The Driving Factors Behind Today’s Ransomware Landscape

As part of our research, we dove into why ransomware has changed and how each variable influences the overall threat of ransomware in distinctly different ways.
February 4, 2022

Recently, our team at Abnormal published new research on ransomware threat actors and their victims, with deep insight into how ransomware has grown over the last two years. As part of that research, we dove into why ransomware has changed and how each variable influences the overall threat of ransomware in distinctly different ways.

When taken together, these three factors—ransomware-as-a-service, extortion, and cryptocurrency—provide insights into why this threat continues to grow, and why we’re seeing larger ransom payouts than ever before. In fact, when CNA Financial paid $40 million in 2021, that accounted for more than the entire cost of ransomware the year prior. So why is ransomware becoming such a large threat?

The Use of Ransomware-as-a-Service (RaaS)

The “as-a-service” model has been a fixture in the cybercrime landscape for more than a decade. This business model has been successful because, like legitimate software-as-a-service companies, cybercrime groups are able to develop a “product” and license it to others in exchange for either a fixed price or a cut of an affiliate’s proceeds.

This model is attractive to cybercriminals for two reasons:

  1. It allows them to focus on monetizing their product without worrying about the additional overhead required to launch a cyber attack.

  2. It keeps them at arm's length from an actual attack, letting affiliates assume a majority of the risk with law enforcement.

The primary reason RaaS drives the ransomware landscape is that it allows less technically sophisticated actors to enter the space—cybercriminals don’t have to develop malware on their own in order to conduct ransomware attacks, which significantly increases the population of actors able to carry out an attack.

Affiliate program advertisement on the LockBit blog.

However, this model does create a very centralized hierarchy. Affiliates rely on the main ransomware developers for access to the resources needed to facilitate their attacks. If a primary ransomware group is disrupted by a law enforcement infrastructure takedown, it can have a noticeable impact on the entire ransomware ecosystem, at least in the short term.

This is different from other cyber threats like business email compromise, which has a much more decentralized hierarchy and where the arrest of one group does not impact the rest of the ecosystem.

The Added Risk of Extortion

Until a few years ago, the most common guidance to prepare for a potential ransomware attack was to ensure that an organization had regular, secure, and offline backups of all critical data. In case of a successful attack, any encrypted data could just be restored using those backups, which mitigated the data loss impact of the attack.

This all changed in 2019 when ransomware groups like Maze added secondary extortion tactics to their playbook. Instead of just encrypting the files of an impacted organization, most ransomware groups today also download those files and threaten to publicly release them if the ransom isn’t paid.

Maze ransomware extortion note.

For organizations that refuse to pay a ransom, ransomware groups have launched blogs on the dark web where files can be downloaded by anyone visiting the site. This tactic changes the calculus of how an organization may decide to respond to a ransomware attack, adding an additional incentive to the equation. Now, instead of only weighing the cost of backup restoration and remediation, an organization must also factor in the cost of potentially sensitive information being leaked publicly. In some cases, this may persuade a victim company to pay a ransom they wouldn’t have previously paid.

An Increase in Cryptocurrency Usage

The third and largest driver of ransomware today is cryptocurrency. In the early days of ransomware, ransoms were requested using obscure payment methods, such as MoneyPak, Ukash, or PaysafeCard. Not only did these methods require a victim to purchase a physical payment card, but they also put an artificial ceiling on ransom amounts since a victim could only purchase a limited number of cards at a time. Because of the practical challenges of these payment methods, the average amount paid in ransomware attacks a decade ago hovered around $100.

Reveton ransom message, circa 2012.

While bitcoin was created in 2008, it wasn’t until 2013 that threat actors started using cryptocurrency as the exclusive method for the ransom payment. Cryptocurrency affords a number of advantages over previous payment methods used in ransomware attacks, including:

  1. The relative anonymity of cryptocurrency payments (particularly on the receiving end) and the availability of tumbling services help cybercriminals protect their identities.

  2. The ability to send payments via cryptocurrency is relatively frictionless and quick, unlike other payment methods like wire transfers.

  3. Most importantly, the total amount that can be easily sent using cryptocurrency is substantially higher than other payment methods.

These factors, combined with the explosion of cryptocurrency prices over the past few years, have resulted in substantially higher ransom payments—and bigger profits for the cybercriminals. As a result, the average payment amount in ransomware attacks has skyrocketed from hundreds of dollars just five years ago to tens of thousands of dollars today, with some payments reaching millions of dollars.

How These Factors Impact Ransomware Trends

There is little denying that cybercriminals are becoming more intelligent, using each of these tactics to target more organizations and demand more money. When these factors are combined, it becomes obvious why ransomware has continued to grow at an accelerating rate, and why we expect the payments made to threat actors in 2021 to far exceed those made over the previous few years.

We dive into this more in our recent report, titled The Evolution of Ransomware: Victims, Threat Actors, and What to Expect in 2022, which gives deeper insight into the victims of these attacks by industry, company size, and location. And for those interested in learning more about the threat actors behind ransomware, we provide an overview of their activities, including reasons why we’ve seen a 600% increase in the number of active groups since January 2020.
