Ransomware decline: cause for worry or celebration?

Extortion gangs are going through some tectonic changes, but they are masters of reinventing themselves and will be back, just as happened with REvil.

According to the director of cybersecurity at the National Security Agency (NSA), Rob Joyce, the number of ransomware attacks plummeted due to sanctions against Russia.

Cyber insurers feel the decline, too. Violet Sullivan, VP at Redpoint Cyber, says that claims for cyber insurance payouts have been down since the start of the war. If anything, the lull only makes defenders more worried.

"CISA said, 'Shields Up,' we are going to protect and defend and be on the lookout for new strains of ransomware. Strangely, we all thought it was going to become a cyberwar immediately, but it was quiet. The silence is almost scarier because you know that they are developing something," Sullivan told Cybernews.

Why is REvil's comeback scary?

For quite some time, it seemed that walls were closing in on the notorious REvil ransomware gang, known for extortion attacks against meat supplier JBS and software company Kaseya, amidst increased pressure from the US and the international community.

However, there's mounting evidence that REvil is back. Researchers from the cybersecurity company Secureworks found the most recent clue. After taking a closer look at the REvil ransomware samples uploaded to the VirusTotal analysis service, they published a detailed analysis, suggesting that 'REvil is under active development.'

The January arrests of REvil members were made at the request of the United States, a rare case of bilateral cooperation between Russia and the US even before Russia's invasion of Ukraine. Since then, relations between the two countries have deteriorated, which might have changed the ransomware dynamics. There's plenty of speculation that the Kremlin has released some of the gang members, or that they were never all arrested in the first place.

Ransomware groups reinvent themselves and rebrand to throw researchers and law enforcement off track.

"We are scared of it. Changes show that they [REvil] have evolved, and the evolution of ransomware is scary," Sullivan said. With ransomware gangs constantly evolving and changing tactics, it only becomes harder to predict, prevent, and mitigate attacks.

Tectonic changes

The current Russo-Ukrainian war has prompted changes in how ransomware gangs operate. For example, after Conti announced its allegiance to Vladimir Putin, a pro-Ukrainian researcher with access to Conti's internal data exposed the ransomware gang by leaking thousands of documents.

"I'm not sure where the future goes. There's been a rift in some of the ransomware communities as a result of it. Many of them are also worried about being massively exposed, just as Conti was," Stairwell's security researcher Silas Cutler said during the Institute for Security and Technology webinar.

Marc Rogers, VP of Cybersecurity Strategy at Okta, believes that there's too much focus on specific groups and not enough on the fact that this is an entire ecosystem.

"If there's one thing we know about ransomware, they are good at reinventing themselves. You squash one group, and you'll get another bunch of groups," he said.

Due to the international sanctions, cybercriminals find it harder to profit because they can't cash out the ransom payments. However, Rogers does not expect the current chaos to change the ransomware landscape in the long term.

"I think that will take a constituted effort from all parties attacking ransomware to do something about it. But it is going to reshape some things. Maybe this is why we see some of the more simplistic ransomware attacks, like simple file extortion attacks, on the rise. Anyone can at least do that. You don't need larger platforms, sophisticated code to execute one of those," he said.

There's also speculation about the role of cyber insurance policies: sophisticated threat actors go after insured companies, usually with a pretty good idea of the insurance payout, and align their ransom demands with it.

"I don't think that just because we are in the midst of the conflict, the insurance companies will not pay. But everybody goes back to Merck [pharmaceutical company], where they had significant damage incurred from NotPetya. The insurance did not pay it out because it was classified as, I believe, war-related and not necessarily true ransomware," Cutler said. In January 2022, Merck won a lawsuit against its insurer Ace American.

Insurers getting tougher

Extortion money fuels the ransomware economy, but we are nowhere near banning ransom payments by law. According to Sullivan, a ban would have a flipside, since some businesses have no other option but to give in to the demands.

"I got a call before, and the company is a three-person doctor's office, and they had 20 years of data for all their patients, and they are a family and community office. They can't continue operating because they don't have backups, technical expertise, or an IT person. That's why it's heartbreaking," Sullivan said.

A survey by cybersecurity company Sophos revealed that the average ransom paid by victims increased nearly fivefold in 2021 to over $800,000. Adversaries vary their ransom demands across industries, extracting the highest sums from those they consider most able to pay.

Insurers are more likely to cover the cleanup costs needed to get the organization up and running again. However, they are increasingly reluctant to pay ransoms: 40% of respondents reported that their insurer paid the extortion demand, down from 44% in 2019.