It’s difficult to fix a problem when you can’t measure it. That maxim has dominated most conversations around ransomware over the past decade.
Law enforcement, businesses and other stakeholders know on a general level that the cadence and volume of successful attacks are vast and have gotten considerably worse in the past five years, but due to a lack of standardization and reporting from victims, they've historically struggled to understand the number of victims hit each year, which industries, and whether those numbers are getting better or worse as policymakers implement a coterie of responses in the U.S. and abroad.
“The short answer is we don’t know,” Allan Liska, a ransomware analyst with Recorded Future, said at a May 5 event hosted by the Institute for Security and Technology. “We think that ransomware attacks have seen a resurgence in 2023 after dipping a little bit in 2022. … But if then if you look at extortion sites and if you look at publicly reported attacks in the first quarter of 2023, those appear to be up compared to what we saw this time last year.”
The first wave of substantive reporting numbers is expected to come in as critical infrastructure entities start complying with new mandatory reporting requirements for cyber incidents and ransomware payments are finalized over the next year.
In the meantime, security experts, legislators, insurers and law enforcement are working with the information they do have. As digital extortion has increasingly become the center of gravity in policy discussions around cybersecurity, trackers in government and the private sector have also gotten better — and more creative — in collecting or generating their own data around the ransomware ecosystem and its targets.
Private researchers are collecting their own data — where they can
Long before ransomware became high-profile enough to warrant mention by the president of the United States, a handful of private security researchers and companies recognized the gaps in visibility around victims and attacks and have looked for their ways scope out the impact in ways that — while perhaps not definitive — could provide a certain level of confidence when tracking trends in different sectors and industries.
Large enterprises that provide incident response services for organizations hit by a cyber attack often have a wealth of unique or non-public data around ransomware that they can use to analyze and extrapolate trends. One of those organizations, Mandiant, was able to draw on those experiences to determine that successful ransomware attacks overall appeared to suffer a noticeable downward dip last year before rising back.
“Essentially what we’re looking at is a sample set of around 1,000 [incidents response engagements] a year, relative to a larger population [of ransomware incidents] that we don’t know the number of, but is rather large,” Sandra Joyce, vice president and head of Mandiant Intelligence at Google Cloud, told SC Media last month. “But with 1,000, you can be certain that there is a non-trivial correlation between what a sample of that size would be representative of the whole population.”
Mandiant’s findings generally track with other sources who have also reported a similar lull in ransomware activity last year, but the reasons for why are not clear. Most experts say there are likely a range of contributing factors, including increased targeting and disruption of ransomware groups by law enforcement agencies, a jump in organizations being unwilling to pay the ransom, a shift in focus from Russia-based ransomware groups since the start of the Ukraine invasion and a number of groups attempting to lay low in the wake of the 2021 Colonial Pipeline, JBS and Kaseya incidents.
But there remain real limitations to the conclusions Mandiant and others can reach with the data at hand, and those figures still leave out numerous attempted ransomware attacks that aren’t successful.
“What doesn’t get reported as a ransomware statistic are all those intrusions that happen where the threat actor doesn’t actually have the ability to steal data or deploy a decryptor,” said Charles Carmakal, Mandiant’s chief technology officer. “There were countless times where we’re called in, a company notices their network was compromised, and we’re able to quickly help them contain the incident and eradicate the threat actor, so those stats don’t get pulled into the ransomware statistics [you see].”
Other companies have found their own ways to track different sectors or tap disparate sources of information to get a clearer picture of incidents.
Brett Callow, an analyst at Emsisoft, collects his own data around nationwide ransomware attacks on school systems and the education sector, often through a mix of open-source reporting and individual research. According to numbers he’s crunched, at least 266 different school districts and more than 3.3 million students attended schools that have been affected by ransomware attacks since 2019, either through data theft or disruption of school activities. That includes 24 districts and 508 schools this year.
Liska said Recorded Future employs a pair of interns who spend around 15 hours every week sifting through local newspapers and news stations attempting to find fresh reports of cyberattacks hitting businesses or governments, then doing further research to determine if they are ransomware-related.
He also looks at the churn around new groups and leak sites that pop up on the dark web. Those figures indicate the problem may be getting much worse, or at least more complex: in 2021, he collected data from about 40 different leak sites. Two years later that number has ballooned to more than 150.
“I think that kind of fracturing of the ransomware market has made it harder for us to track and identify what the growing strains are, even who hit [who],” said Liska.
More aggressive law enforcement tactics are yielding hard insights
Over the past few years, the Department of Justice and FBI have undertaken a series of disruptive actions to shut down or seize the infrastructure of hacking groups and turn their own tools against them. Nowhere was this more apparent that the takedown of the Hive ransomware group’s website and infrastructure, where FBI officials said they were able to quietly steal encryption keys from the group for months and pass them onto victims.
But according to David Ring, section chief of the FBI’s Washington, D.C., cyber division, it also helped confirm internal numbers around ransomware reporting in the private sector. The bureau uses a variety of sources to track the issue, from criminal investigations, voluntary reporting from victims and data from the Internet Crime Complaint Center.
A general assessment based on different datasets concluded the FBI was probably being notified of 20% — or 1 out of every 5 — ransomware incidents. The extensive access the bureau attained from compromising Hive’s infrastructure gave them unique insights into their victim set, and using that officials were able to validate that figure.
“The Hive ransomware [takedown] … confirmed that, so when we were able to get more insight into one particular ransomware variant, about 20% of what we saw in Hive ransomware attacks were being reported to us from victims,” said Ring.
The FBI made a (failed) attempt to be included as the primary reporting entity in incident reporting regulations alongside the Cybersecurity and Infrastructure Security Agency, but CISA Director Jen Easterly has pledged to share those reporting with the bureau.
But the successes from the Hive takedown convinced officials that higher rates of reporting from the private sector will yield further insights and create more opportunities for high-impact operations in the future. Part of that process is assuaging nerves around inviting the FBI or other policing organizations to poke and prod in their business, and lawmakers are looking for different ways to encourage victims to increase reporting rates and make it clear the purpose of such engagements would be restricted to cybersecurity.
“We want to encourage people to go to the bureau because oftentimes what the bureau learns from one attack, they can share with other field offices and … build an ability to get keys back if you know the style and methods of those attacks,” said Rep. Eric Swalwell, D-Calif, ranking member on the House Homeland’s cyber subcommittee, on May 5. “That’s a priority for us, to try to bump up that number and make sure people know that they’re not coming in to see if your books are clean, that’s not going to be a part of [the process.”
Cryptocurrency tracers are demystifying the blockchain
Ransomware groups traditionally demand payment in the form of cryptocurrency because of its perceived anonymity, but that has started to change over the past few years.
A report from Chainalysis in January found that total funds sent to known ransomware addresses globally fell from $765.5 million in 2021 to $456.8 million in 2022, while victim payments rates have nearly halved since 2019, from 76% to 41%.
The findings suggest many organizations may be heeding the advice of the FBI and other government agencies who urge victims of ransomware not to pay, as it will simply fund and feed the next round of attacks. It’s also possible that some companies are warier of reporting attacks as a number of ransomware groups tied to nation-states have been placed on sanctions lists.
The work of Chainalysis — which has contracts with the FBI, Treasury Department and other agencies to trace ransom payments and other form of digital crime — and other tracing companies have become critical tools that shed light on the ways the cryptocurrency space is being exploited by hackers and criminals. Their findings also help policymakers better understand how to better regulate a sector that in recent years has increasingly become synonymous with wrongdoing.
“There are a lot of people who really associate cryptocurrency — at least in the state of Michigan — exclusively with crime and criminality and as a way to pay bad guys,” said Rep. Elissa Slotkin, D-Mich.. “They don’t understand the underlying blockchain technology that might be super interesting. Right now, they associate it with the bad stuff.”
