Many vendors release security reports showing trends discovered by their research teams. SonicWall released its 2023 threat report (found HERE), indicating a massive drop in ransomware while cryptojacking attacks have blown up.
Why did the SonicWall research team see this? In the report, they point out a few factors that are likely the cause. First, the Hive takedown removed the 3rd largest ransomware operation from the equation. They also point out that the general increase in law enforcement scrutiny of ransomware actors means more arrests, takedowns, and more work to remain in business. These two alone wouldn’t have this type of impact, but they are likely part of the reduction.
A third and interesting point brought up regarding this downward trend is that, due to the political and economic climate, security teams are hypersensitive to attacks. The war in Ukraine has all eyes on nation-state threats, and more attackers are participating in cyber warfare rather than focusing on economic gains. Many threat actor groups have publicly chosen sides and claim they are getting involved by taking down technical resources for either side. Besides war, the current economic market has caused many layoffs, forcing companies to be tighter with spending. This can also lead to hyper-focused security teams (i.e., I don’t want to lose my job, so I’d better overperform) and companies less willing to pay a ransom, as they are already strained financially.
The SonicWall report’s last thought on why ransomware is decreasing is that some threat actors are skipping the whole ransomware concept and moving directly to pure extortion. Data loss continues to be a top challenge for most organizations I speak with, as data can be anywhere and moves quickly. If a threat actor can obtain valuable data, why encrypt it? Just tell the victim you have it and you want money. This takes the whole ransomware structure out of the picture, reducing the steps needed to obtain payment. I find this interesting, as the goal of modern ransomware is to identify sensitive data, encrypt it, and ask for a ransom. The extortion model is similar; however, you just capture sensitive data, show a sample of what you have, then ask for payment. Both have the same end goal; however, the extortion option doesn’t involve all the risk of launching a chained exploitation attack that includes infecting systems and spreading ransomware/malware.
Once again, you can find the report HERE. I found it interesting.