
Freshfields TQ


Ransom Payments and Other Cybercrime Challenges: How the Threat Landscape is Evolving

As the threat landscape evolves, organizations worldwide face increasing challenges related to ransomware attacks (see our previous blog post on ransom payments). Recently, the German Federal Criminal Police Office (BKA) published new data on cybercrime trends in its 2023 Federal Status Report. That is reason enough to take a look at how things have evolved in this fast-moving environment.

2022’s ransom payment decline reversed by 2023’s record highs

In 2022, ransom payments saw a surprising drop from $983 million in 2021 to $567 million – a 42% decline. This was largely due to Russia’s invasion of Ukraine, which shifted cybercriminals’ focus to politically motivated attacks. Additionally, concerns about breaching sanctions made victims less willing to pay.

However, this trend reversed in 2023. Ransom payments nearly doubled to $1.1 billion, accompanied by a surge of 538 new ransomware variants, indicating the rise of new cybercriminal organizations. The average ransom payment also soared by 125%, reaching $621,858 per case.

New trends: Big Game Hunting, zero-day attacks, data extortion and RaaS

In recent years, new cybercrime trends have gained popularity, most notably:

  • “Big Game Hunting”, where cybercriminals deliberately target large, financially robust companies, or companies holding particularly sensitive data (for example, companies in the health care sector), in order to demand larger ransoms, often over $1 million. Hackers expect larger companies, and companies that handle sensitive information in the regular course of business, to be more willing to pay a ransom in order to resume their business activities or avoid public attention.
  • Zero-day attacks, i.e., the exploitation of previously unknown security gaps in computer software or hardware, such as CL0P’s exploitation of the file transfer software MOVEit, which is used by many cloud applications. This allowed CL0P to directly access extensive data from various large companies, resulting in ransoms exceeding $100 million.
  • Data extortion or data exfiltration, which describes the method of stealing data and threatening to expose it, instead of encrypting the data and handing over the decryption key after payment. This method – used, e.g., by CL0P in its MOVEit campaign – saw a 39% surge in Germany in 2023, as skipping encryption reduces the risk of detection. It reflects efforts by hackers to find other pain points in response to companies’ attempts to build resilience against encryption attacks through robust backups. In connection with this, hackers are showing awareness of, and leveraging, global regulatory developments: for example, the BlackCat ransomware syndicate reported a victim that refused to pay to the U.S. Securities and Exchange Commission (SEC), which has been aggressively enforcing new cybersecurity requirements.
  • Ransomware as a Service (RaaS), where criminals gain access to a company’s data and let third parties – the affiliates – carry out the attacks, sharing the ransom. The method benefits both parties: it allows less technically skilled hackers to carry out attacks, while at the same time enabling malware operators to attack a larger number of companies.

Law enforcement on the rise: important victories by agencies around the world

As malware methods develop, so do cyber defense and law enforcement agencies, which have achieved major successes:

  • In early 2023, the DoJ announced that the FBI had successfully infiltrated Hive’s networks in 2022, preventing $130 million in ransom payments. The FBI was able to take control of decryption keys and – in collaboration with German and Dutch law enforcement – even servers, weakening Hive’s communication.
  • Active since 2021, the RaaS provider ALPHV (aka BlackCat or Noberus) targeted more than 1,000 victims, including networks supporting US critical infrastructure. In 2023, the FBI seized its website and released a decryption tool, saving victims from paying up to $68 million in ransom. In response, ALPHV threatened to target critical infrastructure and hospitals (in line with its recent attack on the Hong Kong Consumer Council in May 2024).
  • On February 19, 2024, the UK’s National Crime Agency (NCA), together with other international law enforcement agencies, was able to arrest four individuals linked to the RaaS provider LockBit and freeze over 200 cryptocurrency wallets. The NCA also found some undeleted victims’ data, contrary to LockBit’s promise to delete data once the ransom had been paid. On May 7, 2024, the DoJ announced it had charged a Russian national with developing and operating the LockBit ransomware.
  • Most recently, Operation Endgame, a multinationally coordinated cyber operation by the US, Denmark, France, Germany, the Netherlands, and the UK, with Europol and Eurojust, marked another victory for worldwide law enforcement. These joint efforts neutralized cyber security threats from several malware groups and reflect the growing trend of cross-border coordinated law enforcement actions to combat cybercrime.

Lessons learned

Recent developments show that while law enforcement agencies are achieving important successes, attackers are constantly finding new ways to infiltrate networks, increasing the risk of falling victim to a cyberattack. This makes it increasingly important for companies to take precautions and to adapt their security measures in line with the changing threat landscape.
