Ransomware Trends 2022: Stats, Facts, & Today’s Biggest Threats

In this article, we’ll discuss three key ransomware trends and what they mean for your business in 2022 — and beyond.

    According to Microsoft, ransomware has become more sophisticated – and in many ways, more dangerous.

    While we’re seeing more high-profile attacks make headlines, total attacks are down – but it’s a bit of a mixed bag. Remote networks, the IoT, and supply chain software are uniquely vulnerable to attack. And – attackers are more organized than ever – a shift that has netted them higher payouts from fewer, targeted hits.

    Here are a few stats that paint a clearer picture of where ransomware stands right now:

    • Sophos’ 2021 State of Ransomware survey revealed that 37% of participants were hit by ransomware attacks in 2021 – down from 51% the year before. The survey also found that while total attacks were down, the average cost of recovering from an attack was roughly $1.85M – which accounts for things like down-time and missed opportunities, along with the ransom itself.
    • CrowdStrike reports that the number of attacks that resulted in stolen data being leaked to the public increased by more than 80% from 2020 to 2021. Ransom demands are up, too. In 2021, the average ransom was about $570k – a more than 500% increase from 2020. At the high-end, ransom demands can hit $50M+.
    • According to another CrowdStrike report, SMBs are particularly vulnerable. Many have valuable IP, vulnerable networks, and a lot to lose. While many struggle to pay ransoms, the legal, regulatory, and reputational ramifications can easily level their business and they may believe they have no other option.
    • What’s more, when attackers are successful, 80% of victims who paid the ransom were attacked again shortly after. So – we’re seeing some vulnerable companies suffer additional blows as they recover.

    At a glance, these numbers are absolutely terrifying. But, they don’t necessarily mean you’re doomed. A March 2022 Zerto report asserts that orgs are better equipped than ever to fend off ransomware attacks. Though researchers also noted that significant gaps remain — particularly when it comes to IoT networks, remote devices, and keeping pace with an innovative new breed of attackers.

    The point is, preparation is key. In the next few sections, we’ll discuss three key ransomware trends and what they mean for your business in 2022 — and beyond.

    1. Ransomware Gangs Grow Up and Get Organized

    Attackers are shifting away from high-volume ransomware attacks and instead, moving toward customized attacks, tailored around specific targets more likely to deliver bigger payouts on a shorter timeline.

    One of the key reasons for this shift is that ransomware is becoming more accessible to non-technical cybercriminals – a trend that echoes what’s happening in every industry. Widespread access to drag-and-drop development tools and open-source code is accelerating the generation and spread of new variants, and fueling the growth of two ransomware industries: the cybercrime syndicate and the ransomware service provider.

    Once considered a criminal cottage industry, Ransom Operations, or RansomOps, has evolved into a complex underground market – boasting more specialized talent and sophisticated technologies than ever, along with a whole host of innovative solutions currently redefining the space.

    Ransomware rings, or “gangs,” now run like real-deal businesses — with CEOs, middle managers, sales reps, marketers, and so on.

    The big danger with RansomOps is that these attackers are invested, and often spend several weeks or months preparing for deployment — in other words, attacks are treated like any large-scale business project — with all of the planning, deliverables, and KPIs that come with the territory. To put things in perspective, in 2021, just six ransomware groups were responsible for nearly 300 data breaches, collectively netting a cool $45M.

    Second, you’ve got the rise of ransomware-as-a-service, or RaaS (which Microsoft describes as a sort of gig economy for cyber criminals).

    Here, organized threat actors have set up one-stop shops on the dark web where ransomware developers can monetize their creations.

    Aspiring attackers can purchase custom suites of ready-to-launch malware, designed with a specific target in mind. Or – they can buy generic malware and make a few tweaks using low-code/no-code solutions. Either way, amateurs can launch pro-grade schemes that are more likely to fool discerning recipients — and deliver the ransom payments they’re after.

    RaaS is a massive industry with service providers embracing the marketplace and subscription-based models that have become popular in recent years. And many are careful about who can access their platform and purchase services.

    DarkSide, for example, requires prospective customers to complete a multi-step application process and internally, uses a set of predefined standards to determine who they’ll lease their software to. Customers who pass the screening can buy or lease a package that fits their needs, deploy the attack, collect the ransom and move on as if nothing happened.

    What makes RaaS attacks especially scary is that anyone with a grudge, financial incentive, or political motivation can wage an attack.

    With RansomOps, you have an Initial Access Broker (IAB) who lays the groundwork, often infiltrating the network, then setting it up for a large attack. This step maximizes the damage of the payload.

    The RaaS provider, on the other hand, is responsible for creating, managing, and selling/leasing the payload, and affiliates are the ones carrying out the attacks.

    While you can’t prevent bad actors from trying to break into your system, your best bet is disrupting attacks as early in the chain as possible.

    2. Remote Work Poses a Serious Threat

    2020’s rapid shift to remote work expanded the attack surface: legacy security models were ill-equipped to protect remote employees, and more workers were accessing company networks/apps from unsecured personal devices. All of this unlocked new opportunities for threat actors to attack – with many breaking in via VPN connections.

    We’re now halfway through 2022 and still in the midst of a global pandemic. So, while we’ve more or less settled into remote work, ransomware attacks on individual devices aren’t letting up.

    According to a recent Microsoft report, phishing remains the root cause of most data breaches, responsible for a whopping 70% of attacks. On top of that, phishing and smishing attacks have increased in scope, scale, and frequency since COVID hit in March 2020.

    Remote work poses a heightened threat for ransomware attacks – even with VPNs, VLANs, and other virtualization tools that separate the personal from the professional.

    This is, in large part, due to the fact that it’s impossible to control all employee actions on any given company device or system. One infected email sent to an employee account – and opened outside the virtualized environment – could lock the entire system. And – even with proper precautions in place, one wrong click could infect the entire environment, locking company files and putting the company in jeopardy.

    What’s more, remote teams are increasingly using personal devices to conduct business. So, even with strict protections in place, vulnerabilities from older hardware and unprotected software can slip through the cracks.

    Without administrative control over the system, companies can’t enforce updates or patches on all at-risk systems and devices connected to the network. VPNs offer some protection, but it’s not 100%, and threat actors can still break in with the right set of tools.

    This risk can be minimized, though not fully eradicated, by ditching BYOD or personal device policies for remote work.

    Removing employees’ “free rein” over the device (installing or using any software without restrictions, or unrestricted access to the internet) and applying access control and other restrictions can reduce the risk of an attacker taking over the system. But there’s still the risk that an email could come to an employee’s company account, and through lack of security awareness or just a good phish, the employee will click on it.

    Another serious threat is unintended sabotage. This is less about ransomware itself, but more about the fact that employee devices may be used by other members of their household who could unintentionally unleash havoc on the entire enterprise — with no knowledge of the destruction they’ve caused.

    The Microsoft report re-emphasizes the critical importance of embracing Zero Trust — an approach that assumes any user or device on a network has been compromised and continuously verifies its security.

    3. IoT, OT, and the Supply Chain Are Under Attack

    Per Microsoft analysts, the need for better cybersecurity protections for OT and the IoT came into clear focus last year, due to several high-profile attacks that hit a water treatment plant, an oil pipeline, surveillance systems, and networks of connected devices, among others.

    A recent Anchore survey found that supply chain software attacks targeted three in five companies and just 38% said this type of attack did not impact their business in 2021.

    According to IBM, manufacturing was the most attacked industry of last year, taking the crown from financial services. Over 60% of operational technology (OT) attacks hit manufacturing companies, while 36% of all OT attacks were ransomware. That same report revealed that recon efforts against OT equipment increased by more than 2200% between January 2021 and September 2021.

    While IoT, OT, and supply chain networks clearly have a target on their backs, Microsoft researchers emphasized that, despite the risks, investing in these technologies remains an urgent priority.

    In a joint survey with the Ponemon Institute, 68% of respondents said OT/IoT adoption is central to long-term business success and over 30% said they were unwilling to slow down adoption because of security concerns. Yet, 60% of that same group admitted that OT/IoT devices were the least secure part of their company’s digital infrastructure.

    According to Bain & Company’s 2022 Global Machinery & Equipment report, these technologies play a critical role in helping industrial organizations embrace a more modern business model. Analysts say that IoT/OT innovation supports sustainability goals, allows orgs to focus on building solutions for more niche, specialized use cases, and explore new service models.

    The Microsoft-Ponemon survey also stresses that many of these security gaps are a visibility problem. Addressing that issue is a significant first step in the right direction, laying the groundwork for mapping and securing every endpoint, asset, and device in the network.

    Final Thoughts

    As you can see, the state of ransomware — and cybersecurity on the whole — is well, kind of a mess.

    Remote work, along with growing adoption of IoT devices, greater reliance on the cloud, and poor security practices mean opportunities for bad actors have exploded. On top of that, innovations in the RansomOps space have made launching an attack easier for anyone looking to break into cybercrime.

    The good news is, the solutions already exist. Things like Zero Trust, AI/ML-based protections, even just working cybersecurity best practices and literacy into your company’s day-to-day culture. But — it’s still a lot to take on without the right partner on your side.

    Velosio’s Microsoft experts can help you select and implement solutions that generate value for your business — and ensure your company and your customers are protected from incoming attacks. Interested in learning more? Read about all the security features found in the cloud.
