Are Ransomware Attacks Slowing Down? It Depends on Where You Look


December 20, 2021 • Allan Liska

Insikt Group

I need to get a few disclaimers out of the way first:

  1. Ransomware attacks in 2021 are going to surpass the number of attacks in 2020 significantly.
  2. This data is preliminary and based on publicly reported data, but it does show interesting trends.
  3. There are always observability problems with ransomware. No one sees the full picture of ransomware attacks.

2021 has seen unprecedented global law enforcement action taken against ransomware groups. The 30-nation ransomware task force led by the United States appears to be seeing early success with almost weekly announcements against ransomware groups, some of which are shown in Figure 1: 

Figure 1: Some of the law enforcement action taken against ransomware groups in 2021 (Source: Recorded Future)
 

While there is little doubt that continued and consistent law enforcement action against ransomware groups is needed, there have been questions about whether these actions would slow down ransomware attacks. 

It is too early to provide a definitive answer, but there are some early indications that the combination of arrests, cryptocurrency exchange sanctions, and cryptocurrency seizures may be slowing down the number of ransomware attacks in some sectors and geographic areas.  

Figure 2 shows global publicly reported attacks against healthcare providers for 2021. Through November 30, 2021, our data sets identified 114 ransomware attacks against healthcare providers, compared to 104 identified in all of 2020. Of these 114 attacks, 63% occurred between January and June 2021 and 37% since July 1, 2021. 

Figure 2: Breakdown of global ransomware attacks against healthcare providers H1 2021 versus H2 2021 (Source: Recorded Future)
 

Compared to 2020, the pie chart is almost flipped: ransomware attacks increased in the second half of 2020, as shown in Figure 3.

 

Figure 3: Global ransomware attacks against healthcare providers in 2020 (Source: Recorded Future)
 

This same pattern holds with global ransomware attacks against schools. Recorded Future has identified 95 attacks against schools through November 2021, up from 64 in 2020.

 

Figure 4: Global ransomware attacks against schools through November 2021 (Source: Recorded Future)
 

The first 6 months of 2021 accounted for 59% of all ransomware attacks, while the second half has only accounted for 41%. Even looking at global ransomware attacks against local governments, which have been down overall in 2021, the pattern holds. Recorded Future has identified 87 ransomware attacks against state and local governments in 2021, compared to 104 in 2020.

Figure 5: Global ransomware attacks against state and local governments in 2021 (Source: Recorded Future)
 

Similar to schools, 61% of the attacks occurred in the first half of 2021 while only 39% have occurred so far in the second half of the year, as shown in Figure 5.

The one data point against the argument that ransomware attacks are slowing down in the second half of 2021 is the number of victims posted to ransomware extortion websites. As of the end of November 2021, Recorded Future has identified 2,597 victims posted to ransomware extortion websites, despite an almost universally observed slowdown in the number of attacks between July and August 2021.

As Figure 6 shows, 45% of those victims were in the first half of 2021 and 55% were in the second half, with a month left. This is the largest sample size of ransomware attacks publicly available, and it appears to show an increase in the number of victims. 

Figure 6: Ransomware victims posted to extortion websites in 2021 (Source: Recorded Future)
 

It is important to note that the posting times are when the victim was posted to the extortion website and not when the ransomware attack happened. Some researchers are seeing increasingly large delays in the number of victims posted to ransomware extortion websites.

I spoke to French researcher Valéry Rieß-Marchive, who has been studying the timing between ransomware attacks and posts to ransomware extortion websites, and who said:

“…from what I’ve seen, it can range from no time to four months depending on the RaaS and the affiliate. And I can’t help but notice that we’ve started to see some leaks on some marketplaces that most likely come from ransomware victims that had never been claimed before. Which means the delay there can be much longer.”

In other words, because of the delay we are seeing between ransomware attacks and posts to extortion websites, it is possible that a lot of these attacks actually occurred in the first half of 2021, but got posted to the extortion website in the second half of 2021. Though, even a significant delay between the original attack and the posting to extortion sites wouldn’t be enough to indicate a slowdown in ransomware attacks overall in the second half of the year.  

This bears out in separate research Recorded Future is conducting around ransomware attacks in Germany. Looking at the difference between when these attacks were posted to extortion websites compared to when the attack actually happened shows 2 very different timelines, as shown in Figure 7.

Figure 7: Comparison of ransomware attacks posted to extortion sites, compared to when the attacks occurred
Figure 8: Showing the difference between when attacks are reported and when they happen
 

The graph on the left in Figure 7 shows postings to extortion websites and the graph on the right shows when the attacks actually occurred. The caveat here is that only about 25% of attacks are reported when they happen, so Recorded Future’s ransomware researchers were only able to locate publicly reported information on attack dates for around 20% of the attacks logged by Recorded Future, shown in Figure 8. Still, this data is consistent with the finding that the difference between the attack and posting to an extortion website is consistently more than a month (on average; there are certainly exceptions to this).

That being said, even with the adjusted numbers, most of the 110 publicly reported ransomware attacks in Germany through the end of November 2021 that Recorded Future was able to identify took place in the second half of the year, as shown in Figure 9.

Figure 9: Publicly reported ransomware attacks in Germany 2021 (Source: Recorded Future)
 

Another possibility that needs to be pointed out is that ransomware attacks against sectors that have received a lot of attention, such as healthcare and schools, are on the decline while overall ransomware attacks still seem to be increasing. Some sectors that seem to have been hit particularly hard this year, such as manufacturing, construction, food and agriculture, and others, are also harder to track.

It is not just that certain industries are being targeted by ransomware groups; threat actors may also be targeting countries that don’t have as robust reporting or cybersecurity infrastructure. According to Brett Callow, analyst at Emsisoft, “Our data does not indicate a slowdown (yet). What we are seeing, however, is data being published in a smaller percentage of cases — and especially cases involving US organizations — as well as fewer attacks on US critical infrastructure.” This is consistent with what we see happening in France and Germany, which shows a clear trend toward increasing attacks over the second half of 2021 (or it may be an indication of better reporting).

The perception of a slowdown in attacks may be one of observability. Different organizations have different views into what is happening with ransomware, and that limits what they can see. It is possible that reporting is down overall. We can see this in observed ransomware attacks in France.

In 2021 there were 242 publicly reported ransomware attacks in France through the end of November, according to Rieß-Marchive. Looking at the breakdown by half year, it is very similar to the other charts in this report; 63% of the attacks occurred in the first half of 2021 and 37% in the second half. 

Figure 10: Publicly reported ransomware attacks in France (Source: Recorded Future)
 

But there is a second set of data that needs to be examined for France. Cybermalveillance.gouv.fr is an agency that victims of cybercrime can contact to report an incident and receive assistance. It keeps track of the number of organizations that reach out for assistance with ransomware attacks, and the numbers it recorded (1,522) are shown in Figure 11.

As Figure 11 demonstrates, there is a huge gap between what is being publicly and privately reported. Ransomware attacks may be continuing their increase, but fewer of them are being publicly reported. This would also explain the skews in the data that we are seeing with closely tracked sectors like education and healthcare. Ransomware groups know these attacks generate a lot of attention, and they may not want the type of negative attention that comes from these attacks, so they are focusing their efforts on sectors that don’t draw criticism.

Figure 11: Ransomware attacks in France, publicly reported versus privately reported in 2021 (Source: Recorded Future)
 

In short, while there does appear to be a slowdown in ransomware attacks, at least in some sectors, overall attacks may not be slowing down, and whether or not you see them slowing down may depend on your view into the ransomware attack surface. 

If ransomware attacks are decreasing overall, it is likely not just because of increased law enforcement. There is anecdotal evidence that cyber insurance companies are requiring that policyholders have more stringent cybersecurity protections in place before they will renew a policy and, according to Gartner, companies are spending 12% more on cybersecurity this year. The combination of law enforcement activity, more effective cybersecurity spending, and better controls put in place by cyber insurance companies may all be contributing to the decline. 

This data is very preliminary, but it is a trend that bears watching and something Recorded Future will continue to monitor and update. 
