent using cryptocurrency is substantially higher than other payment methods.

These factors, combined with the explosion of cryptocurrency prices over the past few years, have resulted in substantially higher ransom payments—and bigger profits for the cybercriminals. As a result, the average payment amount in ransomware attacks has skyrocketed from hundreds of dollars just five years ago to tens of thousands of dollars today, with some payments reaching millions of dollars.

How These Factors Impact Ransomware Trends

There is little denying that cybercriminals are becoming more intelligent, using each of these tactics to target more organizations and demand more money. When combined, it becomes obvious why ransomware has continued to grow at an accelerating rate, and why we expect the payments made to threat actors in 2021 to far exceed those made over the previous few years.

We dive more into this more in our recent report, titled The Evolution of Ransomware: Victims, Threat Actors, and What to Expect in 2022, which gives deeper insight into the victims of these attacks by industry, company size, and location. And for those interested in learning more about the threat actors behind ransomware, we provide an overview of their activities, including reasons why we’ve seen a 600% increase in the number of active groups since January 2020.

To learn more about how Abnormal can protect you from ransomware, request a demo today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More
B 05 17 22 Impersonation Attack
See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
Read More
B 05 14 22 Best Workplace
We are over the moon to announce Abnormal has been named one of Inc. Magazine's Best Workplaces of 2022! Learn more about our commitment to our workforce.
Read More
B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More