Ransomware gangs are using methods akin to state-sponsored cyberattackers and have focused their targeting on more lucrative potential victims, according to cybersecurity researchers.
As ransomware gangs hit prominent victims such as a pipeline company and food producers in 2021’s first six months, cybersecurity company Trend Micro said it observed cyberattackers becoming more mature criminal enterprises whose attacks “seem like nation-state [advanced persistent threat] attacks.”
“Cybercriminal groups have taken on more sophisticated business models and adopted new technologies to create efficient and stealthy ransomware attacks,” reads Trend Micro’s “2021 Midyear Cybersecurity Report.”
“These evolved attacks have certain features that separate them from traditional ransomware activities: data exfiltration rather than simple encryption, covert online collaboration, the extended use of affiliate programs, and APT-like victim targeting, among others,” the security firm reported Tuesday.
Trend Micro said it observed far fewer ransomware threats in the first half of 2021 than in 2020’s first six months.
“Our data shows that over 7.3 million ransomware threats were detected in the first six months of 2021, which is almost half the number of detections we found in the same period in 2020,” the report reads.
“There are several factors that might have contributed to this decrease. First, it signals the shift to the more targeted modern ransomware that we have been analyzing, which involves attackers moving from the less effective, quantity-focused model of ransomware to big-game hunting.”
Other factors Trend Micro said may have deterred cyberattackers include governments across the world taking actions against ransomware operations, attention to the ransomware gang DarkSide prompting others to go quiet, and threats being stopped before they reach people.
The ransomware threats Trend Micro measured included threats in emails, malicious files and URLs.
Trend Micro is not the only company to observe fewer ransomware threats in 2021. In its report on the first quarter of 2021 published in June, cybersecurity company McAfee said it saw “smaller” campaigns.
“More attackers shifted from mass-spread campaigns toward fewer, but more lucrative targets,” read McAfee’s June report. “Most of these larger, targeted victims received a custom created variant of the ransomware family at a low volume.”
Some cybersecurity professionals think measuring ransomware threats is inhibited by any given company’s limited view of the threat landscape and is diminished by poor information-sharing.
Brett Callow, threat analyst at the software company Emsisoft, said a key metric that matters when tracking ransomware is the number of successful attacks, which he said has been “fairly flat for quite some time.”
“Like legitimate businesses, cybercrime enterprises output as much as they can but are constrained by personnel and infrastructure limits. The overall threat landscape and volume of attacks does change, but not quickly,” said Mr. Callow in an email. “That said, ransomware does have a seasonal aspect, with the overall number of global incidents spiking at certain times of year. The spikes do not, however, necessarily occur in the same months or quarters every year. The bottom line is that fluctuations in numbers are perfectly normal.”
Fewer ransomware threats also do not mean less danger and may actually mean the opposite. Efficient ransomware gangs collected multimillion-dollar payouts in 2021’s first six months, whereas previous widespread attacks may have amassed smaller returns from lesser-funded victims.